I have this code:
$username = $_POST["username"];
$password = $_POST["password"];
if(mysql_num_rows($result80)>0)
{
    $row80 = mysql_fetch_assoc($result80);
    $_SESSION["loginmng"] = 1;
    $_SESSION["username"] = $username;
    $_SESSION["password"] = $password;
    $fname = $row80["fname"];
    $lname = $row80["lname"];
    $userid = $row80["id"];
}
And everything is OK, because I tried to echo the session and it works in the same page (index.php).
Now I have this check:
if(($_SESSION["loginmng"]!=1)||(!isset($_SESSION["username"]))||(!isset($_SESSION["password"])))
{
    header("Location: index.php");
    exit; // stop the script after sending the redirect
}
When I put this into a new folder:
newfolder/index.php
the check is not working right. When I have logged in and the session is set, and I try to echo $_SESSION["loginmng"] and the other session values, they are empty, as if no session was set, and the header runs and goes to index. I have put session_start(); on the first PHP line too.
I tried this too:
if($_SESSION["loginmng"]!=1)
{
    header("Location: ../index.php");
    exit; // stop the script after sending the redirect
}
And the same thing happens, as if no session is set. What may be the problem?
A PHP session variable is used to store information about, or change settings for a user session. Session variables hold information about one single user, and are available to all pages in one application.
PHP Session Variables
When you are working with an application, you open it, do some changes and then you close it. This is much like a Session. The computer knows who you are. It knows when you start the application and when you end. But on the internet there is one problem: the web server does not know who you are and what you do because the HTTP address doesn't maintain state.
A PHP session solves this problem by allowing you to store user information on the server for later use (i.e. username, shopping items, etc). However, session information is temporary and will be deleted after the user has left the website. If you need a permanent storage you may want to store the data in a database.
Sessions work by creating a unique id (UID) for each visitor and store variables based on this UID. The UID is either stored in a cookie or is propagated in the URL.
Starting a PHP Session
Before you can store user information in your PHP session, you must first start up the session.
Note: The session_start() function must appear BEFORE the <html> tag.
Maybe you forgot to add session_start(); on top of the file.
To make session start on each page you need to start the session on each page.
session_start() creates a session or resumes the current one based on a session identifier passed via a GET or POST request, or passed via a cookie.
I have this in my $_SESSION setting script:
<?php
// Start the session if it is not already active
if (!isset($_SESSION))
{
    session_start();
}

// Check if the Username session value is set
if (empty($_SESSION['Username'])) { // If not a current user
    header("Location: ./logout.php"); // Session destroy file that leads to session logout landing page
    exit();
}
?>
Now, what I basically do is just check if Username SESSION is set. But, I have come to notice something strange while putting another user through:
If we click the same link at the same time and arrive on the landing page same time, I noticed I can see my Username displayed as his Username and his personal data like email and phone replaced mine in my very own PC! This is really strange to me as we do not even live in the same country or even share same PC.
So, it is obvious I have not secured my SESSION and I have used a lame approach without thinking about security and this can be abused with SESSIONS hijacked.
How do I resolve this conflict? How do I restrict each logged in user to a particular session without conflicts if two or more users access the same resource at the very same time? I need help. I can't sleep since I found this.
After reading your responses, I will now show a snippet of the functions.php file which outputs User data from DB.
First, I get the UserName value from session using:
$UserName = $_SESSION['Username'];
With this value, I query DB to get more user details:
//------------Get User Info -- All user column
// Bind the user name as a parameter instead of placing it in the SQL string
$Get_User_Info_stmt = mysqli_prepare($conn, "SELECT * FROM customers WHERE User = ?");
mysqli_stmt_bind_param($Get_User_Info_stmt, "s", $UserName);
mysqli_stmt_execute($Get_User_Info_stmt);
$Get_User_Info = mysqli_stmt_get_result($Get_User_Info_stmt);
$Get_User_Info_row = mysqli_fetch_array($Get_User_Info, MYSQLI_ASSOC);
//---- Now list all user rows
$GLOBALS['Skype'] = $Get_User_Info_row['Skype'];
$GLOBALS['Jabber'] = $Get_User_Info_row['Jabber'];
$GLOBALS['ICQ'] = $Get_User_Info_row['ICQ'];
$GLOBALS['Join_Date'] = $Get_User_Info_row['Join_Date'];
$GLOBALS['Join_Date_Time'] = $Get_User_Info_row['Join_Date_Time'];
$GLOBALS['Balance'] = number_format($Get_User_Info_row['Balance'],2);
The above is what is contained in the functions.php which I require with each page I need protected.
As you can see, I barely see where I have done too much wrong there.
I googled to solve my question, but every site explains my problem in a different way, so I feel very confused!
I built a PHP site in this way.
index.php:
In this page I get the username and password from the login form and, after checking that the user really exists, I save them first in a variable and then in the session.
$_SESSION['user']=$user;
$_SESSION['psw']=$psw;
Now I would show this page ONLY if the user is logged in, so I would make something like this:
first_page.php:
<?php
if (isset($_SESSION['user']) && $_SESSION['user'] != "" && isset($_SESSION['psw']) && $_SESSION['psw'] != "") {
    // show page site
}
else {
    // go to index.php
}
?>
and insert this if-else block in every page of the site.
Is this procedure correct?
Do I need to call session_start(); in every page or just in index.php?
How long until $_SESSION['user'] and $_SESSION['psw'] expire?
Since the site needs $_SESSION['user'] for many features, I need to be sure that when a user navigates the site those session variables are set.
Thanks for your support, I feel very confused on it.
You must add session_start() in every single page where you use $_SESSION. It expires when you leave the site.
Don't store a password in a session. Without changing the session handler, data in a session is stored as plain text outside of the web root. This means anyone that has access to the system can read session data.
The method of knowing if a valid login occurred is:
$sql = "select id from users where username = 'username' and password = 'hashedpassword'"; // "users" is a placeholder table name
If an id is returned, it means the user successfully logged in, so store that ID in a session. Then validate whether the session continues by checking if the ID is set.
Keep in mind that after raising privileges it is recommended to change the session id as well; that can be done with session_regenerate_id(), which adds protection against session fixation attacks.
At the beginning of each script, when trying to read data from a session, use session_start(), and use session_destroy() to remove all data stored in that session (usually at logout).
If I introduce the following script at the top of every page, could it be a good solution? Or is there something wrong?
if ((isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) || empty($_SESSION['iduser'])) {
    // last request was more than 30 minutes ago
    session_unset();
    session_destroy(); // destroy session data in storage
    echo "<script>location.href='index.php'</script>"; //redirect the user to index page
    exit; // stop here so the rest of the page is not sent
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
/* Code for the rest of my page HTML*/
(taken from here: How do I expire a PHP session after 30 minutes?)
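The advice in the answer above (keep only the user ID in the session, compare against a password hash, regenerate the session ID after login, expire idle sessions) put together as an added example; it is not code from any of the posts. The table and column names, the function names login() and require_login(), and the in-memory SQLite demo data are assumptions.

```php
<?php
// Added example, not code from the posts above. Table/column names and
// both function names are assumptions made for illustration.
declare(strict_types=1);
session_start();                       // on every page, before any output

function login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);       // fresh ID after login (session fixation)
    $_SESSION['user_id'] = (int) $row['id'];   // the ID only, never the password
    $_SESSION['LAST_ACTIVITY'] = time();
    return true;
}

function require_login(int $idleLimit = 1800): int
{
    $idle = time() - ($_SESSION['LAST_ACTIVITY'] ?? 0);
    if (!isset($_SESSION['user_id']) || $idle > $idleLimit) {
        session_unset();
        session_destroy();
        header('Location: index.php');
        exit;                          // header() alone does not stop the script
    }
    $_SESSION['LAST_ACTIVITY'] = time();
    return $_SESSION['user_id'];
}

if (PHP_SAPI === 'cli') {              // constructed demo data, in-memory SQLite
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $rejected = login($db, "alice' OR '1'='1", 'anything');  // treated as a literal name
    $accepted = login($db, 'alice', 'correct horse');
    $userId   = $accepted ? require_login() : null;
    var_dump($rejected, $accepted, $userId);
}
```

On a real site the login page calls login() with the posted credentials, and every protected page calls require_login() before producing any output.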
For a website, I need to route users to their own page. I have a login form, which sends data to a PHP file to check if the user's information is correct, and if so, forwarding the user to their page. The only problem is that I need to validate the user on arrival, to check if they logged in or just typed out the URL. I plan to use this with a POST, but how can I auto-send the constant (i.e. "logged-in")? Is there a way to do that through an HTML form (outputted from an echo) and sending it when the page loads? Thanks in advance!
EDIT 1: I understand that I must use Sessions, but whenever the page redirects it clears the session. The whole reason I was asking this was because I needed a way to keep the session active. How do I redirect in a way that doesn't clear the session?
In the PHP file that validates their credentials, start a "session". You can then apply session variables that can be called at any time while the session is valid. You can do this with POST, which it sounds like you're using, or by querying a database upon validation.
For example, upon validation:
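session_start();
$_SESSION['username'] = $_POST['username'];
// Define $username and escape it before it goes into the query string
// (the mysql_* extension was removed in PHP 7; use mysqli or PDO on current versions)
$username = mysql_real_escape_string($_POST['username']);
$security_check = mysql_query("SELECT * FROM userList WHERE username = '$username'");
$row = mysql_fetch_assoc($security_check);
$_SESSION['userId'] = $row['userId'];
$_SESSION['userFullName'] = $row['userFullName'];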
On subsequent pages, you can put the following code at the top to check if the user logged in. If not, it will kick them back to the index page; otherwise the $_SESSION variables will be maintained.
<?php
session_start();
if (!isset($_SESSION['userId'])) {
    echo "<script> window.location.replace('index.php?login=no') </script>";
    exit; // do not send the rest of the page to a visitor who is not logged in
}
?>
As suggested in the comments, I would recommend doing some further research on sessions to get a full understanding of how they work.
I have an application that needs to create a new session id at specific times. Right now, this is causing the user to log out because $_SESSION ends up being empty.
It is my understanding that regenerate_session_id() should preserve the session information and just change the session id (meaning that $_SESSION['someVar'] would be available on subsequent requests).
What I'm finding is that $_SESSION is empty on subsequent requests.
I've tried copying the data:
$session = $_SESSION;
session_regenerate_id();
$_SESSION = $session;
but that didn't help. If I comment out session_regenerate_id(); subsequent pages load properly (the $_SESSION array is populated and the user stays logged in).
I have a dev environment that I just set up recently running a newer version of PHP (5.5) and this code is functioning as I would expect it to. I'm not aware of any other differences.
What am I missing? Thanks in advance.
session_start();
$_SESSION['name'] = "mike";
session_regenerate_id();
echo $_SESSION['name'];
outputs 'mike'
I did a little test on my server and it seems to be working fine.
<?php
session_start();
$old = session_id();
$_SESSION['name'] = "mike";
session_regenerate_id();
$new = session_id();
echo $_SESSION['name']."<br/>\n";
echo $old ."<br/>". $new
?>
Here is a sample of the output:
mike
d9oog3vo55936m3088o25qqe27
m6qq99pp1c80mit8e66ho3hfn3
As you can see, it is changing the session id and keeping the session variables in place, as it is supposed to. Perhaps your hosting provider has some funky settings in the php.ini? You might want to look into that.
Alternatively, and it is a bit of a hassle, couldn't you create a cookie with a key that will log them back in immediately after it logs them out, then delete the cookie?
After a good night's rest, it occurred to me that you probably have some header issues. Sessions are only valid within the same domain they are set in, so for example, if you set the session variable in www.example.com, then use a header redirect to header("location:example.com");, your session variables will be blank, as they aren't set for that domain, they are set for www.example.com. I would check through your code and see if that is the issue, as you say, it is working fine in your sandbox.
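The cause described above (a session cookie set on www.example.com is not sent to example.com) can be ruled out with one shared include, shown here as an added example that is not code from the thread. CANONICAL_HOST and start_app_session() are assumed names, and the sketch assumes the site is served over HTTPS.

```php
<?php
// Added example, not code from the thread. CANONICAL_HOST and
// start_app_session() are assumptions made for illustration.
declare(strict_types=1);

const CANONICAL_HOST = 'www.example.com';

function start_app_session(): void
{
    // Send every request to one host before touching the session, so the
    // browser always presents the same session cookie.
    $host = strtolower($_SERVER['HTTP_HOST'] ?? CANONICAL_HOST);
    if ($host !== CANONICAL_HOST) {
        $uri = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
        exit;
    }

    session_set_cookie_params([
        'lifetime' => 0,       // cookie lasts until the browser closes
        'path'     => '/',     // sent for /index.php and for pages in subfolders
        'domain'   => '',      // host-only: not shared with other subdomains
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

start_app_session();
```

The array form of session_set_cookie_params() needs PHP 7.3 or later; include the file as the first statement of every page that reads $_SESSION.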
I have this query in mysql in a php page:
mysql_query("INSERT INTO tz_todo SET text='".$text."',
position = ".$position.",
user_id=".$_SESSION['user_id'].",
view_stat=0");
I tried to echo the query and the result is this:
INSERT INTO tz_todo SET text='trial text', position = 21, user_id=, view_stat=0
It seems that it can't get the session value of user_id.
And $_SESSION['user_id'] is not working in social engine. How to correct this? I also made a localhost version in my xampp and everything is fine but when I converted it into social engine, session is not working.
In any page where you are using session objects, place this code at the beginning of the file:
if(!isset($_SESSION)){session_start();}
This way if the session is not already started, it starts it; otherwise it ignores the session start if the session is already started.
This is important because calling session_start() if session is started already can sometimes cause errors.
That's how I get my user id through session
session_start();
$userID = $viewer->getIdentity();
$_SESSION['user_id'] = $userID;
echo $_SESSION['user_id'];
Using session to store the user_id is totally wrong. To gain a user_id try
$viewer_id = Engine_Api::_()->user()->getViewer()->getIdentity(); (or $user->getIdentity() if you have another user's object).
If you still need to use session for storing this data, use Zend-approach.
session_start();
$_SESSION["test"] = "hello world";
session_start();
echo $_SESSION["test"];
Does the above code work? If not, check your session.save_path in the php.ini
NOTE: to retain this variable remember to call session_start() on each php script/page before calling for the variable from the session.
You might have forgotten to start your session at the top of the page
<?php if(!isset($_SESSION)){ session_start(); } ?>
$_SESSION['user_id'] might not have stored a value. Check your login page (basically, session variables are set after login) or, after registering, whether you assigned a value to that session variable.
Setting a value to a session variable:
$_SESSION['user_id'] = "1234567";