PHP - Session Issue With Xampp Server.

I just did a huge import from an app I have been working on. No issues except for this.

I uploaded & imported all files & databases from my wampserver (localhost, local server) to my main online server.

Before I continue with the problem, I have to give you info on how the files work.

I am using a "controller" to view the files. Meaning, from index.php, I call all the files. For example, instead of mysite.com/register.php, its mysite.com/index.php?page=register.

The index defines the doctype & html tags etc.

The other files that are called through index.php are just pure php code, it does not contain the head & body tags etc.

So, the issue is , when the surfer submits a form, i need to set a cookie. this cookie is VERY important.
I cannot get it to work. I am getting the header warnings after submit

Of course, this is to be expected. But I tried it on my local server, & it worked. I am not very familiar with cookies, this is a side of PHP i never really even touched. I know almost everything but that.  So the php code is before the html code on the page, so I figured it was worth a shot.
Im guessing the problem here is, since the code being outputted as index.php code + the form page code. So the cookie is being set after the html tags.

How can I fix this? I need it to work thru the controller. I cannot just make it a single file, all files on the site needs to be thru this controller, otherwise it will mess everything up.

Ino I could just add the code from index.php plus the form page code & just run the php code before all of the html tags, but like I said it has to be called thru index.php.

I appreciate your replies, & I hope you guys dont think im an idiot & can understand my question, im terrible with words!

I need to know if this is even possible.  I have found conflicting information on this online. 

Anyway, here is what I want to do.  I have two websites that reside on the same dedicated server.  Both have different IP's.  www.mywebsite1.com and www.mywebsite2.com. 

I need a user that logs in at www.mywebsite1.com to be able to pass the $_SESSION from www.mywebsite1.com to www.mywebsite2.com.  Any help on this would be cool.  Thanks in advance.

Ryan

I'm looking for a secure way to share session data across two different domains (not subdomains) on the same server.

I've looked at passing the session id through a GET var to the other domain. It works but it looks to open the possibility of session hijacking and I don't really like having the session id in the URL string. Any way to make this secure?

The other option I'm looking at is using cURL to load a script on the other domain that sets a cookie with the session id. When the person loads the other domain, check for the cookie, get the session id, connect to session then delete the cookie. Can anyone see anything wrong with this?


Thanks.

hi there - good day dear fellows, 

the topic of today: session.save_path (/tmp) is not writable for web server :: security-risk!?

I am trying to install a script on my OpenSuse Webserver, and I managed to resolve most of the errors except of one:

The value for session.save_path (/tmp) is not writable for the web server.
Make sure that PHP can actually save session variables.

 

 That seems to be the problem.
 

 

session.save_path: writeable 
You need set permission for your var directory.

 

well - i guess that the default ownership may be incorrect on the session folder: 

Example; php on some Linux-Server defaults to apache user. 

If using nginx or other need to switch the folder ownership.  Also as a note you have to change the user/group setting in www.conf.

 

chown -R root:nginx /var/lib/php/7.0/
sed -i 's/apache/nginx/g' /etc/php-fpm-7.0.d/www.conf
service php-fpm-7.0 restart

 

But wait:  what about the security - is it save to make the session.save_path writeable!?

my server-admin says that this is a big big hole and makes the server unsecure. 

love to hear from you 

yours dil_bert

by the way: years ago i have had this issue on the server. 

but the question is - is this a securitiy risk!?  I need to know this. Look forward to hear from you 

Edited March 21, 2020 by dil_bert

I'm using the PHPmotion script, with a use-a-credit to view-a-video mod. When the user logs out, the viewed video should not be available again to view, until he logs back in and chooses it chooses it, via a credit, but it is still available when he logs back in. Any ideas on what file may be responsible for what I guess you could call 'clearing the session'?

i am trying io copy my template to the newly created file using copy function but the copy function does not work on the server it worked fine in localhost.. i tried using fil_get_contents and file_put_function but that didnt work as well mayb cuz of the restrictions of the server.. and i do not have the permission to edit the php.ini file.. i am talking to talk with the hosting company.. but just wanted to knw is der any oder wat to copy my template to a new file that is created?

Im working on an issue that keeps sending the user to logge_in.php and never to post_new.php even if it is the referer. Here is the code I have wrote so far:

Code: [Select]

if($_SERVER['HTTP_REFERER'] =="post_new.php"){
 $referer = "post_new.php";
}elseif($_SERVER['HTTP_REFERER'] =="logged_in.php"){
 $referer = "logged_in.php";
}

header("Location: ".$referer." ");
exit();
}


Thanks in advance!

Hi All,

I'm running trying to add key and values to an array on multiple pages, but it seems to override the array each time I add variables on the next page, even though the keys are different.

Each page has something like this:


Code: [Select]
<label class="yes"><input type="radio" name="form_field[<?php echo "number".$f1; ?>]" value="0" > Yes</label>
<label class="no"><input type="radio" checked="checked" name="form_field[<?php echo "number".$f1; ?>]" value="1" > No</label>
<label class="unsure"><input type="radio" name="form_field[<?php echo "number".$f1; ?>]" value="2" > Unsure</label>
I then collect it as well as other page variables with:

Code: [Select]
session_start();

foreach($_POST as $name => $value) {
$_SESSION[$name] = $value;
}
on all following pages. But rather than adding to the array it writes over it each time.

Any ideas on what's going wrong here. Should the array simply be able to continue to collect the keys or do I need to do something else?

Thanks.

I was told that using a Session will allow me to capture an Object and pass it between pages.

I tried following what I read online and what someone sugegsted but it is not working.

This is the error I get when running my test application...

Quote

Catchable fatal error: Argument 1 passed to Microwave::receiveItem() must be an instance of Bowl, instance of __PHP_Incomplete_Class given, called in /Users/user1/Documents/DEV/++htdocs/Soup/cook.php on line 13 and defined in /Users/user1/Documents/DEV/++htdocs/Soup/classes/Soup.class.php on line 31
Call Stack
#   Time   Memory   Function   Location
1   0.0095   56412   {main}( )   ../cook.php:0
2   0.0101   68272   Microwave->receiveItem( )   ../cook.php:13


I would really appreciate it if someone could look at my code and see where the problem is at.

My guess is that it is in cook.php, but who knows?!

Attached is a ZIP of my entire directory structure.

Thanks,


TomTees

Hi Everyone

I have a weird session issue going on and i'm not sure what is causing it.

Basically any sessions that i set are randomly expiring sooner than they should be. As a test I did the following:

Code: [Select]
<?php
session_start();
if(isset($_SESSION['views'])){
    $_SESSION['views'] = $_SESSION['views']+ 1;
}else{
    $_SESSION['views'] = 1;
}
echo "views = ". $_SESSION['views'];
echo '<p><a href="testpage.php">Refresh</a></p>';

?>

If i continue to click the refresh button, i sometimes get to 30 and then it starts at 1 again. Other times ill get to 20 and then back to 1. It has also sometimes skips a couple of counts from 7 to 11 as an example in one click.

Any one come across this before?

I have been reading up online and some have mentioned PHP upgrades from php4 to php5 cause some issues and specifically the hosting company changing the session.save_path.

If this was the case, it wouldn't even count to 10, would it?

Any help would be really appreciated.

thanks in advance

About to pull my hair out.  Looks simple, I think it's simple, but something is not behaving.  I have a simple login page (loginpage.php) which checks a database for the FamilyID and Password, if it is a match, then it redirects them to userspage.php.  I eventually want to use the FamilyID as a filter for my database so I only show the stuff relative to that FamilyID.  Using CS5 and the built in functions, and it looks to me that the session variable 'MM_Username' should contain the FamilyID which is "adminid" in my database.  It appears to work since it sends me to my userspage.php when I enter a valid FamilyID and Password, but it will not show me my session variable on the that page!!! PLEASE PLEASE HELP...Slap me in the face if it's a stupid question, but I have spent WAY too much time trying to figure what is wrong.  I have included my code:

 

CODE FOR LOGINPAGE.PHP

 

<?php require_once('Connections/MyTest.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;   
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['familyid'])) {
  $loginUsername=$_POST['familyid'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "userspage.php";
  $MM_redirectLoginFailed = "loginpage.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_MyTest, $MyTest);
 
  $LoginRS__query=sprintf("SELECT adminid, password FROM `admin` WHERE adminid=%s AND password=%s",
    GetSQLValueString($loginUsername, "int"), GetSQLValueString($password, "text"));
   
  $LoginRS = mysql_query($LoginRS__query, $MyTest) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
   
if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;     

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="form1" name="form1" method="POST" action="<?php echo $loginFormAction; ?>">
  <p>
    <label for="familyid">FamilyID:</label>
    <input type="text" name="familyid" id="familyid" />
  </p>
  <p>
    <label for="password">Password:</label>
    <input type="text" name="password" id="password" />
  </p>
  <p>
    <input type="submit" name="Submit" id="Submit" value="Submit" />
  </p>
</form>
</body>
</html>

 

 

CODE FOR USERSPAGE.PHP

 

<?php
if (!isset($_SESSION)) {
  session_start();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<strong>YOU MADE IT!
</strong>
<?php echo $_SESSION['MM_Username']; ?>
</body>
</html>

 

 

THANKS IN ADVANCED!!!

Hi guys i've spent 3 whole days trying to get this to work but it dosent. My issue is very similar almost the same as: http://www.phpfreaks.com/forums/index.php?topic=296100.15 but with the code i have.

Basically i have custom member pages. member1.php member2.php the design and content will be custom to each member, they also have their own login page.

Each member should be able to access their page and simply view their secure area. They should not be able to log into another users area if they dont have the username or password for it.

Now the problem is, i have this entire script setup and it works, however i fear there is something wrong with the sessions which allows other members to access other members pages with their own passwords and usernames because they share the same database. So the script executes thinking its a valid user and lets them in.

Here is my login checker once the user is validated they are sent to their own folder header("Location: ../{$loginusername}/index.php"); and are able to view the page.


Code: [Select]
<?php
require_once('../config.php');

// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db")or die("Unable to select database");

// The username and password sent from login.php
$loginusername=$_POST['username'];
$loginpassword=$_POST['password'];

//The following bit of coding protects from MySQL injection attacks
$loginusername = stripslashes($loginusername);
$loginpassword = stripslashes($loginpassword);
$loginusername = mysql_real_escape_string($loginusername);
$loginpassword = mysql_real_escape_string($loginpassword);

$sql="SELECT * FROM $tbl WHERE username='$loginusername' and password='$loginpassword'";
$result=mysql_query($sql);

// Count how many results were pulled from the table
$count=mysql_num_rows($result);

// If the result equals 1, continue
if($count==1){

session_start();
$_SESSION["loginusername"] = $loginusername;
$_SESSION['user1'] = $username; // store session data
//echo "User: = ". $_SESSION['loginusername']; //retrieve data
header("Location: ../{$loginusername}/index.php");

}
// If not successful, inform the user of error
else {
echo "Wrong Username or Password";
}
?>


Now here is the secure page sample:

Code: [Select]
<?php
session_start(); 
if (!$_SESSION['user1']){ 
header("Location: login.php"); 
}else{
print "its working!";
}

?>

<html>
<body>
Login Successful for

</body>
</html>

For each login page i have given each user it's own session.. this works, however if user1 logs in and simply changes the url to user2 and enters his user2 password he is granted access giving him new sessions which means he has access to everything.

Im pretty sure im missing something really small any help would be appreciated.

I'm having an issue with sessions and session_set_save_handler.
Note: new at OO PHP

I'm using an MVC written mostly from a tutorial and it all seems to be working, except for sessions.
I've got session_set_save_handler as a class SessionHandler. If I include it into the main index page and create an instance, I get an error 'Undefined variable: _SESSION' for my index view file.
If I instead include a global.php file into the main index page and include the session class into the global.php page, and create an instance, the error goes away and session_set_save_handler saves the session variables into my database.

(1)On my index page for debugging I've got a var_dump of $_SESSION to see which session variables are set.

On my login page I've got a form token that is saved to a session variable. When I go to the login page that session token variable is set and doing a var_dump on the page shows it is indeed being set, however, when I click back to the main index page, the index var_dump(1) shows the session variable is no longer set.
But then if I login it correctly redirects me to a user logged in page and echos the username of the user logged in correctly, but still does not show the form token session variable in the var_dump for index(1). But then if I navigate to the login form page where the form token should be initially set, it now sets it correctly and going to the index page indeed shows the token set.

form token being set on login view page:

Code: [Select]
$login_token = $_SESSION['login_token'] = md5(uniqid(mt_rand(),true));
var_dump on index page before login (even if I navigate to login page then back to index it remains blank when it should instead show the form token session variable)
Code: [Select]
array
  empty
var_dump on index page after login.
Code: [Select]
array
  'lu_user' => string 'admin' (length=5)
  'lu_user_id' => string '6' (length=1)
  'user_sess_time' => int 1326544148

var_dump on index page after login, navigating to login form page (where login_token is set), then navigating back to index:

Code: [Select]
array
  'lu_user' => string 'admin' (length=5)
  'lu_user_id' => string '6' (length=1)
  'user_sess_time' => int 1326544148
  'login_token' => string 'c260e76dd65f0d9b6e881cfc9a4b33e1' (length=32)
Magically the login_token now shows, but only after logging in and setting the other variables. It seems it's not saving the login_token when it's initially set, but only after logging in which it shouldn't be doing.

The same issue arises with any other session variables that I set elsewhere (only displayed after user login).

If I remove session_set_handler the sessions set correctly but naturally the data is no longer added to the database.

If I do var_dump(get_included_files()); it shows the session class is correctly being included.
I was thinking it's an issue with session_start() but if I add that in or try to create another instance of the session class on the other pages, I get an error stating they've already been called and cannot be called again. So then they must be getting called, right?

So now I'm thoroughly confused. More code below, sorry for the long post. Hopefully I've provided all necessary information.

Index includes global.php, which contains:

Code: [Select]
require 'framework/SessionHandler.php';

$sess = new SessionHandler();

And the session handler class is (Database class is included into index which is why you cannot see it instantiated here):

Code: [Select]
<?php

class SessionHandler
{
function __construct()
{
session_set_save_handler
(
array(&$this, 'open'),
array(&$this, 'close'),
array(&$this, 'read'),
array(&$this, 'write'),
array(&$this, 'destroy'),
array(&$this, 'gc')
);

session_start();

ini_set('session.gc-maxlifetime', 1800);

if (isset($_SESSION['lu_user']))
{
if (!isset($_SESSION['user_sess_time']))
{
$_SESSION['user_sess_time'] = time();
}
elseif (time() - $_SESSION['user_sess_time'] > 1800) // 30 mins
{
    session_regenerate_id(TRUE);
    $_SESSION['user_sess_time'] = time();
}
}
}

function open()
{
$this->db = new Database();
}

function close()
{
return $this->db = null;
}

function read($id)
{
$stmt = $this->db->prepare('SELECT * FROM sessions WHERE id = :id');
$stmt->execute(array(':id' => $id));

if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
return $data = $row['data'];
}
else
{
return '';
}
}

function write($id, $data)
{
$access = time();

if (isset($_SESSION['lu_user']))
{
$session_id = session_id();
$username = $_SESSION['lu_user'];

$stmt = $this->db->prepare('REPLACE INTO sessions (id, access, data) VALUES (:id, :access, :data)');
$stmt->execute(array(':id' => $id, ':access' => $access, ':data' => $data));
}
}

function destroy($id)
{
if (ini_get("session.use_cookies"))
{
     $params = session_get_cookie_params();
     setcookie(session_name(), '', time() - 42000,
         $params["path"], $params["domain"],
         $params["secure"], $params["httponly"]);
}

$stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
$stmt->execute(array(':id' => $id));
}

function gc($max)
{
$old = time() - $max;

$stmt = $this->db->prepare('DELETE FROM sessions WHERE access < :old');
$stmt->execute(array(':old' => $old));
}

function __destruct()
{
session_write_close();
}
}

I have 500 users using software I have developed, and 495 do not have a timeout problem.  Our default is to timeout after 60 minutes, but one particular office times out randomly and without warning.  The normal procedure is, like online banking, a pop up comes up to let them know they will be logged out in 60 seconds, or they can click continue to stay logged in.   The timer is based on JS, but on each page load a PHP function checks to see if they are timed out, and if they are, redirect them to the login page.  The JS pop up never occurs, so obviously the countdown hasn't happened, but when they click on a link, they are redirected to the login page.   Since the issue only occurs in one office, it leads me to believe it is a firewall or anti-virus issue, but I'm not sure...   Anyone have any thoughts on this?