I'm having serious issues with session management in PHP and am trying to determine if it's a problem with my hosting company or a problem in my code.

The flow of my site is:

login_page -> session_start_page -> form_page -> display_results_page

Upon login a POST is made to session_start_page.  This page checks that the user exists in the database and then creates a session and populates a session variable ($session_id) to 123456.  session_start_page then calls header(location) to forward to the form_page.  I output the $session_id for debugging purposes on every page following the session_start_page.

The problem occurs as such:

Upon initial login, when the user reaches the form_page the $session_id is populated and prints "123456".  However, when a user submits the form and a GET is made to display_results_page, the $session_id has been deleted (i.e., prints no value).  Since my code relies on the $session_id variable for security, this causes the user to be forwarded to an intermediate error page and then back to the login_page.

Upon the second login, everything functions as I would expect it to...the session_id variable is populated on every screen and no error occurs.

At first I thought the problem might be the version of PHP my hoster was using.  Up until a week ago, the version was 4.0.4pl1.  However, the server was upgraded to PHP 4.0.5 last week.  Now, the problem seems to be fixed in Netscape 4.07 but still occurs when using IE 4.

I'm at a loss. I've done quite a bit of research into this problem and haven't found an answer.  Any help anyone could provide would be much appreciated.  The code is as follows:

-------------------------------------------------------------------------------

host.php (configuration file)
-------------------------------------------------------------------------------

<?
    $base_href="http://xxxxx/membership/";
    $dbuser="user";
    $dbpass="pass";
    $dbhost="localhost";
    $database="members";
    $member_table="MEMBERS";
    $login_table="LOGIN";
?>
-------------------------------------------------------------------------------

login_page.php
-------------------------------------------------------------------------------

<HTML>
<HEAD><TITLE>Login</TITLE>
</HEAD>
<BODY BGCOLOR="white">
<h4>Please login to view the member database:</h4>
<FORM name="login" ACTION="session_start_page.php" METHOD="POST">
<TABLE name="login_table">
<TR><TD>Username: </TD><TD><INPUT NAME="username" TYPE="text"></INPUT></TD></TR>
<TR><TD>Password: </TD><TD><INPUT NAME="password" TYPE="password"></INPUT></TD></TR>
<TR><TD COLSPAN=2><INPUT TYPE="submit" value="login"></INPUT></TD></TR>
</TABLE>
</FORM>
</BODY>
</HTML>
-------------------------------------------------------------------------------

session_start_page.php
-------------------------------------------------------------------------------

<?
    include("host.php");

    mysql_pconnect($dbhost, $dbuser, $dbpass);

    $db    = $database;

    $table = $member_table;

    $result = mysql_db_query($db, "select username, password from $login_table");

    while ($row=mysql_fetch_row($result))
    {
        if (($username==$row[0])&&($password==$row[1]))
        {
            $logged=true;
        }
    }
    if ($logged==true)
    {

        session_start();

        session_register('session_id');

        $session_id = 123456;

        header("location:form_page.php");
    }
    else
    {
        print "Invalid login!";
    }
?>
-------------------------------------------------------------------------------

form_page.php
-------------------------------------------------------------------------------

<?
    include("host.php");

    session_start();

    if($session_id)
    {
?>
<HTML>
<HEAD><TITLE>Member Information</TITLE>
<BASE HREF="<?=$base_href?>">
</HEAD>
<BODY BGCOLOR=WHITE>
<? print "SESSION: $session_id<BR>"; ?>
<FORM NAME="SEARCH_MEMBERS" METHOD=POST ACTION="display_results_page.php">
<TABLE>
<TR>
<TD>Last Name: </TD><TD><INPUT TYPE=TEXT NAME=LASTNAME></INPUT></TD>
</TR>
<TR>
<TD>First Name: </TD><TD><INPUT TYPE=TEXT NAME=FIRSTNAME></INPUT></TD>
</TR>
<TR>
<TD>Street: </TD><TD><INPUT TYPE=TEXT NAME=STREET></INPUT></TD>
</TR>
<TR>
<TD>City: </TD><TD><INPUT TYPE=TEXT NAME=CITY></INPUT></TD>
</TR>
<TR>
<TD>State: </TD><TD><INPUT TYPE=TEXT NAME=STATE></INPUT></TD>
</TR>
<TR>
<TD>Zip: </TD><TD><INPUT TYPE=TEXT NAME=ZIP></INPUT></TD>
</TR>
<TR>
<TD>Phone: </TD><TD><INPUT TYPE=TEXT NAME=PHONE></INPUT></TD>
</TR>
<TR>
<TD COLSPAN=2><INPUT TYPE=SUBMIT VALUE="SEARCH"></INPUT></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>
<? }
   else
   {
?>
<HTML>
<BODY onLoad="location.href='error.html'">
</BODY>
</HTML>
<? } ?>
-------------------------------------------------------------------------------

display_results_page.php
-------------------------------------------------------------------------------

<?
    include("host.php");

    session_start();

    if(session_is_registered("session_id"))
    {
?>
<HTML>
<HEAD><TITLE>RESULTS</TITLE>
<BASE HREF="<?=$base_href?>">
</HEAD>
<BODY BGCOLOR=white>
<?
    print "Session_id: $session_id<BR>";

    if ($COMMAND==0)
    {
        $dbh = mysql_connect($dbhost, $dbuser, $dbpass);

        mysql_select_db($database);

        $stmt = "SELECT * FROM $member_table ";

        if ($LASTNAME)
        {
            $TEMP .= (($TEMP) ? " AND " : " WHERE ") . "LAST_NAME LIKE '%$LASTNAME%'";
        }
        if ($FIRSTNAME)
        {
            $TEMP .= (($TEMP) ? " AND " : " WHERE ") . "FIRST_NAME LIKE '%$FIRSTNAME%'";
        }
        if ($STREET)
        {
            $TEMP .= (($TEMP) ? " AND " : " WHERE ") . "STREET LIKE '%$STREET%'";
        }
        if ($CITY)
        {
            $TEMP .= (($TEMP) ? " AND " : " WHERE ") . "CITY LIKE '%$CITY%'";
        }
        if ($STATE)
        {
            $TEMP .= (($TEMP) ? " AND " : " WHERE ") . "STATE LIKE '%$STATE%'";
        }
        if ($ZIP)
        {
            $TEMP .= (($TEMP) ? " AND " : " WHERE ") . "ZIP LIKE '%$ZIP%'";
        }
        if ($PHONE)
        {
            $TEMP .= (($TEMP) ? " AND " : " WHERE ") . "PHONE LIKE '%$PHONE%'";
        }

        $sth  = mysql_query($stmt . $TEMP, $dbh);

        $cnt = 0;

        while($row = mysql_fetch_array($sth, MYSQL_ASSOC))
        {
            $cnt++;
            $href = "memSearch.php?LAST_NAME=" . urlencode($row["LAST_NAME"]) .
                "&FIRST_NAME=" . urlencode($row["FIRST_NAME"]) .
                "&STREET="     . urlencode($row["STREET"]) .
                "&CITY="       . urlencode($row["CITY"]) .
                "&STATE="      . urlencode($row["STATE"]) .
                "&ZIP="        . urlencode($row["ZIP"]) .
                "&PHONE="      . urlencode($row["PHONE"]) .
                "&COMMAND=1";

            print "<p><DIV style=\"background-color:white;border:thin solid #9999cc\">";
            print "<a href=\"$href\">";
            print $row["LAST_NAME"] . ", " . $row["FIRST_NAME"];
            print "</a></DIV></p>\n";
        }
        if($cnt==0)
        {
            print "No entries found by that criteria.  Please <a href=\"form_page.php\">[ try ]</a> again!";
        }
    }
    else
    {
?>
<DIV ALIGN=center>
<TABLE WIDTH=60% BORDER=0 CELLPADDING=4 CELLSPACING=0 STYLE="page-break-before: always">
        <COL WIDTH=64*>
        <COL WIDTH=91*>
        <COL WIDTH=37*>
        <COL WIDTH=64*>
                <TR VALIGN=TOP>
                        <TH COLSPAN=2 WIDTH=61% BGCOLOR="#9999cc">
                                <P><? echo "$FIRST_NAME $LAST_NAME"; ?>
                                </P>
                        </TH>
                        <TH ROWSPAN=2 COLSPAN=2 WIDTH=39% BGCOLOR="#9999cc">
                                <P><IMG SRC="images/dispimg.jpg"></IMG>
                                </P>
                        </TH>
                </TR>
                <TR>
                        <TD COLSPAN=2 WIDTH=61% VALIGN=TOP BGCOLOR="#9999cc">
                                <P><?=$STREET?><BR>
                                   <? echo "$CITY, $STATE $ZIP" ?><BR>
                                   <? echo "$PHONE" ?></P>
                        </TD>
                </TR>
</TABLE>
<A HREF="form_page.php">[ Search again? ]</A>
</DIV>

<? } ?>
</BODY>
</HTML>
<?
    }
    else
    {
?>
<HTML>
<BODY onLoad="location.href='error.html'">
<? print "session_id: $session_id<BR>";?>
</BODY>
</HTML>
<? } ?>
-------------------------------------------------------------------------------

error.html
-------------------------------------------------------------------------------

<HTML>
<HEAD><META HTTP-EQUIV=REFRESH CONTENT="3;URL=login_page.php">
</HEAD>
<BODY bgcolor=white>
<p><h3>ACCESS DENIED.  Contact administrator at <a href="mailto:admin@xxxxxxxxxxxxx">admin@xxxxxxxxxxxxx</a></h3></p>
<br>
<p>Redirecting you to the login screen.  If browser doesn't refresh, click <a href="login_page.php">[ here ]</a></p>
</BODY>
</HTML>



-- 
PHP General Mailing List (http://www.php.net/)
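
The session check and member search from the post above, rewritten as an added example that is not the poster's code: it reads the login flag only from `$_SESSION` rather than from a global variable that request input can also populate, and binds the search terms as query parameters. It assumes a current PHP with PDO; the `logged_in` key, the function names and the `$pdo` handle are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.1+ with PDO and the
// MEMBERS column names from display_results_page.php; 'logged_in' is a made-up key.

// Call once, right after the submitted credentials have been verified.
function mark_logged_in(): void
{
    session_start();
    session_regenerate_id(true);      // new session ID at the privilege change
    $_SESSION['logged_in'] = true;
}

// Gate a protected page on server-side session state only.
function require_login(): void
{
    session_start();
    if (empty($_SESSION['logged_in'])) {
        header('Location: login_page.php');
        exit;                         // stop: nothing after the redirect is sent
    }
}

// Build the member search with placeholders; column names come from a fixed map.
function build_search(array $input): array
{
    $columns = ['LASTNAME' => 'LAST_NAME', 'FIRSTNAME' => 'FIRST_NAME',
                'STREET' => 'STREET', 'CITY' => 'CITY', 'STATE' => 'STATE',
                'ZIP' => 'ZIP', 'PHONE' => 'PHONE'];
    $where  = [];
    $params = [];
    foreach ($columns as $field => $column) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            continue;                 // skip empty or non-scalar fields
        }
        $where[]  = "$column LIKE ?";
        // Escape LIKE wildcards so the input is matched literally.
        $params[] = '%' . addcslashes(trim($value), '%_\\') . '%';
    }
    $sql = 'SELECT * FROM MEMBERS' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    return [$sql, $params];
}

// In display_results_page.php ($pdo is an assumed, already-open PDO handle):
// require_login();
// [$sql, $params] = build_search($_POST);
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
// foreach ($stmt as $row) { echo htmlspecialchars($row['LAST_NAME'], ENT_QUOTES), "<br>\n"; }
```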