Unusual Session Behaviour

  • John Howie

    Unusual Session Behaviour

    I've found very unusual behaviour when using sessions on two different
    servers.

    I'm using sessions to handle simple log in. When the form submits the
    values are checked against a MySQL table. If a match exists two session
    variables are created: $_SESSION['db_is_logged_in'] and
    $_SESSION['user']. Each page checks if the session variable
    'db_is_logged_in' is set and is true, display the page otherwise use
    header to redirect to an error page.

    This worked all well and fine locally, and on one other server.
    Recently I moved server and since then the whole authentication process
    has been behaving unusually. Sometimes (when logged in) you are taken
    to the error page, but your username is still displayed in the menu.
    Clicking the link a few more times and eventually the page will display
    correctly.

    My question is are there any options or reasons why what has previously
    worked fine could now be so unreliable? I am using session_start(), and
    this worked very well on one server, why not another? The versions of
    PHP are even the same (4.3.2).

    This has had me stumped for a few days now and I'm no closer to solving
    it, I'd really appreciate any suggestions. Thanks in advance.

  • Alex

    #2
    Re: Unusual Session Behaviour

    Make sure all of the files inside the "authenticated" umbrella have
    session_start() on it at the top. The only other thing that comes to
    mind is if your pages are not all on the same server/domain, that would
    cause the browser to have multiple session id's. Also check to be sure
    the PHPSESSIONID variable is configured in php.ini to be passed via
    cookie instead of url.

    Alex

    • John Howie

      #3
      Re: Unusual Session Behaviour

      Thanks for your response Alex. I actually have a auth.php file with
      session_start() in which is included into the top of each page, before
      anything else, so I don't think that is the problem.

      Also I've done a full transfer, I'm not trying to go to pages on one or
      another server. The two servers have no contact with each other.

      How can I be sure that the PHPSESSIONID is being passed via cookie and
      not url? The server is commercial and had PHP installed already and I
      don't think I can configure it. I have a page with the phpinfo() on it
      though, does it say on that page?


      • joe

        #4
        Re: Unusual Session Behaviour

        Yes, phpinfo() will show you that information.

        session.use_cookies - On.

        If you don't already, you can also try setting the session cookie
        params yourself, e.g.
        session_set_cookie_params(0, "/path/to/dir/");

        (0 meaning keep cookie for life of browser)

        Full doc:



        • John Howie

          #5
          Re: Unusual Session Behaviour

          Thanks for your response, cookies are turned on. I'm storing them as
          session variables though - I shouldn't need to be setting cookies
          should I?

          I may try it with cookies storing the values as the password isn't
          stored, so there isn't a security risk associated with it.

          It's still behaving very unusually though, sometimes a page I should be
          able to see will redirect me to the error page which will proudly
          display the variables that indicate I should be logged in, and it is
          still behaving normally on the other server. Very confused at the
          moment.


          • joe

            #6
            Re: Unusual Session Behaviour

            While the session data is stored on the server, the cookie is used to
            store that session name and id, so you can track/utilize the same
            session data over multiple different pages. If you don't use session
            cookies, you can pass the session id (SID constant) thru the URL (there
            may be other ways to use cookie-less sessions also).

            In my experience, sessions either work or don't work at all (errors are
            generated) so not sure what the problem might be in your case. May be
            helpful to post some code or the session settings from your phpinfo?


            • John Howie

              #7
              Re: Unusual Session Behaviour

              Thanks for your continued support Joe, I'll include some code and if
              you tell me which setting details you need I can get those for you
              shortly.

              The auth.php file called at the top of each restricted page:

                  session_start();

                  if (!isset($_SESSION['db_is_logged_in'])
                      || $_SESSION['db_is_logged_in'] != true) {

                      // not logged in, move to login page
                      header('Location: denied.php');
                      exit;
                  }

              The login mechanism:

                  if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {
                      include 'config.php';
                      include 'opendb.php';

                      // form variables
                      $userId = $_POST['txtUserId'];
                      $password = $_POST['txtPassword'];

                      // check if the user id and password combination exist in database
                      $sql = "SELECT username, type FROM agent WHERE username = '$userId'
                              AND user_password = MD5('$password')";
                      $result = mysql_query($sql) or die('Query failed. ' . mysql_error());
                      include 'closedb.php';
                      if (mysql_num_rows($result) == 1) {
                          // the user id and password match,
                          // set the session variables
                          $_SESSION['db_is_logged_in'] = true;
                          $_SESSION['user'] = $userId;

                          // after login we move to the main page
                          header('Location: welcome.php');
                          exit;
                      } else {
                          $errorMessage = 'Sorry, wrong user id / password';
                      }

                  }

              It's very hard for me to describe the error. Once logged in, when you
              try to view a page, often you get redirected to the error page. Try the
              link again from the menu and it may display the page. It's as if
              sometimes it can't find the session variable in auth.php so is
              redirecting. Then you try again and it works. This behaviour is really
              irritating considering it hasn't done this before.

              Thanks again.
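
The login code above builds its SQL from the POST values and keeps the same session ID across login. An added example (not the poster's code) of the same check with bound parameters, `password_hash()` storage in place of `MD5()`, and a new session ID on success; the in-memory SQLite table and its row are constructed for the demonstration.

```php
<?php
// Added example, not the poster's code. Assumption: agent.user_password
// holds password_hash() output instead of the MD5 value used in the thread.

function attempt_login(PDO $pdo, string $userId, string $password): bool
{
    // Placeholders keep the submitted values out of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT username, user_password FROM agent WHERE username = ?'
    );
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['user_password'])) {
        return false;
    }

    // New session ID at login, so an ID issued before authentication is
    // not the one that ends up carrying the logged-in flag.
    session_regenerate_id(true);
    $_SESSION['db_is_logged_in'] = true;
    $_SESSION['user'] = $row['username'];
    return true;
}

ini_set('session.use_only_cookies', '1'); // session ID travels in the cookie only
ini_set('session.use_trans_sid', '0');    // and is never written into links
session_start();

// Constructed demonstration data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE agent (username TEXT, type TEXT, user_password TEXT)');
$pdo->prepare('INSERT INTO agent VALUES (?, ?, ?)')
    ->execute(['demo', 'agent', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Results are collected first and printed last, because the session ID
// cannot be regenerated once output has started.
$results = [
    'wrong password'       => attempt_login($pdo, 'demo', 'not it'),
    'user name with quote' => attempt_login($pdo, "o'neil", 'correct horse'),
    'right password'       => attempt_login($pdo, 'demo', 'correct horse'),
];
var_dump($results);
```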


              • Chung Leong

                #8
                Re: Unusual Session Behaviour

                John Howie wrote:
                > This worked all well and fine locally, and on one other server.
                > Recently I moved server and since then the whole authentication process
                > has been behaving unusually. Sometimes (when logged in) you are taken
                > to the error page, but your username is still displayed in the menu.
                > Clicking the link a few more times and eventually the page will display
                > correctly.

                Unusual indeed. There has got to be some problems with the server set
                up. One thing to try is to change session.save_path with ini_set() to a
                subdir in your user directory (chmod'ed to 0777) before calling
                session_start(). That way, your session data is saved in a more
                controlled area. As you browse through your site, monitor the session
                files either through telnet or FTP. That should give you some insights.


                • R. Rajesh Jeba Anbiah

                  #9
                  Re: Unusual Session Behaviour

                  John Howie wrote:
                  > I've found very unusual behaviour when using sessions on two different
                  > servers.
                  >
                  > I'm using sessions to handle simple log in. When the form submits the
                  > values are checked against a MySQL table. If a match exists two session
                  > variables are created: $_SESSION['db_is_logged_in'] and
                  > $_SESSION['user']. Each page checks if the session variable
                  > 'db_is_logged_in' is set and is true, display the page otherwise use
                  > header to redirect to an error page.
                  >
                  > This worked all well and fine locally, and on one other server.
                  > Recently I moved server and since then the whole authentication process
                  > has been behaving unusually. Sometimes (when logged in) you are taken
                  > to the error page, but your username is still displayed in the menu.
                  > Clicking the link a few more times and eventually the page will display
                  > correctly.
                  <snip>

                  1. Set the error level to the max (if PHP5, use strict too)
                  2. Post a link, where we can check the source
                  3. Post a link where we can check the phpinfo

                  My guess is that there is some caching issue.

                  --
                  <?php echo 'Just another PHP saint'; ?>
                  Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/


                  • joe

                    #10
                    Re: Unusual Session Behaviour

                    I didn't test it out but your code looks ok...is the new server a
                    commercial server or one you have full access to?
                    Either way, you can try what Chung said, or use an .htaccess file to
                    change it (if the webserver is running apache):

                    php_value session.save_path /path/to/your/dir/
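
The checks suggested in this thread (session.use_cookies, a private session.save_path, caching), gathered into one page that can be reloaded a few times on the affected server. This is an added example, not code from any poster; the directory path is a placeholder, and the `sess_` file prefix assumes PHP's default "files" session handler.

```php
<?php
// session_check.php: added diagnostic, not code from the thread.
// Assumption: a hypothetical directory outside the web root. Mode 0700
// assumes PHP runs as the account owner; where it runs as a separate
// web-server user, the directory must be writable by that user instead.
$dir = '/home/youraccount/php_sessions';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}

// All of these must be set before session_start().
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
ini_set('session.use_trans_sid', '0');    // never write the ID into links

$name   = session_name();
$sentId = $_COOKIE[$name] ?? null;

// Look on disk only for IDs made of the characters PHP itself generates,
// and do it before session_start(), which creates the file if missing.
$hadFile = is_string($sentId)
    && preg_match('/^[A-Za-z0-9,-]+$/', $sentId) === 1
    && is_file($dir . '/sess_' . $sentId);

session_start();
header('Cache-Control: no-store');        // rule out a cached copy
header('Content-Type: text/plain');

$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

$report = [
    'cookie sent by browser'  => is_string($sentId) ? 'yes' : 'no',
    'id kept from cookie'     => $sentId === session_id() ? 'yes' : 'no',
    'save_path in effect'     => session_save_path(),
    'save_path writable'      => is_writable($dir) ? 'yes' : 'no',
    'file existed on arrival' => $hadFile ? 'yes' : 'no',
    'hits in this session'    => $_SESSION['hits'],
];
foreach ($report as $label => $value) {
    echo str_pad($label, 26), ': ', $value, "\n";
}

// A browser that sent a cookie but sees the counter back at 1 means the
// server found no stored data for that ID on this request.
if (is_string($sentId) && $_SESSION['hits'] === 1) {
    echo "WARNING: cookie received but no session data was found for it\n";
}
```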


                    • John Howie

                      #11
                      Re: Unusual Session Behaviour

                      Sorry for my delay, I was away this weekend. Thanks for your help with
                      this matter.
                      1. You can see the php info at

                      2. The other pages there contain the basic login control, which still
                      isn't working (in case any of the other page content was interfering
                      I've gutted them to basic log in).
                      Go to http://www.falicensedplayersagent.com/index.php To try to log in,
                      user and pass are displayed. There are two pages with restricted
                      access, with links to them. Earlier I logged in and could go between
                      the two fine, then again just now I did the same and frequently get the
                      error page appear.

                      The server is commercial, so I don't know how I'd go about altering
                      paths or setting the error level to high.

                      The server is running apache, so .htaccess is one approach I'm now
                      considering, my curiosity is high now though, and I really want to
                      know what is going on.

                      Your help is greatly appreciated, though my knowledge of the PHP set-up
                      is poor and I don't know how to do some of the suggestions made. Thanks
                      again.

                      joe wrote:
                      > I didn't test it out but your code looks ok...is the new server a
                      > commercial server or one you have full access to?
                      > Either way, you can try what Chung said, or use an .htaccess file to
                      > change it (if the webserver is running apache):
                      >
                      > php_value session.save_path /path/to/your/dir/


                      • John Howie

                        #12
                        Re: Unusual Session Behaviour

                        Problem solved! Or at least a workaround. Instead of using sessions I'm
                        now using cookies on the client machine, since the data stored isn't
                        confidential, or passwords.

                        It seems to be working perfectly fine now, though I don't know what
                        would happen if a user has disabled cookies. That's a huge relief,
                        thank you all for your help with this matter, if anyone does work out
                        what wasn't working with the sessions I'd be very interested to hear
                        it, as I can include it in my write up.

                        John
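
A login flag kept in a cookie is stored on the client, so the server has to be able to tell whether the value it gets back is one it issued. An added example (not John's code) that signs the cookie with HMAC-SHA256 and rejects altered or expired values; `LOGIN_KEY` and the cookie name `login` are placeholders.

```php
<?php
// Added example, not code from the thread. Assumption: LOGIN_KEY stands in
// for a secret of 32 random bytes kept in server-side configuration.
const LOGIN_KEY = 'replace-with-32-random-bytes-from-server-config';

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Build "payload.signature"; the payload carries the user name and expiry.
function make_login_cookie(string $user, int $ttl, string $key): string
{
    $payload = b64url(json_encode(['u' => $user, 'exp' => time() + $ttl]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
}

// Return the user name if the cookie is intact and unexpired, else null.
function read_login_cookie(string $cookie, string $key): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $sig)) {   // constant-time comparison
        return null;
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['u'], $data['exp'])
        || !is_string($data['u']) || !is_int($data['exp'])
        || $data['exp'] < time()) {
        return null;
    }
    return $data['u'];
}

// After a successful password check the page would send it like this:
//   setcookie('login', make_login_cookie($userId, 3600, LOGIN_KEY),
//       ['path' => '/', 'httponly' => true, 'secure' => true,
//        'samesite' => 'Lax']);

// Constructed demonstration values.
$good    = make_login_cookie('alice', 3600, LOGIN_KEY);
$altered = b64url(json_encode(['u' => 'bob', 'exp' => time() + 3600]))
         . '.' . explode('.', $good)[1];   // new payload, old signature

var_dump([
    'intact cookie'       => read_login_cookie($good, LOGIN_KEY),
    'payload altered'     => read_login_cookie($altered, LOGIN_KEY),
    'plain unsigned name' => read_login_cookie('alice', LOGIN_KEY),
]);
```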


                        • Norman Peelman

                          #13
                          Re: Unusual Session Behaviour

                          "John Howie" <johnhowie85@gmail.com> wrote in message
                          news:1141055279.339488.125350@v46g2000cwv.googlegroups.com...
                          > Problem solved! Or at least a workaround. Instead of using sessions I'm
                          > now using cookies on the client machine, since the data stored isn't
                          > confidential, or passwords.
                          >
                          > It seems to be working perfectly fine now, though I don't know what
                          > would happen if a user has disabled cookies. That's a huge relief,
                          > thank you all for your help with this matter, if anyone does work out
                          > what wasn't working with the sessions I'd be very interested to hear
                          > it, as I can include it in my write up.
                          >
                          > John
                          >

                          John,

                          Just out of curiosity, when you changed servers did you alter any links?
                          PHP is usually set up to use both cookies and url based session handling.
                          url based kicks in when cookies are not enabled but only works with fully
                          qualified links:

                          1) <a href='http://www.yourserver.com/link.htm'>Link</a> <- will have the
                          session id appended if cookies are disabled
                          2) <a href='link.htm'>Link</a> <- will not work as PHP won't add the
                          session id to a short form link

                          and make sure that the 'temp' directory is set in php.ini so that PHP knows
                          where to store the sessions...

                          Norm



                          • John Howie

                            #14
                            Re: Unusual Session Behaviour

                            Norm,
                            thanks for your response, it would be good if that is the problem. I
                            didn't change the links and they were all relative : <a
                            href="index.php">Index</a>
                            I'm very tempted to resort to undoing the cookie implementation and
                            seeing if that solves it. I think the temp is default /tmp but haven't
                            had a look in there.
                            If that solves it it will certainly give me something to write about.


                            • Jim Michaels

                              #15
                              Re: Unusual Session Behaviour


                              "Norman Peelman" <npeelman@cfl.rr.com> wrote in message
                              news:JJOMf.47101$Fw6.14262@tornado.tampabay.rr.com...
                              > "John Howie" <johnhowie85@gmail.com> wrote in message
                              > news:1141055279.339488.125350@v46g2000cwv.googlegroups.com...
                              >> Problem solved! Or at least a workaround. Instead of using sessions I'm
                              >> now using cookies on the client machine, since the data stored isn't
                              >> confidential, or passwords.
                              >>
                              >> It seems to be working perfectly fine now, though I don't know what
                              >> would happen if a user has disabled cookies. That's a huge relief,
                              >> thank you all for your help with this matter, if anyone does work out
                              >> what wasn't working with the sessions I'd be very interested to hear
                              >> it, as I can include it in my write up.
                              >>
                              >> John
                              >>
                              >
                              > John,
                              >
                              > Just out of curiosity, when you changed servers did you alter any links?
                              > PHP is usually set up to use both cookies and url based session handling.
                              > url based kicks in when cookies are not enabled but only works with fully
                              > qualified links:
                              >
                              > 1) <a href='http://www.yourserver.com/link.htm'>Link</a> <- will have the
                              > session id appended if cookies are disabled
                              > 2) <a href='link.htm'>Link</a> <- will not work as PHP won't add the
                              > session id to a short form link

                              funny, it seemed to work in my php file with relative link. or are you
                              saying the behaviour becomes flaky?
                              >
                              > and make sure that the 'temp' directory is set in php.ini so that PHP
                              > knows
                              > where to store the sessions...
                              >
                              > Norm
                              >
                              >

