PHP $_SESSION not working as expected - php

I have a PHP website I'm maintaining and I've confirmed that this worked at one point.
We have a website utilizing a login system which stores a logged in user's information in a $_SESSION['user'] variable. The site used to log out the user when clicking /logout.php which essentially removed that portion of the session, then header() redirected to the homepage.
As of recently, the /logout.php file with session_start() at the top somehow doesn't see the session information when print_r() is used to output it for debugging purposes.
If I go to another page, I see the session info just fine, but not on the logout page...which is exactly why I cannot remove the session info, because it's not accessible.
I thought $_SESSION was global on the site until the browser was closed. I've never had this happen and I know the session instance was started on this page, so it's weird that it's not showing me the session data.
Any ideas? I'm totally stumped on this one!
Code: /logout.php
<?
#session_start() is inside this file
require_once($_SERVER['DOCUMENT_ROOT'].'/includes/config.php');
unset($_SESSION['user']);
header("location: /");
exit();
?>
The checking of $_SESSION['user'] is site-wide and I call to various items below it when needed for different things. Someone else built this site and I'm trying to debug why it's not working for them all of a sudden.

If the domain/subdomain is the same as the rest of the page, I would say this sounds like a typical session vs. output error. Make sure you have enabled all errors, and display them, as you might have printed output to the client before calling session_start(). This will break the function and make sessions unavailable.
To fix the problem (if it is the case), you should remove all output before session_start. Even a space before <?php will be considered output by Apache (and others). Also make sure you have disabled BOM (Byte Order Mark) in the document (any decent editor will let you change this, just look for something like "Current file settings").

Always remember the first line of your PHP code should be session_start(); and nothing else. If all you're going to do is unset the session variables and destroy the session, try removing the require_once($_SERVER['DOCUMENT_ROOT'].'/includes/config.php'); and add the session_start() and the session_destroy() at the end of the logout.php file and see if it works.

Are you accessing logout.php from the same exact domain that you set the session to begin with (i.e. example.com vs. www.example.com/logout.php)?
As for just unsetting specific session data, it would be best to call session_destroy() and then unset your cookies to kill the session.
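The teardown this last answer describes (destroy the session, then expire its cookie), written out as an added example that is not the asker's code. It assumes PHP 7.3 or later and default session settings; end_session() is a hypothetical name.

```php
<?php
// logout.php (added example). Nothing may be sent before this tag: no
// whitespace, no BOM, otherwise the cookie and redirect headers are lost.

function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop every value held for this session in the current request.
    $_SESSION = [];

    // Expire the session cookie with the same parameters it was set with;
    // a different path or domain leaves the old cookie in the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    // Remove the session data from server-side storage.
    session_destroy();
}

if (headers_sent($file, $line)) {
    // Output started early: record where, instead of failing silently.
    error_log("logout: output already started at $file:$line");
}

end_session();
header('Location: /');
exit;
```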

Related

Session doesn't get passed from page to page with eval()

I'm trying to get a session to pass from page to page while using eval(). Basically I have one page that handles all other requests and just gets the pages output via an eval() call.
Everything works fine, but for some reason the session information keeps resetting on every refresh. The login system, which also uses sessions, doesn't reset with every page refresh, though.
If you go to http://fretfast.com and view the source code, you can see the contents of $_SESSION starting on line 221.
My question is, how does the login system still work but the other session information keeps getting reset? The firstActivity and lastActivity variables are set on the configuration page that is included on the main file which handles all requests. These only get set if a session has not already been started, like so:
if ( session_id() == '' ) {
    session_start();
    // set other $_SESSION['trail'] variables
}
The requests and requestTimes variables are set inside the object that retrieves a given page's contents via eval().
If anyone has any idea what the problem may be or needs any information I would be glad to provide it. Thanks in advance.
Your check never evaluates to true, so the session_start() never executes.
Unless you specifically changed (or emptied) the session id (either by code or in your php.ini), it defaults to PHPSESSID (and a quick firebug check to your url confirms that).
Skip the check altogether, and just issue the session_start() at the beginning of your file.
P.S. Why do you use eval() ? NEVER use eval() !

SESSION destroys after POST

I'm developing a site for someone where users can post problems to a website and the Admin of the company can view the problems and give a solution for it. I use one page that takes care of the login handling and a mysql db. The problem is that I can log in, it shows me another panel (userpanel), but whatever other button I click, it takes me back to the login panel.
It used to work as I was able to post data to my database, but suddenly after some changes on my website, it stopped working (and I can't find the problem anymore).
When I log in, $_SESSION["LoggedIn"] gets a value and goes to the other panel on the same page with HTTP POST. When I click a button there, it seems that $_SESSION["LoggedIn"] is removed again because I check with isset if the user is logged in, otherwise it shows the userpanel.
// check user logged in
if (isset($_SESSION['LoggedIn'])) {
    // Problem posted
    if (isset($_POST["plaatsen"])) {
        // Processing - plaatsen
        postProblem();
    }
} else {
    // do login thing
}
I've attached my code here and I hope anyone can help me out.
Index.php: http://pastebin.com/BZSirUTT
Functions.php: http://pastebin.com/7Hknhm9r
Website: http://php.olvgroeninge.be/~sac.26A-07/php/Oefeningen/Oefening3/index.php (it's in dutch)
Sessions typically don't disappear by themselves. If they do, assuming you did run session_start() first, it can be due to:
1. The session could not be saved on the server; this can be due to disc space or permission issues. It could also be due to any page output before the session_start() statement. Fortunately, you can see this by heightening the error reporting at the start of your script:
    ini_set('display_errors', 'On');
    error_reporting(-1);
2. The session could not be found; for session to perpetuate it requires the session id at every request. Depending on your settings, this can come from the URL (PHPSESSID=xxx) or cookies. In the latter case, you can verify that your browser sends the cookie by whipping up the browser developer tools.
3. You destroyed the session yourself; calling session_unset or session_destroy will clear and remove the session respectively. Make sure this doesn't happen accidentally.
4. The session is garbage collected; this normally only happens after some time of inactivity, configured using the relevant ini settings.
5. The session could not be read; just like #1 but for reading.
Hope at least one of these points helps you.
Debugging the session
You can add the following code to all pages to isolate the problem:
echo '<pre>', htmlspecialchars(print_r($_COOKIE, true)), '</pre>';
session_start();
echo '<pre>Session = ', session_id(), '</pre>';
Update
The problem is that the index.php doesn't set any cookies; OP created a separate small test page which does set cookies. Turns out the problem is #2 then :)

PHP Regenerating session ID on login / out not working

I'm having trouble getting PHP's session_regenerate_id() to work in an application I'm developing. The application uses a (loose) self-made MVC framework and redirects all requests using .htaccess through the index.php file.
I'm trying to regenerate the session ID on logout but it isn't working correctly.
Here is some code from my logout controller - the expired variable is a check for session timeout:
session_regenerate_id(true);
if (isset($_SESSION['expired']))
{
    $this->registry->template->expired = true;
}
session_unset();
session_destroy();
Also relevant is the code from the beginning of the index.php file:
session_cache_expire(20);
session_start();
session_name("TMU");
//session_regenerate_id();
I'm echoing out the result of session_id() at the bottom of each page to see what it contains to test if it has been regenerated.
The session ID doesn't change when you logout however. When you login again (even with another account) the session ID is the same.
You'll notice the commented out fourth line of the index.php file - if I uncomment that line the ID appears to be regenerated on every page as it should. However, when I comment the line out again the session ID is once again the original ID from before I uncommented the line in the index file...
I'm just wondering how I can get session_regenerate_id() to work. It seems like it's just not 'committing' the changed id. I've tried using session_commit() but I don't understand how it works fully and it was giving me an error when I tried to destroy the session.
PHP 5.3.10 and apache 2.2.21
After revisiting this topic several times, I have figured it out. There were two problems.
session_regenerate_id() must be called before any HTML output is displayed and/or headers are sent. (It needs to be called as one of the first functions, just like session_start()).
Order matters. session_name("TMU") needs to be called BEFORE session_start() to have the desired result - I didn't catch this before.
Basically what was happening to me was calling session_name("TMU") after session_start() was causing it to set TWO session ID cookies - two sessions - one named TMU the other just the default PHPSESSID. Changing the order fixed all my problems and regenerating the ID / destroying the old session works as expected now.
For anyone having problems doing this I suggest you echo out the $_SESSION and $_COOKIE arrays to see what is happening in your particular application.
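The ordering fix from this answer, with ID regeneration at login and a check for the two-cookie state, as an added example that is not the poster's code. "TMU" is the name from the post; the function names and the 'user_id' key are hypothetical, the stray-cookie check is a heuristic, and PHP 7.3 or later is assumed.

```php
<?php
function start_app_session(string $name = 'TMU'): void
{
    // Name and cookie flags go BEFORE session_start(); once a session is
    // active they no longer take effect for it.
    session_name($name);
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Refuse session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function login_user(int $userId): void
{
    // Fresh ID at the privilege change; true deletes the old session's
    // stored data, so an ID known before login stops working.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Returns names of cookies, other than the expected one, whose values
// look like PHP session IDs (heuristic: other long tokens match too).
function stray_session_cookies(array $cookies, string $expected): array
{
    $stray = [];
    foreach ($cookies as $name => $value) {
        if ($name !== $expected && is_string($value)
            && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $value)) {
            $stray[] = $name;
        }
    }
    return $stray;
}

// Constructed sample of $_COOKIE in the broken ordering (two session cookies).
$sample = [
    'TMU'       => 'q1w2e3r4t5y6u7i8o9p0a1s2d3',
    'PHPSESSID' => 'z9x8c7v6b5n4m3l2k1j0h9g8f7',
    'theme'     => 'dark',
];
print_r(stray_session_cookies($sample, 'TMU'));
```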

PHP Session variable not accessible

I am having a problem accessing a session variable. I have one page, let's say test.php; when I use print_r($_SESSION) here, it prints all the session data. But when I use Redirect then I am unable to access session data on test2.php, i.e. print_r prints an empty array, even though I have session_start() at the top of my script.
Then I tried header("Location: test2.php") and now session data is accessible.
But I want the page to be redirected on onClick of a button.
Please help ..
Make sure you have session_start(); in the head of both files and you're not browsing in a private browsing mode.
I was using the path http://localhost/project/orders.php in href, then I changed it to just orders.php and it worked.
Cheers
Sometimes, accessing with http or https or http://www can make the difference of variables in session being accessed or not. Please browse through all in order to be certain, as sometimes saved urls are with www whereas the session is created with simple http. It matters in session accessibility.

Weird session scope issue in PHP

I am having a really unusual problem I have never had before. I have a signup page/form and a processing page that the form submits to; on the processing page I set any errors that are in the user data, like empty fields, and set them to a session var array
$_SESSION['signup_errors'] = $signup_errors;
$signup_errors is an array that I set to the session. I can then access that session data on the same page, but I just changed my site around to use mod-rewrite to change the URLs, and the only thing that I can seem to think of is that on my signup form I cannot access these session variables anymore. Now that I use mod-rewrite the URL is like this: domain.com/account/new, and it used to be domain.com/?p=account.new, so now it appears that it is in a different folder. Could that have something to do with it?
I have tried debugging it a lot and the only thing I can come up with is that, because it appears to be a different directory now because of the mod-rewrite, maybe that makes the session inaccessible?
Are you sure you're starting sessions on every page you're accessing? I would check to make sure there's
session_start();
Wherever necessary.
Also, what does
print_r( $_SESSION );
return? Anything at all? If not it would probably indicate what I was saying.
I would check that you're not changing domains. E.G. domain.com -> www.domain.com
Normally a cookie is used to track the session id, and by default, the cookie is tied to a single domain. I.E. If the session was created at www.domain.com, when you visited login.domain.com the cookie wouldn't be sent resulting in no session information.
It happened to me once, maybe you have a similar scenario. The session variable was temporary and I would destroy it once it was outputted to the screen.
With mod rewrite, if you are routing everything and there is a broken image, that might be redirected to your PHP script as well; it would in the background print out the error and destroy that session var.
Just a thought!
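Why a session is not found on a sibling host, as an added example that is not from any of the answers: a reduced form of RFC 6265 domain matching, run on the host names used above. cookie_is_sent() is a hypothetical helper; it ignores IP-address hosts, cookie paths and the Secure flag.

```php
<?php
function cookie_is_sent(string $originHost, string $domainAttr, string $requestHost): bool
{
    $originHost  = strtolower($originHost);
    $requestHost = strtolower($requestHost);
    $domainAttr  = strtolower(ltrim($domainAttr, '.'));

    if ($domainAttr === '') {
        // Host-only cookie (PHP's default: session.cookie_domain is empty).
        // The browser returns it only to the exact host that set it.
        return $requestHost === $originHost;
    }

    // Domain cookie: returned to that domain and to all of its subdomains.
    if ($requestHost === $domainAttr) {
        return true;
    }
    $suffix = '.' . $domainAttr;
    return substr($requestHost, -strlen($suffix)) === $suffix;
}

// Constructed cases: [host that set the cookie, Domain attribute, requested host].
$cases = [
    ['www.domain.com', '',           'www.domain.com'],
    ['www.domain.com', '',           'login.domain.com'],
    ['www.domain.com', '',           'domain.com'],
    ['www.domain.com', 'domain.com', 'login.domain.com'],
    ['www.domain.com', 'domain.com', 'domain.com'],
];

foreach ($cases as [$origin, $attr, $request]) {
    printf(
        "set by %-15s Domain=%-11s request to %-17s %s\n",
        $origin,
        $attr === '' ? '(none)' : $attr,
        $request,
        cookie_is_sent($origin, $attr, $request) ? 'sent' : 'not sent'
    );
}
```

Setting session.cookie_domain to the parent domain makes the session follow the user across subdomains, but it also delivers the session ID to every host under that domain.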
