So I created this little login system for my PHP site. I have a login form where I first create the session with a few session variables like UserId and such.
I also do session_destroy() before I create the session so that any existing session will be destroyed.
Then I have this php file that I include on the top of every page on my site which opens that session with session_start() and starts the mysql connection and such.
Problem is, on some pages the session does open correctly and on other pages seems to create a new session. In fact if I go to another page and return to the page where the correct session isn't opening it's the same incorrect session, so I actually have two sessions opened it seems...
When I echo the session ID on the page where it works and the one where it doesn't, they have different session IDs, so I'm confused.
First of all don't use session_destroy() as it will delete the session on the next page request. Instead use:
unset( $_SESSION ); //this will delete the session immediately
To try and test the problem use the session_id() function:
<?php
$a = session_id();
if(empty($a)) session_start();
echo "SID: ".SID."<br>session_id(): ".session_id()."<br>COOKIE: ".$_COOKIE["PHPSESSID"];
?>
If you are getting duplicate cookies (as is the case here), check the domain and path of each cookie. Make sure the cookie path and domain are always set to the same domain and the path is always the root of your website (assuming you want the cookies site-global).
Each cookie is visible to the set path and domain, all paths starting with the path set, and may be set to match all subdomains of the domain.
Based on the comments to the question.
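An added example (not part of the original answer) of pinning the session cookie's path and domain in the shared include, so that every page reads and writes the same cookie. The domain `example.com` and the function names are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: shared include that pins the session cookie scope.
// 'example.com' and the function names are assumptions, not the asker's code.

function start_site_session(string $cookieDomain): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                      // already started by an earlier include
    }
    session_set_cookie_params([
        'lifetime' => 0,             // dropped when the browser closes
        'path'     => '/',           // visible to every page, not one directory
        'domain'   => $cookieDomain, // identical on every page: one cookie only
        'secure'   => true,          // HTTPS only; false on a plain-HTTP dev host
        'httponly' => true,          // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, after the credentials have been verified.
function login_user(int $userId): void
{
    session_regenerate_id(true);     // new ID; the pre-login session is deleted
    $_SESSION = [];                  // drop anything left from before the login
    $_SESSION['UserId'] = $userId;
}

// Logout: clear the data, expire the cookie with the same scope, destroy storage.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

start_site_session('example.com');
```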
I have 4 SESSION variables for keeping a user active
$_SESSION['login']
$_SESSION['m_ID']
$_SESSION['l_cd']
$_SESSION['loginAs']
When I visit another profile from my profile I am automatically logged out, because $_SESSION['m_ID'] changes to the ID of the profile I visit. I only change $_SESSION['m_ID'] when logging in. There are three types of login:
normal user
admin
cookie (if you select "remember me", after you close the browser and reopen it, the session is automatically set from cookies)
I searched the entire site for $_SESSION['m_ID'] = and '$_SESSION["m_ID"]=' but I only found these three. On my local site it works fine. Is there any way to find where the session is changed?
PHP stores in your browser a cookie with a reference to the physically serialized file of the session data.
When you call session_destroy() or similar, this cookie expires. After logout, when you call session_start(), a new cookie is created with a reference to another file.
You need to unset all variables because you don't refresh the session; the cookie is the same all the time. I recommend that you use session_destroy() to log out.
I have a php file on external-site.com like this:
<?php
session_start();
$_SESSION['something'] = "whatever";
?>
This PHP file I include on a different website example.com like this:
<script src="http://external-site.com/session.js.php"></script>
Does this work? I do not want to use the session on example.com itself. I only need it for external-site.com. So I do not want to transfer the session to another domain or anything like that.
If so, in which browser does it work and in which browser it does not?
The session is identified in a cookie with the session ID. Since you're loading the file with an http:// call, it should create the session and add a cookie with the session ID from external-site.com.
However, you're probably going to run into issues with 3rd party cookie permissions doing this, regardless of browser. If your user has 3rd party cookies enabled, you're good. If they have them disabled, then no cookie, and hence no session.
You can't use the session from one site on another. Every site has its own session IDs saved on the client's PC.
I'm building a simple website with few pages such as index.php, about.php etc. I've included navigation file and I want it to automatically choose current page and use different styling. It can be done with one variable. The easiest way is to use GET method but I want to have shorter URL. So is there any other way? Because as far as I know POST refers only to forms. Maybe I should use cookies?
Use a session. It will keep a set of values stored in the $_SESSION superglobal as long as the client's session cookie is still set.
Example:
page1.php
<?php
session_start();
$_SESSION['test'] = "Hello, session!";
?>
page2.php
<?php
session_start();
echo $_SESSION['test'];
?>
If you visit page2.php first, you'll get no output. Once you visit page1.php, it will set the 'test' session variable. When you view page2.php again, it will show the result. This session is server-side, and is accessed by the session ID stored in a cookie by the browser. Session cookies are usually deleted when the browsing session ends (i.e. the user closes the browser) or when the session cookie timeout expires. Most sites use this as a mechanism to handle logins, by setting session variables relating to the logged in user (e.g. user id) when a login completes successfully.
See the PHP sessions reference: http://www.php.net/manual/en/book.session.php
I use OAuth to authenticate at an external website. Everything is okay, but the session variable is missing after redirecting back from the external website.
Summary:
I store a session var on my website, then go to the login page of the other website. After logging in and confirming, it redirects to my callback. When I check the previous session var, it is missing! How do I fix it?
I tried to call session_start() everywhere I use the session but it doesn't work. Of course I enabled sessions in "php.ini" and enabled cookies in the browser. :) I debugged but can't find the reason.
Update:
After storing my session var, I do a request like this:
http://mixi.jp/connect_authorize.pl?oauth_callback=http%3A%2F%2Fmypage.com%2Fcallback.php&oauth_token=fjdklsfjlksd
Note the oauth_callback; it is the redirect URL. I don't know what mixi.jp uses to redirect.
Make sure your site's domain is 100% identical before and after the redirection.
Note that
www.yoursite.com
and
yoursite.com
are two different sites cookie-wise.
The session ID is stored in a cookie. The cookie is sent with every page of the domain it was registered for. When you jump to another domain, your cookie with the session ID is not sent. You must pass the session ID to your new domain and then create a new cookie in this domain with the session ID.
header('Location:redirect.php?session=' . session_id());
And then in the redirected page restore the session
<?php
session_id($_GET['session']);
session_start();
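An added example, not part of the original answer: a session ID accepted straight from the query string can be chosen by whoever builds the link (session fixation), so this variant wraps the ID in a short-lived HMAC-signed token and issues a fresh ID once it has been accepted. The function names, the shared key and the 60-second lifetime are assumptions, and both sites are assumed to share session storage, as the answer above requires.

```php
<?php
// Added example: signed, short-lived handoff of a session ID between two sites.
// HANDOFF_KEY, the function names and the 60 s lifetime are assumptions.

const HANDOFF_KEY = 'replace-with-a-long-random-secret-shared-by-both-sites';

// Sending site: build the token that goes into the redirect URL.
// Token layout: <session id>.<expiry timestamp>.<hex HMAC-SHA256>
function make_handoff_token(string $sid, int $now, int $ttl = 60): string
{
    $payload = $sid . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, HANDOFF_KEY);
}

// Receiving site: return the session ID, or null if the token is forged,
// malformed or expired.
function read_handoff_token(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$sid, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $sid . '.' . $expires, HANDOFF_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;                        // signature mismatch
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                        // expired
    }
    // Only the characters PHP uses in the session IDs it generates.
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) === 1 ? $sid : null;
}

// Sending page:
//   $t = make_handoff_token(session_id(), time());
//   header('Location: redirect.php?session=' . rawurlencode($t));
//
// Receiving page (redirect.php):
//   $sid = read_handoff_token($_GET['session'] ?? '', time());
//   if ($sid === null) { http_response_code(400); exit; }
//   session_id($sid);
//   session_start();
//   session_regenerate_id(true);  // the ID that travelled in the URL is retired
```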
I have 2 pages: login.php and index.php. Both pages start with
session_start();
When I set
$_SESSION['user'] = "name";
in login.php and then open index.php, my session object is empty. How come?
EDIT:
I found the problem: IE 7. I had to grant access to my domain. However, I thought a session is stored on the server, instead of the client? Then why do I have to grant IE access to my domain? (http://www.pcwindowstips.com/2007/09/04/how-to-enable-cookies-in-internet-explorer-7/)
I thought a session is stored on the server, instead of the client? Then why do I have to grant IE access to my domain? (http://www.pcwindowstips.com/2007/09/04/how-to-enable-cookies-in-internet-explorer-7/)
The way sessions work is that a session cookie is stored for the site, which contains your session ID. The only way the server knows who you are is when it reads the session ID cookie on every page load. All of the $_SESSION data is stored on the server for each user, but the cookie must be set for the server to know which $_SESSION data to retrieve.
This is also why you can essentially "become" another user if you obtain their session id cookie.
Internet Explorers have a stricter cookie policy than most other browsers. Check your session cookie parameters (see also session_get_cookie_params()) and try to replace the default values by explicit values where possible. Additionally you might send a [fake P3P policy](http://msdn.microsoft.com/en-us/library/ms537343(VS.85).aspx) to satisfy the Internet Explorers.
Perhaps this variable in php.ini is mapping to an existing path
session.save_path = "c:/wrong/path"
Here is something that happened to me that might shed light for someone. My session wasn't working properly. IE 8 and Firefox were losing the session information.
I included a file. That included file had an extra carriage return after the trailing ?>
That carriage return started the session. I put session_start after the include. BOOM.
Not much info here, I'll try to use my psychic powers.
After the user logs in, do you set the session var and then redirect the user to index.php using an http header? If so, I don't think the session cookie gets sent to the user. If that is the case, the solutions are:
call session_start() when the login form is initially displayed (not just after the user posts back to it); or:
display a "login successful!" message and then redirect with a meta-refresh, or just provide a link to index.php.
You can also try to dump the session ID on both pages, to see if you are somehow starting a new session:
echo 'Session ID is: ' . SID . "<br/>\n";
You need to verify that cookies are enabled and that nothing (this includes blank lines at the beginning or at the end of the archive) is sent to the browser before you call session_start().
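An added example (not from any of the answers above) for the "output before session_start()" cases described here: it reports where output began and checks every included file for a BOM, leading whitespace, or blank output after the closing tag. The function names are assumptions.

```php
<?php
// Added example: find output that reaches the browser before session_start().
// Function names are assumptions.

// Return a list of problems found in one PHP source string.
function find_stray_output(string $source): array
{
    $problems = [];
    if (strncmp($source, "\xEF\xBB\xBF", 3) === 0) {
        $problems[] = 'UTF-8 BOM before the opening tag';
    } elseif (preg_match('/^\s+<\?/', $source) === 1) {
        $problems[] = 'whitespace before the opening tag';
    }
    $close = strrpos($source, '?>');
    if ($close !== false) {
        $tail = substr($source, $close + 2);
        // PHP swallows one newline directly after "?>"; anything more is output.
        $tail = preg_replace('/^\r?\n/', '', $tail, 1);
        if ($tail !== '' && trim($tail) === '') {
            $problems[] = 'blank output after the closing tag';
        }
    }
    return $problems;
}

// Start the session, or explain why the session cookie can no longer be sent.
function start_session_or_explain(): string
{
    if (headers_sent($file, $line)) {
        $report = "Output started at $file:$line, so no session cookie can be sent.";
        foreach (get_included_files() as $path) {
            foreach (find_stray_output((string) file_get_contents($path)) as $p) {
                $report .= "\n  $path: $p";
            }
        }
        return $report;
    }
    session_start();
    return 'Session started: ' . session_id();
}

// Call this where session_start() used to be and log the result.
error_log(start_session_or_explain());
```

With output buffering enabled in php.ini the stray output is held back and headers_sent() stays false, so the file scan is also worth running on its own against included files.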