Hi Andras,

Yes, good point. Thank you. It could be that the IP address of the user is changing on each HTTP request that is made, which would explain the problem (although that does seem quite odd). Can anyone confirm whether AOL (or any other ISPs for that matter) change a user's IP address as seen by the web server (for example through a proxy) within the same session?

Assuming that the above is the problem, does anyone know whether removing the check in the authentication to see whether the user is using the same IP address as they logged in with compromises the security of the login, i.e. will it be possible for someone to hijack the login if this check is not there? Or does anyone have any other suggestions for doing authentication?

Thank you.

Regards,
Andy

"Andras Kende" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> -----Original Message-----
> From: Andy Higgins [mailto:[EMAIL PROTECTED]
> Sent: Saturday, December 27, 2003 6:04 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] PHP Session Variables Not Being Set For Certain Browsers
>
> Hello All,
>
> I have been racking my head over a problem where a large percentage of users
> are unable to log into my PHP site due to what seems to be a problem with
> setting PHP session variables on certain end user browsers (certain versions
> of AOL seem to be particularly problematic). Below are some snippets of code
> that are used to do the authentication/login.
>
> Has anyone encountered the same problem and if so do you have a solution?
> The only solution I can think of is to pass the session using PHPSESSION in
> the URL, however I would like to avoid this if at all possible as it involves
> a major re-write of the code (as session variables are used elsewhere in the
> session) and if I am not mistaken if a user accesses a non-PHP page then the
> session is lost, requiring them to log in again.
>
> Currently the following code is used to check whether a user is logged in:
>
> <?php
>
> $notAuthenticated = !isset($HTTP_SESSION_VARS['authenticatedUser']);
>
> $notLoginIp = isset($HTTP_SESSION_VARS['loginIpAddress']) &&
>     ($HTTP_SESSION_VARS['loginIpAddress'] != $_SERVER["REMOTE_ADDR"]);
>
> if ($notAuthenticated || $notLoginIp) {
>
>     if (!session_is_registered("targetURL"))
>         session_register("targetURL");
>
>     $HTTP_SESSION_VARS['targetURL'] = $_SERVER["REQUEST_URI"];
>
>     header("Location: /smartbid/php/Login.php");
>
> }
>
> ?>
>
> And in Login.php after doing a check on the username and password the
> following session variables are set:
>
> session_start();
>
> session_register("authenticatedUser");
> $HTTP_SESSION_VARS['authenticatedUser'] = $userId;
>
> session_register("loginIpAddress");
> $HTTP_SESSION_VARS['loginIpAddress'] = $_SERVER["REMOTE_ADDR"];
>
> It is the setting of the above session variables in Login.php that appears
> to be failing for some browsers, resulting in users using these browsers
> continually being redirected to the Login page when the above check to see
> if they are logged in is done.
>
> Any help that could be supplied would be greatly appreciated.
>
> Thank you.
>
> Regards,
> Andy
>
> -------------------------------------
>
> Andy,
>
> Not sure, but maybe AOL users on proxy and their IP address can change.....
>
> Andras Kende
> http://www.kende.com
>
> -------------------------------------
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
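
Added example (not part of the thread and not the poster's code): the login check from the quoted message, restated as a pure function and replayed over a constructed request sequence in which the client address changes mid-session, as it would behind a proxy pool. The function names, the user id and the sample addresses are assumptions made for the illustration.

```php
<?php
// Added illustration; function names and sample data are constructed.

// The check from the quoted message as a pure function.
// Returns true when the request would be redirected to Login.php.
function needsLogin(array $session, string $remoteAddr, bool $checkIp): bool
{
    $notAuthenticated = !isset($session['authenticatedUser']);
    $notLoginIp = $checkIp
        && isset($session['loginIpAddress'])
        && $session['loginIpAddress'] !== $remoteAddr;
    return $notAuthenticated || $notLoginIp;
}

// What Login.php stores after the username and password are verified.
function logIn(string $userId, string $remoteAddr): array
{
    return ['authenticatedUser' => $userId, 'loginIpAddress' => $remoteAddr];
}

// Replays a list of client addresses against one session and returns
// 'ok' or 'redirect' per request. After a redirect the user is assumed
// to log in again from the address of that request.
function replay(array $addresses, bool $checkIp): array
{
    $session = logIn('user42', $addresses[0]);
    $results = [];
    foreach ($addresses as $addr) {
        if (needsLogin($session, $addr, $checkIp)) {
            $results[] = 'redirect';
            $session = logIn('user42', $addr);
        } else {
            $results[] = 'ok';
        }
    }
    return $results;
}

// Constructed sample: one browser whose requests leave through three
// proxies (documentation addresses from 192.0.2.0/24).
$viaProxyPool = ['192.0.2.10', '192.0.2.11', '192.0.2.10', '192.0.2.12'];

echo 'IP check on:  ', implode(' ', replay($viaProxyPool, true)), "\n";
echo 'IP check off: ', implode(' ', replay($viaProxyPool, false)), "\n";
```

With the comparison enabled, every address change in the sample forces a new login; with it disabled, the session is accepted from any address, so possession of the session identifier alone decides who is treated as logged in.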