PHP - Md5 And Session Defining Problem

This is my first post here. G'day everyone. I'm having trouble with getting a session recognized from one page to another. I did a search and used the advice but I'm still having trouble.

I have a page called checklogin.php that processes the information submitted for a member to login, and redirect it to login_success.php if the login was successful.
The problem I have is when I test the session in the second page it tells me there is no session. Here's my code (I omitted the db connection code):

Code: [Select]
<?php
// username and password sent from form 
$myusername=$_POST['user']; 
$mypassword=$_POST['pass'];
?>

<?
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"

$_SESSION['myusername']=$myusername;
$_SESSION['mypassword']=$mypassword;
header("location:login_success.php");

}
else {
echo "Wrong Username or Password";
}
?>


after I am redirected to login_success.php:

Code: [Select]

<?php
session_start();
$_SESSION['myusername'];

if (isset($_SESSION['myusername']))
{
$loggedin = TRUE;
return $loggedin;
echo "logged in.";

}
else
echo "not logged in";
?>

It echoes "not logged in". I've struggled with this for days and I don't know what's wrong. Thanks in advance.

I'm using xampp and am trying to create a login session...these are the my php files
login.php
Code: [Select]
<form action='login1.php' method='post'>
Email: <input type='text' name='id'></br>
Pass : <input type='password' name='pass'></br>
<input type='submit' name='login' value='login'>
login1.php
Code: [Select]
<?php
$id=$_POST['id'];
$pass=$_POST['pass'];

$conn=mysql_connect("localhost","root","");
if (!$conn)
{
die('Could not connect: ' . mysql_error());
}


$e=mysql_select_db('test', $conn);
if(!$e)
{
die(''.mysql_error());
}
else
{
echo 'database selected successfully';
}

$sql=mysql_query("Select email,password from login where email='$id' AND password='$pass'");
$count=mysql_num_rows($sql);
if($count==1) 
{ 
    session_start();
    
    echo "</br>Login Successful</br>";
echo "Please wait 5 seconds ";
/* redirct to the specified page */
header("refresh:5;url=empty.php");
}
else
{

echo "please try to login again</br>";
echo "you will be redirected to the login page in 5 seconds";
     /* redirct to the specified page */
header("refresh:5;url=login.php");
}
mysql_close();
?>
empty.php
Code: [Select]
<?php
session_start();

$logi=$_SESSION['id'];
echo 'welcome '.$logi;



?>

empty.php is supposed to display the email id from login.php
I checked it about an hour ago and it was working fine but now it gives me an error
Undefined index: id in C:\xampp\htdocs\littleprogress\empty.php on line 4
I didn't change anything after checking it. only cleared the history and cookies of my firefox browser
what could be the problem

Hi guys.

Im making a script that stores different contents in sessions. And everything seems to be working fine. I previously had some problems with it, but managed to fix them. Now somehow a new problem have accrued for me. I did not do anything to it since it last worked. So i am a little confused. It keeps telling me that the session does not have any content.

I think that the problem is within these two files he

http://pastebin.com/T6sfzjWn

and

http://pastebin.com/BUAuFp6t

It keeps giving me the error on line 24 from the second file.

Can someone please help me and say what i am doing wrong?

I have this error, and I cann't find soluiton:
Code: [Select]
Notice: Undefined index: ime in C:\wamp\www\web\login_public.php on line 26

Notice: Undefined index: ime in C:\wamp\www\web\login_public.php on line 27
This is the code:
Code: [Select]
<?php require_once("public/includes/session.php"); ?>
<?php require_once("public/includes/connection.php"); ?>

<?php  

if(!$_POST['submit']){
header('refresh:0; url=index.php');}
else {
$korisnik = $_POST['korisnicko_ime']; 
$lozinka = $_POST['lozinka'];
$lozinka_db = sha1($lozinka);

if ($korisnik && $lozinka){
$query = mysql_query("SELECT * FROM korisnik WHERE korisnicko_ime = '$korisnik' ");
$numrow = mysql_num_rows($query);

if($numrow != 0){

while ($row = mysql_fetch_assoc($query)){
$korisnik_db = $row['korisnicko_ime'];
$db_lozinka = $row['lozinka'];
$ime = $row['ime'];
}
if ($korisnik == $korisnik_db && $lozinka_db == $db_lozinka){
echo "Uspesno ste ulogovani";
$_SESSION['ime'] == $ime;
echo $_SESSION['ime'];
}
else { echo "Lozinka je netacna"; }
} else {die("Korisnik ne postoji");}
}
}

?>
What seems to be the problem 

I'm writing a shopping cart type of application for booking something. The cart will holds items as arrays in the session. The problem i'm i'm having is i can store 5 items in my cart and then once i try to store any more, it just won't. I'm not getting any php errors. I'm using the codeigniter framework, so it may be a codeigniter session storage problem. Hopefully you guys can look at it and can see if you spot any bad logic that i'm overlooking.

Code: [Select]
<?php
                 //generates random unique 32 character string
$booking_hash = random_string('unique');

//set items foreach night
foreach($room['date_rate'] as $date => $rate)
{
                        //produces random sha1 16 char length string
$sha1 = random_string('sha1', 16);

$session['items'][$sha1] = array(
'code'       => $room['code'],
'id'         => $room_id,
'title'      => $room['title'],
'date'       => date("n/j/Y",strtotime($date)),
'price'      => $rate,
'tax_one'    => money_format('%i',$room['tax_one'] * $rate),
'tax_two'    => money_format('%i',$room['tax_two'] * $rate),
'sales_tax'  => 0,
'guests'     => $num_guests,
'booking'    => $booking_hash,
'deposit'    => $deposit,
);
}


$existing_items = $this->session->userdata('items');

   if(!empty($existing_items))
  {
$session['items'] = $existing_items + $session['items'];
    }
 
$this->session->set_userdata($session);


?>
I just read some codeigniter session documentation. It says the cookie it's using can hold 4KB of data. I have no idea how much text 4KB can hold...

I thought I had somewhat of a mastery of sessions, until I encountered this problem.  Basically, I'm trying to built a session expired code which is a little bit deviated from your everyday session expired codes.  I want the user of a website to be logged out automatically after the session expires, and redirected to the login page.  But I also need that, if any other user tried to access that same website without having previously been logged on, he should be redirected not to the login page but the signup page.  So basically, the same page (index.php) should redirect the user to login.php if he was logged in and his session expired after 1 minute, or signup.php if he wasn't logged in and tried to access home.php.

So what I tried to do to accomplish this was

- Declare two session variables $_SESSION['id'] = "some value from database" and  $_SESSION['logged_in'] = TRUE everytime the user succesfully logs in.

-At the top of index.php, right after session_start(), check to see if 1 minute has elapsed since last activity and if so, unset $_SESSION['logged_in'] without destroying the session.  So presumably, all other session variables including $_SESSION['id'] and the session itself remain intact.

-Right below that, check if $_SESSION['id'] is set.  If not(meaning the session is not active and hence no user was logged in), redirect to signup.php.   If it is set, then check if $_SESSION['logged_in'] is set and if not, redirect to login.php

Now to the code itself


Code: [Select]

<?php


//address error handling

ini_set ('display_errors', 1);
error_reporting (E_ALL & ~E_NOTICE);



//Check if max allowable time has elapsed

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 60)) {

    // last request was more than 1 minute ago
 
    unset($_SESSION['logged_in']);     // unset logged_in session variable for the runtime


}

$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp



        //Get the current page url to pass on to the session expired page.
$url=urlencode("http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);


//Check whether the session variable id is present or not

if(!isset($_SESSION['id']) || (trim($_SESSION['id']) == '')) {

 session_destroy();

 header("location: signup.php");

exit();

}else{//If session id is set meaning the session is alive and hasn't been destroyed


if(!isset($_SESSION['logged_in'])){//If this variable is not set, then session must have expired because this is the variable we unset upon sesssion expire. The session is still alive though and we must destroy it

//Redirect to login.php and pass on the page url

$msg = "Your Session Expired Due to Inactivity. Login Below";

session_destroy();


header("location: login.php?url=$url&msg=$msg");


}//End of if logged in is not set


}//End of if session id is set




?>



Well the code works just as i want it to, except for this scenario.  If I login with some user's credentials, and open a new page, by typing in url.com in a new window, this new page doesn't redirect to url.com/signup.php but stays on url.com/index.php and all the session variables are available on this new page just like on the old page that was accessed by actually loging in.  Well that's expected.  The problem is, when the session expires on this page, it gets redirected to url.com/signup.php and not url.com/login.php as expected(note that with the old page that was accessed by actually login in, we do get redirected to url.com/login.php)  Now this bothers me because the website is supposed to be redirected to signup.php only if the user started a fresh session without having been logged in as the logic from the code above shows.  So, the $_SESSION['id'] variable actually exists(and I actually tested it by echoing it)but yet, the code behaves as if it doesn't with every new page.  What could possibly be going on here? I have tried using session_regenerate_id(), but that just keeps the session going without ever expiring.  I tried to use the actual session_id()itself in the place of $_SESSION['id'] but in that scenario, the page always gets redirected to url.com/login.php regardless of whether a user was previously logged in or not.


PS:  I dont think this has anything to do with the problem but worth noting that the url of a page opened after a user logs in is url.com/index.php but that of a page opened after a user is already logged in is simply url.com

hello all,

I have a client that wants to protect their web page with a password protected landing page. Once the password is entered the user is directed to a "disclaimer" page that they have to agree to first before going into the site. I have put both the landing page and the disclaimer page in my root directory and then the site I put in a sub directory /cms/

in the main site index.php I check for the post password and then set a $_COOKIE for the user that will expire in 1 month
<?php 
// this goes on the very top of the index.php file in the template you are using
//check if user has entered password and needs cookie set
if(isset($_POST['fpass']) && !isset($_COOKIE['fpass'])) setcookielive('fpass', $_POST['fpass'], strtotime( '+1 month' ));


function setcookielive($name, $value='', $expire=0, $path='', $domain='', $secure=false, $httponly=false) {
    //set a cookie as usual, but ALSO add it to $_COOKIE so the current page load has access
    $_COOKIE[$name] = $value;
    return setcookie($name,$value,$expire,$path,$domain,$secure,$httponly);
}

The next thing I do is check if a user is trying to access the main site with having the COOKIE - if so I redirect the user to the landing page
//check if user has not entered password
if (!isset($_COOKIE['fpass']) || $_COOKIE['fpass'] == "") header('location: http://www.mypage.com');

This works fine up to this point.
Now my problem is that I also need to check if a user has the month long cookie set but is trying to access the main page without viewing the disclaimer page first.
I thought this would work:
//check if the user has a cookie set but is on a new session
if (isset($_COOKIE['fpass']) && !isset($_SESSION['fpass'])) header('location: http://www.mypage.com/disclaimer.php');
But this only throws the user into a loop of "disclaimer" -> "landing page" -> "disclaimer" etc. They can never get into the main site.

How do I check for the cookie and whether the user has visited the disclaimer page - but then allow the user to continue once they go to the disclaimer page?

NB: the $_SESSION is not set until the main site.

Hi. I have to check if a session is started or not, and then, check for the rank of the user. For that i use two functions like is_administrator,etc.

Well, but this isnt working. I cant get any clear way to know if a session have been already started or not.
Code: [Select]
function is_administrator() {
session_start();
if (isset($_SESSION['usr']) and empty($_SESSION['usr'])) {

$l = conect();
$user = $_SESSION['usr'];
$cons = "SELECT * FROM `users` WHERE usr='" . $user . '\';';
$res = mysql_query ($cons,$l);
$ob = mysql_fetch_array($res);

if ($ob['tipo'] == 'A') {
return true;
}

}
return false;
}

What i want to do is to check if a sesion exist, if not, return false. If the sesion exist, check for the user rank and return true/false.

page.php
<a href="cart.php?action=add&id=38">

cart.php

session_start();
$cart = $_SESSION['cart'];

$action = $_GET['action'];

switch ($action) {
   case 'add':
if ($cart)
   $cart =$cart. ','.$_GET['id'];
   else
      $cart = $_GET['id'];
}


$_SESSION['cart'] = $cart;
echo $cart;
output:
 Insted of one time it adds the id two times.

It prints : 38,38.
can pls suggest me what's problem in the code. Thank's in advance.

I'm trying to use a boolean 'true' or 'false' to tell the page that when false, he/she is logged out and send them to loggin page..other wise display the name which is taken from the session....i made the session stuff in a class and i have it as follows:

Code: [Select]
<?php
include("includes/functions.php");

class Session{
    
    public $logged_in = false; // the one i'm on about
    public $key;
    
    // $_session[$key] = $value
    public function set($key, $value){//setting session
$_SESSION[$key] = $value;
if(isset($_SESSION[$key])){
    $this->logged_in = true;
}
    }
    
    public function get($key){ //getting session
if(isset($_SESSION[$key])){
    return $_SESSION[$key];
}
else{
    return false;
}
    }
    
    
    public function confirm_logged_in(){ //check if logged in
        if(!$this->logged_in)
redirect_to("login.php"); // a tailored method
    }
    
    public function logout(){ 
session_start();
session_unset();
session_destroy();
$this->logged_in = false; 
    }
}
$session = new Session();
?>
unfortunately when i set the session on one page (say after login) assuming that the $logged_in variable is now turned to TRUE, but when I go to another page (e.g. Index.php)  and Get the allready set session and perform the test confirm_logged_in() it does the OPPOSITE to what I would expect as for example: redirecting me to login.php even when its "supposed to be"  $logged_in=true as set in the set function above.

any help would be appreciated...suggestions to change syntax or any as such...thanks

I am having probelm in saving Session variables ALthough I'm writing session_start();
in the header of my php script and saving the values of Session array in the next page. It does not print the values or show right results.

Code: [Select]
session_start();
require_once ("functions.php");

$token=$_GET['t'];
if(!isset($token)){
 
$name = stripslashes($_POST['username']);
$email = stripslashes($_POST['email']);

check_validate_input($name, $email);
}
if($token=='register')
{
show_registration_form();
}
  $my_model = new model();
  $arr_info = $my_model->check_members($name,$email);
 
   if (($arr_info==NULL)&&($token!='register'))
    {   
    echo '<p> Hello Guest</p><br />';
       show_mailing_form();
    }
   
  else if (($arr_info['role']=='user')||($arr_info['role'] == 'admin'))
    {
         $_SESSION['userId']=$arr_info['id'];
         $_SESSION['user_role']=$arr_info['role'];
         $_SESSION['user_name']=$arr_info['name'];
        print_r  ($_SESSION);}
here it does not print session array.

Hello,

I have the $_session code working, but after I destroy the session and I am asked to log in again, my browser doesn't ask me for my password and just logs me in.

I don't understand because I have destroyed my session and I have deleted the data in $_SESSION and I have deleted the info in the cookie so it shouldn't log me in automatically. I thought it was something in my browser, but I erased my history and I never saved any password.

Here's my code:

This is the welcome page

<?php
    require_once 'login.php';
    $connection = new mysqli($db_hostname, $db_username, $db_password, $db_database);
    
    if ($connection->connect_error) die($connection->connect_error);
    
    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
    {
        $un_temp = mysql_entities_fix_string($connection, $_SERVER['PHP_AUTH_USER']);
        $pw_temp = mysql_entities_fix_string($connection, $_SERVER['PHP_AUTH_PW']);
        
        $query = "SELECT * FROM users WHERE username='$un_temp'";
        $result = $connection->query($query);
        
        if (!$result) die($connection->error);
        elseif ($result->num_rows)
        {
            $row = $result->fetch_array(MYSQLI_NUM);
            
            $result->close();
            
            $salt1 = "qm&h*";
            $salt2 = "pg!@";
            
            $token = hash('ripemd128', "$salt1$pw_temp$salt2");
            
            if ($token == $row[3])
            {
                session_start();
                $_SESSION['username'] = $un_temp;
                $_SESSION['password'] = $pw_temp;
                $_SESSION['forename'] = $row[0];
                $_SESSION['surname'] = $row[1];
                
                echo "$row[0] $row[1] : Hi $row[0], you are now logged in as '$row[2]'";
                
                die("<p><a href=continue.php>Click here to continue</a></p>");
            }
            else die("Invalid username/password combination");
        }
        else die("Invalid username/password combination");
    }
    else
    {
        header('WWW-Authenticate: Basic realm="Restricted Section"');
        header('HTTP/1.0 401 Unauthorized');
        die("Please enter your username and password");
    }
    $connection->close();
        
    function mysql_entities_fix_string($connection, $string)
    {
        return htmlentities(mysql_fix_string($connection, $string));
    }
        
    function mysql_fix_string($connection, $string)
    {
        if (get_magic_quotes_gpc()) $string = stripslashes($string);
        return $connection->real_escape_string($string);
    }
?>

and this is the other page:

<?php
    session_start();
    
    if(isset($_SESSION['username']))
    {
        $username = $_SESSION['username'];
        $password = $_SESSION['password'];
        $forename = $_SESSION['forename'];
        $surname = $_SESSION['surname'];
        
        destroy_session_and_data();
        
        echo "Welcome back $forename. <br>
            Your full name is $forename $surname.<br>
            Your username is '$username'
            and your password is '$password'.";
    }
    
    else echo "Please <a href='authenticate2.php'>Click here</a> to log in.";
    
    function destroy_session_and_data()
    {
        $_SESSION = array();
        setcookie(session_name(), '', time() - 2592000,'/');
        session_destroy();
    }
?>

 

When I type the website in i first get prompt to enter my password, when I am authenticated the webpage says: You are now logged in click here to continue. When I do I am directed to another page which confirms that I am still logged in. Then I press refresh and the webpage asks me to "Click here to log in". I do, but it doesn't ask me for my password again. Why? My personal info should be destroyed.

Thank you for responding. It's greatly appreciated

 

 

 

which is the best place to put this code :

Code: [Select]
if(isset($_SESSION['last_ip'])===false){
$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
}
if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
session_unset();
session_destroy();
}
like this :

Code: [Select]
class session {
public $user_on=false;
public $user_id;

function __construct(){
//make sure that javascript can not access session variable
ini_set('session.cookie_httponly',true);
session_start();
//set the last ip the user has logged on with
if(isset($_SESSION['last_ip'])===false){
$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
}
if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
session_unset();
session_destroy();
}
$this->check_login();
}

private function check_login(){
if(isset($_SESSION['user_id'])){
global $user;
$this->user_id=$_SESSION['user_id'];
$this->user_on=true;
$user->find_by_id($this->user_id);
} else {
unset($this->user_id);
$this->user_on=false;
}
}
}
OR :
Code: [Select]
function __construct(){
//make sure that javascript can not access session variable
ini_set('session.cookie_httponly',true);
session_start();
$this->check_login();
}

private function check_login(){
if(isset($_SESSION['user_id'])){
global $user;
                        [b]//set the last ip the user has logged on with
if(isset($_SESSION['last_ip'])===false){
$_SESSION['last_ip']=$_SERVER['REMOTE_ADDR'];
}
if($_SESSION['last_ip']!==$_SERVER['REMOTE_ADDR']){
session_unset();
session_destroy();
}[/b]
                elseif($_SESSION['last_ip']===$_SERVER['REMOTE_ADDR']){
$this->user_id=$_SESSION['user_id'];
$this->user_on=true;
$user->find_by_id($this->user_id);
                 }
} else {
unset($this->user_id);
$this->user_on=false;
}
}
}

hi i want to include session so that attendance.php can't be acess directly..