I have made a simple website in which a user can log in. My problem is that when a user enters the address http://www.mysite.com/signin.php and, after a successful login, manually enters the address as http://mysite.com, the session variable is not available from that page. How do I make the same session apply to both www.mysite.com and mysite.com? Are there any settings in the php.ini file, or how do I manage to make the same session apply to both addresses?
if(verify($password,$pw['password']))
{
    $uid=$pw['user_id'];
    $_SESSION['login_status']=true;
    $_SESSION['user']=$uid;
}
I have a page checksession.php:
<?php
session_start();
var_dump($_SESSION);
?>
When I log in from http://www.mysite.com/signin.php and check http://www.mysite.com/checksession.php, it shows the session values, but http://mysite.com/checksession.php shows nothing. (The difference is in the address: one with www, the other without www.)
I usually force www. or no www. in my .htaccess file using redirects.
Your problem is probably your PHPSESSID cookie domain not beginning with a "."
session_set_cookie_params ( 3600 , '/', '.example.com');
That should set it.
Add this line before your session_start();:
ini_set('session.cookie_domain', '.mysite.com' );
This should tell PHP to include all subdomains of mysite.com in the same session, including 'www'. Note the period before the domain name.
A different approach is to use session_start(); inside a config.php file and include that file at the top of the code of every page where sessions are required; otherwise you will not be able to get the value of the SESSION variable.
Use https:// before the page address call.
Related
setcookie is not setting the value in the following code.
<?php
session_start();
ob_start();
unset($_SESSION['adminname']);
session_destroy();
if(isset($_COOKIE['adminremember_me'])) {
    $past = time() - 100;
    // The value must be a quoted string; no path is given, so the script's folder is used.
    setcookie('adminremember_me', 'gone', $past);
}
header("Location: login.php");
exit();
?>
The cookie is not deleted, as setcookie does not work, though no error message is displayed.
The interesting part is that I have another file with the same code structure but a different cookie name for normal user logout, and that one works.
I moved the admin logout file, which was in (htdocs/site/admin/), to (htdocs/site) and now logout works! Seriously, what change did it make?
You can have multiple cookies with the same name but different paths. So if your script is in /folder1/folder2/mypage.php, you can have 1 cookie with the path /folder1 and another with the path /folder1/folder2, and both cookies could have the same name.
My guess is the cookie you are trying to delete belongs to a different path (by default, if you don't specify a path, then it assumes the folder that the script is in). To delete it, you will have to manually set the path parameter to match that of the cookie. For example:
setcookie('adminremember_me', 'gone', $past, "/");
or
setcookie('adminremember_me', 'gone', $past, "/folder1/");
To see what the path is on the existing cookie, you need to use your browser's cookie viewer to see what path is set on it.
Edit: to answer the question in your edit, when you moved the location of your logout file, you moved it to be in the same folder as the path that was set on the cookie (so the default value was now the same). If you want to move the script back to the old location, just explicitly set the path to whatever the folder was where it worked.
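Both mismatches discussed in the answers above (a session cookie without a domain not reaching the other host name, and a delete that misses because the path differs) follow from the browser's cookie matching rules. The block below is an added example, not code from the original posts: it models those rules from RFC 6265 in JavaScript, and the function names, host names and URL paths are constructed for illustration.

```javascript
// Model of the RFC 6265 rules a browser applies to stored cookies (added example).
// Host names, URL paths and cookie records below are constructed for illustration.
// 5.1.3: a host-only cookie needs an exact host match; a cookie stored with a
// Domain attribute also matches every subdomain of that domain.
function domainMatches(host, cookie) {
  const h = host.toLowerCase(), d = cookie.domain.toLowerCase();
  return h === d || (!cookie.hostOnly && h.endsWith('.' + d));
}

// 5.1.4: without a Path attribute, the cookie path is the request path up to,
// but not including, its last "/".
function defaultPath(requestPath) {
  const i = requestPath.lastIndexOf('/');
  return i <= 0 ? '/' : requestPath.slice(0, i);
}

// 5.1.4: the cookie path must be a prefix that ends on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  return requestPath === cookiePath || (requestPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/'));
}

// Record a cookie as the browser would after a Set-Cookie response.
function storeCookie(name, host, requestPath, attrs = {}) {
  return {
    name,
    hostOnly: !attrs.domain,
    domain: (attrs.domain || host).replace(/^\./, ''), // leading dot is ignored
    path: attrs.path || defaultPath(requestPath),
  };
}

const isSent = (c, host, path) => domainMatches(host, c) && pathMatches(path, c.path);

// 5.3: an expired Set-Cookie only evicts a stored cookie whose name, domain
// and path are all identical; otherwise the original stays in the jar.
const evicts = (expired, stored) => expired.name === stored.name &&
  expired.domain === stored.domain && expired.path === stored.path;

// First question: PHP's default session cookie (no Domain) vs. Domain=.mysite.com.
const hostOnly = storeCookie('PHPSESSID', 'www.mysite.com', '/signin.php', { path: '/' });
const shared = storeCookie('PHPSESSID', 'www.mysite.com', '/signin.php',
  { path: '/', domain: '.mysite.com' });
// Logout question: URL paths assumed from the htdocs/site and htdocs/site/admin folders.
const remember = storeCookie('adminremember_me', 'example.com', '/site/login.php');
const fromAdmin = storeCookie('adminremember_me', 'example.com', '/site/admin/logout.php');
const fromSite = storeCookie('adminremember_me', 'example.com', '/site/logout.php');

console.log(isSent(hostOnly, 'mysite.com', '/checksession.php'), isSent(shared, 'mysite.com', '/checksession.php'));
console.log(evicts(fromAdmin, remember), evicts(fromSite, remember));
```

With Domain=.mysite.com the session cookie is also sent to every other subdomain of mysite.com, so the session ID is exposed to any host under that domain.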
I have an example.com/login.php file on the root domain with this code:
header('Access-Control-Allow-Origin: *');
session_set_cookie_params(0, '/', '.example.com');
session_name('lusession');
session_start();
$_SESSION['name'] = $_GET['name'];
$_SESSION['useremail'] = $_GET['useremail'];
$_SESSION['password'] = $_GET['password'];
This file is provided with credentials and it then creates a login session. It is called from the main domain and subdomains by AJAX.
The problem is that it does not create a session when called through AJAX, but when opened directly in the browser with a query string it creates a cross-domain session as expected.
Other pages which call it through AJAX have the following code at the start:
session_set_cookie_params(0, '/', '.example.com');
session_name('lusession');
session_start();
If I add the following code in login.php, it shows in the AJAX response that the session is created. But that session is not available on pages on the same domain or on other subdomains.
echo 'session created for'.$_SESSION['name'];
Inspecting the resource shows the AJAX call creates a session cookie with the name 'lusession', as it should.
Access to the session cookie by scripting languages is controlled with the session.cookie_httponly configuration setting. Or you can use the 5th parameter of session_set_cookie_params() if you prefer this.
Well, figured it out.
Actually, AJAX calls only send cookies if the URL you're calling is on the same domain as your calling script. Subdomains are considered separate domains. Though this code creates cross-subdomain sessions, the AJAX involved is the culprit.
As in this case, I am trying to call a URL from domain.com while my calling script is on sub.domain.com. (In other words: I made a cross-domain call, in which case the browser didn't send any cookies, to protect privacy.)
The solution that worked for me is that I put the login.php file on every subdomain for calls from that subdomain. This way sessions were created, and once a session is created on one subdomain it is available on all subdomains as wanted.
I was wondering how I would pass something using a session between pages that are in two separate directories. For example, if I had the following code, what would I need to add to make it work?
Page 1: directory\directory1\directory2\Page1.php
session_start();
$_SESSION['example'] = '123';
Page 2: directory\dir1\dir2\Page2.php
session_start();
echo $_SESSION['example'];
Your code should work if these pages are served within the same domain.
You do not have to session_start() in each page. Just write that in a single file and share that file between the pages you want to hold the session in.
So, if you have page1.php, page2.php and session.php, you can create the session in page1.php and check it in page two like: echo var_dump($_SESSION), and vice versa.
First of all, check if session-cookies are properly set. Some problems (e.g. Headers already sent) may cause your session cookie to not be set.
If this is working properly, you may have to change the session cookie parameters via session_set_cookie_params.
By setting the second parameter (path) to /, the session cookie is valid for the root of your website and all subdirectories.
Example
session_set_cookie_params(0, '/');
The same settings can also be set in your php.ini or via ini_set(). See Session configuration.
Note:
I'm not sure if these settings have any effect if session.auto_start is enabled, in which case the cookie header may already be sent before the changes are made.
I have an issue with login sessions. Basically the flow is like this:
the user creates an account and defines a username;
the user logs in using the URL 'http://[username].website.com'
(coded in PHP and MySQL, using a session cookie)
My problem is: when trying to log in directly from the index page 'www.website.com', I don't manage to get my user logged in to his URL http://username.website.com
/// EDIT ///
Let's say I have opened the URL "www.example.com" and created a session variable at this URL. Now I want to access that session variable at the URL "test.example.com". How do I do that? Any solution is welcome.
/// EDIT2 ///
At the top of every PHP file I have used the code below, but my session variable was destroyed and I can't access the session variable in another page. I have also set session.cookie_domain = ".website.com" in the "php.ini" file.
ini_set('session.cookie_domain', '.website.com');
session_name("sessionid");
session_start();
As minaz mentioned in the comments, make sure that the cookie you're setting on www.website.com is valid for domain-matching on ".website.com".
If you're still not sure what's happening, try playing around with wget (http://www.gnu.org/software/wget/) using --save-cookies, --load-cookies and --debug.
I've got a simple login system using PHP sessions, but just recently it seems that if you visit pages not in a certain directory (/login/) you will always be flagged as not logged in, even when you are. It seems that my session data is being lost when I change directories (say, to /login/user/).
I don't think I've touched the code myself since the problem appeared. Is there something my web host could have done to my PHP installation that would delete the session data, and is there a workaround?
EDIT:
Inside each file that needs authorization, it loads a loginfunctions.php file which calls session_start() and checks the login. Files which work in /login and which I copy and paste into /login/user stop working, even though I update all the relevant paths and links.
EDIT2:
Okay, some code.
In the actual pages that are giving me the error, this is the auth. code:
require_once("../../../includes/loginFunctions.php");
$login = new login;
$login->checkLogin(0);
Inside loginFunctions.php is this:
class login{
    function checkLogin($requiredAccess){
        session_start();
        if($_SESSION['accesslevel'] < $requiredAccess || $_SESSION['logged_in'] != TRUE){
            die("You don't have access to this area. If you should have access, please log in again. <a href='/login/'>Login</a>");
        }
        if (isset($_SESSION['HTTP_USER_AGENT'])){
            if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT'])){
                session_destroy();
                die("Bad session. Please log in again. <a href='/login/'>Login</a> ");
            }
        } else {
            $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
        }
        if (!isset($_SESSION['initiated'])){
            session_regenerate_id();
            $_SESSION['initiated'] = true;
        }
    }
}
The $requiredAccess variable is the access level that you need to access this page, so if you have an accesslevel of 3 in the database you can view level 0, 1, 2 and 3 pages. This is specified when the function is called in the main page and is compared to the access level of the current user, which is defined in $_SESSION when they log in.
I'm getting the error "You don't have access to this area etc." when I try to access these pages. If I try to print the $_SESSION variables, nothing shows; they appear to be empty. However, if I move the file to the /login/ folder (one level up) and update the links, they work perfectly and all the variables print out fine. This makes me think the code is not the part that's not working, but some setting in my PHP install that has been changed without my notice.
Maybe you aren't calling session_start() at the beginning of pages not in /login/?
I had a similar problem.
Check you don't have a php.ini file. Removing this sorted the problem out. Still looking into exactly why. The php.ini file could even be blank and it would stop session data from carrying over to more than one directory...
It's possible that they changed the php.ini setting session.cookie_path.
You should call session-set-cookie-params before you call session_start and make sure you set the cookie path yourself. Set it to the highest level directory you want the session to be valid for. E.g. if you set it to /login it will be valid for /login and /login/user. If you want your session to be valid for the entire site, set the path to be /
I had a similar issue. You may want to use:
<?php
setcookie("TestCookie", $value, time()+3600, "/~rasmus/", ".example.com", 1);
?>
or something similar. I know cookie and session variables are a different desired solution, but this was able to clear up my issue.
See here for documentation
Make sure you have the same php.ini file in each directory that you want to access the session variables from.
This is why you shouldn't use directory to make false friendly URLs...
Don't forget to call session_start() every time you need the session.