
Topic awaiting preservation: User Authentication Problems

 
Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 06-19-2003 09:19

OK...I've got a user authentication script written, and it mostly works...it authenticates if the user account exists and allows you to continue or doesn't in the correct manner...only problem being the actual login menu itself is supposed to display one of three things, depending on your login status. If you are logged in as a standard user it displays the standard menu. If you are logged in as an administrator user it displays the standard menu plus the admin extras, other than that, it displays the login fields. The problem I have with it is that all it will ever display is the login fields...even when you are logged in. It is supposed to pull your group_id out of the $_SESSION variables that I define...and I do define them...but they don't seem to get written to the cookie like they're supposed to and passed onto the next page. Is there something special you have to do when you define $_SESSION variables in order to get them to write into the cookie to be accessed by other pages?

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-19-2003 13:51

well, assuming you've started your session with session_start(), no there's nothing special you need to do with them.

Another problem I could imagine is something like this:

code:
// the menu is chosen here ...
if ($_SESSION['isloggedin'])
    printMenu();
else
    printLoginForm();

// ... but the flag is only set afterwards
if (tryToLoginUser($_POST['name'], $_POST['password']))
    $_SESSION['isloggedin'] = true;



I.e., accessing the variable before setting it.

so long,


Tyberius Prime

trib
Paranoid (IV) Inmate

From: Den Haag, Netherlands
Insane since: Sep 2002

posted 06-19-2003 21:02

In fact, AFAIK, the session variables aren't written into a cookie. They are written to a local file, and maintained as long as the session is alive. The Session ID is the only thing written into the cookie. You can also get around the problem of ppl setting their browsers to refuse cookies by sending the sessionID as part of the url.

PHP even gives you a handy little constant (SID) for doing it quickly, but it can be problematic. (see http://nl.php.net/session_id). I use the long-winded way ... i.e. things like

code:
<FORM ACTION="this.php?<?=session_name()."=".session_id()?>">


On the trail of your problem though ... take a look at where your session_destroy() is placed in the code. It's possible that you inadvertently execute it before the script exits, in which case the session is terminated before you can use the variables. Try echoing them to the page as a debug line ... see what you get on the second invocation ...


Bug-free software only exists in two places
A programmer's mind and a salesman's lips

[This message has been edited by trib (edited 06-19-2003).]

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-19-2003 21:50

hm. I never ever had to use session_destroy()... I just unset() whatever user variables I have in $_SESSION.

Trigger
Paranoid (IV) Inmate

From:
Insane since: Jun 2002

posted 06-22-2003 08:26

I only destroy on my logout page, and don't unset session vars ever, is this a bad thing?

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 06-22-2003 10:44

My problem is really...yes I called session_start() as the very first thing on my page...but any variables I set with $_SESSION["myvariable"] = doesn't remain set when I go back to my main page...and it's strange...because when I tell it to echo out the whole $_SESSION array everything's there...but it isn't on the main page.

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-22-2003 12:06

in this case, your browser probably's not reloading the main page, but pulling it from your cache.
There are several 'tricks' to get a browser not to cache your page... but you'd best look them up on php.net yourself... something about pragma-cache in the headers...

Trigger
Paranoid (IV) Inmate

From:
Insane since: Jun 2002

posted 06-22-2003 14:31

I stick this in the top of my header.php
session_start();
header("Cache-control: private");

and it does the trick, this also fixes the bug with IE when your user fills in a form and makes an error and they hit back all the data they filled in disappears for some reason, but if you put that in it magically fixes that

Thanks
Trigger

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-22-2003 20:42

actually, if you call that before the includes where your classes are defined, you'll be having problems, trigger ;-).

(Classes have to be defined before their objects are being fetched back out of the session with session_start())

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 06-22-2003 21:56

I learned about this from Emps doing some coding for the GN and it's worked nicely for me a few times since.

If you put this:

session_cache_limiter ('private, must-revalidate');

in your code before session_start() it will keep your forms filled in if the user hits the back button, but doesn't cache the page itself.

Of course that leaves you with the problem of keeping people from hitting the back button after a database insert, and then hitting the submit button again thinking they've altered what's already been submitted instead of what they are actually doing which is resubmitting the same or slightly different info.

-Butcher-
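
One way to handle the resubmission problem butcher describes, as an added example that is not part of the original thread: a single-use form token kept in the session, combined with a redirect after the POST. It assumes PHP 7 or later; `save_record()`, `form.php` and `done.php` are hypothetical names.

```php
<?php
// Added example, not from the thread. save_record() stands in for the real
// database insert; form.php and done.php are assumed page names.
session_cache_limiter('private, must-revalidate'); // as in the post: before session_start()
session_start();

function issue_form_token(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_tokens'][$token] = time();   // remember every token handed out
    return $token;
}

function consume_form_token(string $token): bool
{
    if (!isset($_SESSION['form_tokens'][$token])) {
        return false;                            // unknown, or already used once
    }
    unset($_SESSION['form_tokens'][$token]);     // single use: a replayed POST fails
    return true;
}

function save_record(string $comment): void
{
    // Hypothetical: the real INSERT would go here.
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token   = is_string($_POST['token'] ?? null) ? $_POST['token'] : '';
    $comment = is_string($_POST['comment'] ?? null) ? $_POST['comment'] : '';
    if (!consume_form_token($token)) {
        http_response_code(409);
        exit('This form was already submitted.');
    }
    save_record($comment);
    header('Location: done.php', true, 303);     // back/reload now repeats a GET, not the POST
    exit;
}
?>
<form action="form.php" method="post">
  <input type="hidden" name="token" value="<?= htmlspecialchars(issue_form_token()) ?>">
  <textarea name="comment"></textarea>
  <input type="submit" value="Submit">
</form>
```

A form restored from the browser cache carries the token that was already consumed, so submitting it a second time is rejected instead of inserting again. Because the token is unpredictable and bound to the session, the same check also rejects POSTs forged from another site.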

trib
Paranoid (IV) Inmate

From: Den Haag, Netherlands
Insane since: Sep 2002

posted 06-23-2003 16:54
quote:
any variables I set with $_SESSION["myvariable"] = doesn't remain set when I go back to my main page...



The way to set a session variable is not to assign it to $_SESSION[] .. I don't think that works at all (but I may be wrong). The proper way is to specifically register your variables using the function session_register() to make them part of the session data, and then assigning values to the registered variables will automatically save the values as $_SESSION['variable_name']

......... erm ........ I think .....




Bug-free software only exists in two places
A programmer's mind and a salesman's lips

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-23-2003 17:10

em, and I think you're 100% wrong, trib!

quoting http://www.php.net/manual/en/function.session-register.php
"You can also create a session variable by simply setting the appropriate member of the $_SESSION or $HTTP_SESSION_VARS (PHP < 4.1.0) array. "

And I'd also declare it (arguably) the preferred way, since it would be a lot easier to later change to some other method of data storage and transmission (as it's just uniform array syntax, instead of special 'session syntax' and regular global variables (yuck)).

so long,

Tyberius Prime

trib
Paranoid (IV) Inmate

From: Den Haag, Netherlands
Insane since: Sep 2002

posted 06-23-2003 20:11

Thanks T-P ... I'm always up for a new view on an old trick ... I've got to do some session-based work again soon so I think I might try it your/their/the other way just for the helluvit ...

I LOVE this place


Bug-free software only exists in two places
A programmer's mind and a salesman's lips

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 06-29-2003 11:30

uuurrgghh....this script is really annoying me.

By now you know how a basic user auth script works...find the user account by username and password (limit it to 1 result) if they match, then the account exists, if they don't, it doesn't. Then name the session, start it, and define all the stuff associated with that account as $_SESSION variables.

Go back to the main page and start the session first thing (tell me...does it matter that it's within its own PHP tags? ie: It's just <?PHP session_start(); ?> then there's a bunch of HTML code and the other parts of the page are included in other parts of the page). Then, as a test, tell it to echo out all the $_SESSION variables...but to no avail...they're no longer there.

aaaarrgghhh...what am I doing wrong? (I'd post up my entire code...but it and me are far from each other right now...I'm not anywhere near my development PC)

trib
Paranoid (IV) Inmate

From: Den Haag, Netherlands
Insane since: Sep 2002

posted 06-29-2003 12:48

Are you issuing any header information before you do the session_start()? I believe there's an issue with cookie-generating commands that requires you to create the cookie before anything else is visible at the browser end. If you don't, the whole thing might well fail to initialize, but might not give you an error message because the syntax and operation of the code is still acceptable at the server-side.

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 06-29-2003 13:27

hm, I don't think sending other headers might be the problem.
And putting session_start into its own php tags isn't either.

Step 1:
Put an error_reporting(E_ALL) before the session_start(). This should tell you about any deviation from the way anything should behave in this script

Step 2: if step one didn't tell you anything, you'll need a browser that tells you what cookies are being set, and what contents they contain.
Opera has an option to treat cookies that way. Now you can see if you get a cookie that contains something like PHPSESSID=[gibberish looking characters],
when you call session_start() the first time. If that doesn't happen, we're having a different problem.

so long,
TP

PS: you're not doing something stupid like setting $_SESSION = array() or so, right?

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 06-29-2003 22:36

just a note.

Anytime you are doing PHP development always turn error reporting to E_ALL it will show you many ways to clean up your code



.:[ Never resist a perfect moment ]:.

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 07-07-2003 11:40

Well...I finally managed to bring my internet connection (well, not mine, someone else's...) and my PHP code close enough together to put my code online to see if you can find something wrong with it.

menu.php (please note...this is included in my main index.php file, so the session_start() isn't in this file, it's right at the start of index.php). Oh, and ERROR_REPORTING(E_ALL) just tells me the $_

code:
<?PHP
ERROR_REPORTING(E_ALL);
//Login/Menu Script
//If a user is logged in and registered as a standard user, display the following menu
if ($_SESSION["group_id"] == "1")
{
echo '
<TABLE width="105" align="center" valign="top" border="0" cellspacing="0" cellpadding="0" bgcolor="#595959">
<TR height="200">
<TD width="105"><P class="noindent"><B>'.$_SESSION["ufullname"].'</B><BR><BR>
<A href="usercp.php?uid='.$_SESSION["uid"].'">Your Control Panel</A><BR>
<A href="fav.php?uid='.$_SESSION["uid"].'">Your Favourites</A><BR><BR>
<A href="logout.php">Logout</A></P></TD>
</TR>
</TABLE>';
}
//Or if they're logged in and registered as an admin user, show this menu instead
elseif ($_SESSION["group_id"] == "2")
{
echo '
<TABLE width="105" align="center" valign="top" border="0" cellspacing="0" cellpadding="0" bgcolor="#595959">
<TR height="200">
<TD width="105"><P class="noindent"><B>'.$_SESSION["ufullname"].'</B><BR><BR>
<A href="usercp.php?uid='.$_SESSION["uid"].'">Your Control Panel</A><BR>
<A href="admin/admincp.php">Administrator\'s Control Panel</A><BR>
<A href="fav.php?uid='.$_SESSION["uid"].'">Your Favourites</A><BR><BR>
<A href="logout.php">Logout</A></P></TD>
</TR>
</TABLE>';
}
//Otherwise display the login screen
else
{
echo '
<TABLE width="105" align="center" valign="top" border="0" cellspacing="0" cellpadding="0" bgcolor="#595959">
<TR height="200"><TD width="105"><P class="noindent">
<FORM action="login.php" method=POST>
Username:<BR><INPUT type=text name="uname" size=10><BR>
Password:<BR><INPUT type=password name="pword" size=10><BR>
<INPUT type=submit name="submit" value="Submit">
</FORM>
<A href="register.php">Register</A></P></TD></TR>
</TABLE>';
}
?>



login.php, the actual authentication page.

code:
<?PHP
require("/config/_db_config.php");
$connection = @mysql_connect($db_host, $db_user, $db_password) or die("Error connecting to database. Please email the Webmaster and include the following message: ".mysql_error());
mysql_select_db($dbname, $connection);

function UserandPasswordMatch($uname, $pword)
{
$user_query = "SELECT * FROM users WHERE username = '$uname' AND password = PASSWORD('$pword')";
$result = mysql_query($user_query) or die("Error in Query $user_query: ".mysql_error());
$usr_obj = mysql_fetch_object($result);

if (!empty($usr_obj->username) AND !empty($usr_obj->password))
{
return TRUE;
}else{
return FALSE;
}
}

$uname = $_POST["uname"];
$pword = $_POST["pword"];

if (UserandPasswordMatch($uname, $pword))
{
$user_query = "SELECT * FROM users WHERE username = '$uname' AND password = PASSWORD('$pword')";
$result = mysql_query($user_query) or die("Error in Query $user_query: ".mysql_error());
$usr_obj = mysql_fetch_object($result);

session_start();

SESSION_REGISTER("ufullname");
SESSION_REGISTER("uid");
SESSION_REGISTER("group_id");
SESSION_REGISTER("uname");
SESSION_REGISTER("uemail");

$_SESSION["ufullname"] = $usr_obj->full_name;
$_SESSION["uid"] = $usr_obj->id;
$_SESSION["group_id"] = $usr_obj->group_id;
$_SESSION["uname"] = $usr_obj->username;
$_SESSION["uemail"] = $usr_obj->email;


echo 'User '.$_SESSION["uname"].' successfully logged in. Click <A href="http://localhost/index.php">Here</A> to return to the home page and continue your browsing.';
exit();
}else{
die('<P>Your Username and Password do not match our user records. Please return to the <A href="index.php">Home Page</A> and try logging in again, or <A href="register.php">Register</A> a new user account and try again.</P>');
}

?>



well, there you go. Please...feel free to pick the shit out of my 'written at 5 A.M' code.

And while you're at it, if you could tell me what's going wrong with it, I'd be really happy.
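
A hardened counterpart to the login.php posted above, as an added example that is not part of the original thread: the posted script puts the raw `$_POST` values into its SQL text, relies on MySQL's `PASSWORD()` and keeps the same session ID across login, and a session ID carried in the URL (as discussed earlier in the thread) ends up in links, logs and Referer headers. It assumes PHP 7.3 or later, a PDO connection with placeholder credentials, and a hypothetical `password_hash` column filled by `password_hash()`.

```php
<?php
// Added example, not the poster's code. The DSN, credentials and the
// password_hash column are assumptions made for illustration.
ini_set('session.use_only_cookies', '1');   // never accept a session ID from the URL
ini_set('session.use_trans_sid', '0');      // never append the ID to links
ini_set('session.use_strict_mode', '1');    // reject IDs the server did not issue
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();                            // before any output is sent

function findUser(PDO $db, string $uname, string $pword): ?array
{
    // The placeholder keeps the submitted username out of the SQL text.
    $stmt = $db->prepare(
        'SELECT id, username, full_name, email, group_id, password_hash
           FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a salted hash in PHP instead of MySQL's PASSWORD().
    if ($row === false || !password_verify($pword, $row['password_hash'])) {
        return null;
    }
    return $row;
}

$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4',
    'app_user', 'app_password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$uname = is_string($_POST['uname'] ?? null) ? $_POST['uname'] : '';
$pword = is_string($_POST['pword'] ?? null) ? $_POST['pword'] : '';
$user  = findUser($db, $uname, $pword);

if ($user === null) {
    http_response_code(401);
    exit('Your username and password do not match our user records.');
}

session_regenerate_id(true);                // new ID at the privilege change
$_SESSION['uid']       = (int) $user['id'];
$_SESSION['group_id']  = (int) $user['group_id'];
$_SESSION['uname']     = $user['username'];
$_SESSION['ufullname'] = $user['full_name'];
$_SESSION['uemail']    = $user['email'];

header('Location: index.php', true, 303);   // redirect instead of printing a link
exit;
```

When menu.php echoes these values, pass them through `htmlspecialchars()` first, since a name read from the database is not guaranteed to be free of markup.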

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 07-07-2003 17:33

Most likely is that you're calling session_register(), but then setting the variables via $_SESSION.

You either
a) Call session_register($myVar) and then $myVar = "shu";
or
b) use $_SESSION['myVar'] = "shu";

that should fix it.
if it doesn't, holler, and I'll spend some more time on it.

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 07-09-2003 11:33

Eh...unfortunately TP that was not the problem. Wish it was. I can't really move onto the other scripts linked to this one until I get it working because I need the output from this one to test out the other scripts.

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 07-09-2003 13:49

hm... a stripped down version (without the db stuff) works fine for me...

You sure the cookie's getting set when you access localhost?

Try to put a ini_set('session.use_trans_sid',1)
into the login file, before the session_start... that should append something like PHPSESSID=09a78oeu098 onto every link, and fix the problem if it's the cookies.

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 07-13-2003 12:05

I'm ready to be very annoyed with this. Adding the ini_set parameters didn't append the session ID to the URL...I had to add it myself, and that still didn't work. This damn thing is not carrying over the session variables. As far as I can tell the cookies are not being created at all. I look in my Temporary Internet Files, and I can't see a cookie from my pages.

AAAARRRGGGHHHH!!!

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 07-13-2003 14:03

ok ok... we need to do this step by step.

create file 'a.php'
content:

code:
<?php
session_start();
$_SESSION['shu'] = 'Hello Skaarjj';
print '<a href="b.php">continue</a>';
?>



file b.php

code:
<?php
session_start();
print 'The message is: '. $_SESSION['shu'];
?>




if that works, replace the whole thing with a post.
if it doesn't, your php server is broken.
Did you set this thing up yourself?
There's a directive in php.ini where the path to wherever php stores the sessions is set.
Is that valid?
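
The checks suggested in this thread (error reporting, output before session_start(), the session cookie, the save path) gathered into one page, as an added diagnostic that is not part of the original posts. It assumes PHP 7 or later; load it twice in the same browser and compare the two reports.

```php
<?php
// Added diagnostic, not from the thread; remove it once the problem is found.
error_reporting(E_ALL);
ini_set('display_errors', '1');

function session_diagnostics(): array
{
    $report = [];
    // session_start() can only send its cookie if no output went out first.
    $report['headers_already_sent'] = headers_sent($file, $line)
        ? "yes, output started at $file:$line" : 'no';

    // The php.ini directive that says where session files are stored.
    // It may be written as "N;/path" or "N;MODE;/path": keep the last part.
    $dir = (string) session_save_path();
    $parts = explode(';', $dir);
    $dir = end($parts);
    if ($dir === '') {
        $dir = sys_get_temp_dir();          // PHP falls back to the system temp dir
    }
    $report['save_path'] = $dir;
    $report['save_path_writable'] = (is_dir($dir) && is_writable($dir)) ? 'yes' : 'NO';

    session_start();
    // Did the browser send the session cookie back on this request?
    // The ID value itself is deliberately not printed.
    $report['cookie_name'] = session_name();
    $report['cookie_received'] = isset($_COOKIE[session_name()])
        ? 'yes' : 'no (first visit, or the cookie was not stored)';
    $report['use_cookies'] = (string) ini_get('session.use_cookies');
    $report['cookie_domain'] = ini_get('session.cookie_domain') ?: '(host of the request)';
    $report['cookie_path'] = (string) ini_get('session.cookie_path');

    // Counts up on every reload only if the session data really persists.
    $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
    $report['visits_in_this_session'] = (string) $_SESSION['visits'];
    return $report;
}

$report = session_diagnostics();
if (!headers_sent()) {
    header('Content-Type: text/plain');
}
foreach ($report as $key => $value) {
    echo $key, ': ', $value, "\n";
}
```

If `visits_in_this_session` stays at 1 while `cookie_received` says no, the cookie is not reaching the browser or not coming back; if the cookie is received but the count still resets, look at the save path.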

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 07-14-2003 09:27

Well TP...did what you told me to, and it does appear to be a problem with the way I've set up PHP.

Yes, I set up the server myself...it's just a local development copy of PHPDev4, and the path to store the session data is correct, as is the URL that the cookies are valid for, as is every other bloody setting I can find and validate. in my php.ini the use_trans_sid is active, but no matter what, even if I add it as an ini_set in my php script, it doesn't append the session ID to the URL...I have to do it manually. So I'm going to copy out my entire work directory, wipe phpdev and reinstall it from scratch. I'm probably going to wait until after I get my internet connection back at my home before I do that though so I can ask you stuff on the Q while I'm doing it.

Thanks for all your help TP.

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 07-14-2003 09:40

ok... I have one last idea, but you need to toy with it a bit.

that php path setting I mentioned earlier...
try it with and without a \ at the end.
try to replace all \ with /.
or all but the first \ (after with /

if that doesn't help, reinstall.

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 07-16-2003 14:38

I think it's time for the reinstall...but, as I said, that's going to have to wait until I get back online so I can check with you to see if I'm doing everything right.
