[PHP] PHP Session Variables Not Being Set For Certain Browsers
Hello All,
I have been racking my head over a problem where a large percentage of users
are unable to log into my php site due to what seems to be a problem with
setting php session variables on certain end user browsers (certain versions
of AOL seem to be particularly problematic). Below are some snippets of code
that are used to do the authentication/ login.
Has anyone encountered the same problem and if so do you have a solution?
The only solution I can think of is to pass the session using PHPSESSION in
the URL however I would like to avoid this if at all possible as it involves
a major re-write of the code (as session variables are used elsewhere in the
session) and if I am not mistaken if a user accesses a non-php page then the
session is lost requiring them to log in again.
Currently the following code is used to check whether a user is logged in:
And in Login.php after doing a check on the username and password the
following session variables are set:
session_start();
session_register("authenticatedUser");
$HTTP_SESSION_VARS['authenticatedUser'] = $userId;
session_register("loginIpAddress");
$HTTP_SESSION_VARS['loginIpAddress'] = $_SERVER["REMOTE_ADDR"];
It is the setting of the above session variables in Login.php that appears
to be failing for some browsers resulting in users using these browsers
continually being redirected to the Login page when the above check to see
if they are logged in is done.
Any help that could be supplied would be greatly appreciated.
Thank you.
Regards,
Andy
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hi Andras,
Yes, good point Thank you. It could be that the IP address of the user is
changing on each HTTP request that is made, which would explain the problem
(although that does seem quite odd). Can anyone confirm whether AOL (or any
other ISPs for that matter) change a user's IP address as seen by the web
server (for eample through a proxy) within the same session?
Assuming that the above is the problem, does any one know whether by
removing the check in the authentication to see whether the user is using
the same IP address as they logged in with comprises the security of the
login i.e. will it be possible for some one to hijack the login if this
check is not there? Or does anyone have any other suggesstions for doing
authentication?
Thank you.
Regards,
Andy
"Andras Kende" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> -Original Message-----
> From: Andy Higgins [mailto:[EMAIL PROTECTED]
> Sent: Saturday, December 27, 2003 6:04 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] PHP Session Variables Not Being Set For Certain Browsers
>
> Hello All,
>
> I have been racking my head over a problem where a large percentage of
users
> are unable to log into my php site due to what seems to be a problem with
> setting php session variables on certain end user browsers (certain
versions
> of AOL seem to be particularly problematic). Below are some snippets of
code
> that are used to do the authentication/ login.
>
> Has anyone encountered the same problem and if so do you have a solution?
> The only solution I can think of is to pass the session using PHPSESSION
in
> the URL however I would like to avoid this if at all possible as it
involves
> a major re-write of the code (as session variables are used elsewhere in
the
> session) and if I am not mistaken if a user accesses a non-php page then
the
> session is lost requiring them to log in again.
>
> Currently the following code is used to check whether a user is logged in:
>
>
> $notAuthenticated = !isset($HTTP_SESSION_VARS['authenticatedUser']);
>
> $notLoginIp = isset($HTTP_SESSION_VARS['loginIpAddress']) &&
> ($HTTP_SESSION_VARS['loginIpAddress'] != $_SERVER["REMOTE_ADDR"]);
>
> if ($notAuthenticated || $notLoginIp) {
>
> if (!session_is_registered("targetURL"))
>session_register("targetURL");
>
> $HTTP_SESSION_VARS['targetURL'] = $_SERVER["REQUEST_URI"];
>
> header("Location: /smartbid/php/Login.php");
>
> }
>
> ?>
>
> And in Login.php after doing a check on the username and password the
> following session variables are set:
>
>session_start();
>
>session_register("authenticatedUser");
>$HTTP_SESSION_VARS['authenticatedUser'] = $userId;
>
>session_register("loginIpAddress");
>$HTTP_SESSION_VARS['loginIpAddress'] = $_SERVER["REMOTE_ADDR"];
>
> It is the setting of the above session variables in Login.php that appears
> to be failing for some browsers resulting in users using these browsers
> continually being redirected to the Login page when the above check to see
> if they are logged in is done.
>
> Any help that could be supplied would be greatly appreciated.
>
> Thank you.
>
> Regards,
> Andy
>
>
>
> -
>
> Andy,
>
> Not sure, but maybe AOL users on proxy and their ip address can
change.
>
> Andras Kende
> http://www.kende.com
>
> -
>
>
>
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: SESSION Query
Hi Aniruddha,
Try using
session_start();
$HTTP_SESSION_VARS['session_referer'] = "abc.com";
and
if (session_is_registered('session_referer'))
go to abc.com;
Regards,
Andy
"Aniruddha" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi PhpTeam,
>
> Iam runing PHP 4.3.0 on Apache server.
>
> Iam expiriencing following problem when managing session:
>
> 1) I start session and register session variable by setting $_SESSION:
>
> session_start();
> $_SESSION["session_referer"] = "abc.com";
>
> 2) The above step does not register the variable "session_referer".
> I have following code in another page altogether:
>
> session_start();
>
> if(isset($_SESSION["session_referer"])) {
>go to abc.com;
> }
> else {
>// CONTROL ALWAYS GETS HERE
>go to xyz.com;
> }
>
> 3) However if I redirect immediately after (1) the variable is
> registered properly!!? and the first "if" condition in (2) gets
> satisfied.
>
> 4) I use session_register then there is no problem at all. Only thing is
> I get a Notice that this is no more an advised
> method.
>
>
> What is the reason behind this behaviour?
>
> With regards,
> Aniruddha Deshpande
>
>
>
> !-- Virus-Free Mail Using PostMaster AvAc & QuickHeal Engine --!
>
>
>
> -
> QuantumLink Communications Pvt Ltd, Mumbai, India
>
>
>
> -
> QuantumLink Communications Pvt Ltd, Mumbai, India
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hi Gerard, Thank you very much for the response. Please can you clarify the following: 1. At the time of login will the login code need to check if the clients browser accepts cookies and if not then append the SID as described? If so, do you perhaps have a sample piece of code that does this? 2. Am I correct in understanding that if the client has logged in (with no cookies enabled i.e. the SID needs to be passed) and the site contains other static pages (that cannot pass the SID) that if the client browses any of these static pages and then returns to a page that required the client to be logged that they will have to log in again? 3. For forms, where the SID need to be passed, do you pass this as a hidden form variable or do you do it on the URL? You help is greatly appreciated. Thanks again. Regards, Andy "Gerard Samuel" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > On Saturday 27 December 2003 07:03 am, Andy Higgins wrote: > > Hello All, > > > > I have been racking my head over a problem where a large percentage of > > users are unable to log into my php site due to what seems to be a problem > > with setting php session variables on certain end user browsers (certain > > versions of AOL seem to be particularly problematic). Below are some > > snippets of code that are used to do the authentication/ login. > > > > Has anyone encountered the same problem and if so do you have a solution? > > The only solution I can think of is to pass the session using PHPSESSION in > > the URL however I would like to avoid this if at all possible as it > > involves a major re-write of the code (as session variables are used > > elsewhere in the session) and if I am not mistaken if a user accesses a > > non-php page then the session is lost requiring them to log in again. > > > > Im just putting the finishing touches to my code, that I had to rewrite for > similar reasons as you. > You're going to have to include the session id in the url for those users who > do not allow cookies. > Using this fact about the constant SID > a) If the user's browser accepts cookies, SID will be empty "" > b) If the user's browser does not accept cookies, SID will be "PHPSESSID=xxx" > > So what I did, was append the constant SID to all urls/forms and php header() > (for redirection) functions that point to the site that is serving the > content (dont append SID to urls going to other sites). > > So the final results will be > a) If the user's browser accepts cookies, urls/forms/php header() will be > normal > b) If the user's browser does not accept cookies, the session id is appended > to urls/forms/php header() > > OR > > you can take the easy way out, and turn on transparent ids with -> > http://us2.php.net/manual/en/ > install.configure.php#install.configure.enable-trans-sid -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hi Mark, Thank you for confirming that for me. I am new to the list and did do a search though past messages but did not find this point (obvioulsy I did not look hard enough). Thanks again. Regards, Andy "Mark Charette" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > > -Original Message- > > From: Andy Higgins [mailto:[EMAIL PROTECTED] > > Can anyone confirm whether > > AOL (or any > > other ISPs for that matter) change a user's IP address as seen by the web > > server (for eample through a proxy) within the same session? > > It's been pointed out and confirmed many, many times here. An IP is not > useful for authentication in the general case (you may have a specific case > on an intranet, but major players like AOL put everything through load > balancing proxies that change from request to request). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hi Gerard,
Thank you for your assistance you have been of enormous help.
Regards,
Andy
"Gerard Samuel" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On Saturday 27 December 2003 10:54 am, Andy Higgins wrote:
>
> > 1. At the time of login will the login code need to check if the clients
> > browser accepts cookies and if not then append the SID as described? If
so,
> > do you perhaps have a sample piece of code that does this?
>
> No, php does this for you. Thats why I gave the explanation of the value
of
> SID when browsers accept, or dont accept cookies.
>
> Sample code
>
> session_start();
> if (SID === '')
> {
> echo 'Cookie Exists';
> }
> else
> {
> echo 'Cookie doesnt exist';
> }
>
> echo 'CLICK
ME';
>
> ?>
>
> If the browser does accept cookies, on the first page load, it will report
> "Cookie doesn't exist" because the cookie wont become available till the
next
> page load. After the initial page load, it will report "Cookie Exists".
> If the browser does not accept cookies, it will always say "Cookie doesnt
> exists".
>
> > 2. Am I correct in understanding that if the client has logged in (with
no
> > cookies enabled i.e. the SID needs to be passed) and the site contains
> > other static pages (that cannot pass the SID) that if the client browses
> > any of these static pages and then returns to a page that required the
> > client to be logged that they will have to log in again?
>
> Yes that is correct. The session id must stay in all urls within the
site.
> If you are able to direct them to a static page, you should still be able
to
> pass the SID in the url/form/iframe/etc they click.
>
> > 3. For forms, where the SID need to be passed, do you pass this as a
hidden
> > form variable or do you do it on the URL?
> >
>
> I have it passing in the form's action attribute, so it stays in $_GET
domain
> like regular links.
> echo '
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Simple question
Hi Lab,
I normally use code of the following format, which I think is quite neat:
//Note that you do not need curely brackets in an "if" statement is there is
only one line
if ($_SERVER['REQUEST_METHOD'] == 'POST')
$add = $HTTP_POST_VARS['textbox'];
if ($add == 'Hello')
do something
//It is however recommended that you do the following in order to ensure
that a user does not try to use malicious code in their input
if ($_SERVER['REQUEST_METHOD'] == 'POST')
$add = clean($HTTP_POST_VARS['textbox'], 20);;
if ($add == 'Hello')
do something
where clean() is a function defined in an include as follows:
function clean($input, $maxlength)
{
$input = substr($input, 0, $maxlength);
$input = EscapeShellCmd($input);
return ($input);
}
Hope that helps.
Regards,
Andy
"Labunski" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hello, I have only one simple question..
> I'm using this method to get the values from the text box:
>
> if(isset($_POST["Submit"]) && $_POST["Submit"]=="Submit")
> {
>$add = $_POST['textbox'] ;
> }
>
> But I don't know how to write the source for this:
>
> If the value from the textbox ($add) is "Hello" then.. do something.
> I think it could be nicely done with IF, but I dont know how to write
this..
>
> Can someone help me, please?
>
> Regards,
> Lab.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Problem with fmod() function
Hello,
My understanding from the documentation is that the fmod() function should
work with floating point numbers however the following snippet of code:
";
echo "y: $y ";
echo "fmod: " . fmod($x, $y) . "";
?>
outputs the following:
x: 1.05
y: 0.05
fmod: 0.05
I would have expected to get an answer of 0 i.e. no remainder. It works fine
for whole numbers.
Can any one shed any light on this please?
Thank you.
Regards,
Andy
P.S. I tried using the following function but I get the same results:
function fmodAddOn($x,$y)
{
$i = floor($x/$y);
// r = x - i * y
return $x - $i*$y;
}
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Changing the Time Zone in php.ini
Hello, I have a requirement to run two different sites that are in different time zones on the same machine. Does anyone know if this is possible to do by running two instances of php and making a change in the php.ini? Or do you have any other suggestions on how this can be done? Thank you. Regards, Andy -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
