Welcome to WebmasterWorld Guest from 100.24.209.47

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

Users complain that my sessions aren't working

They say they log in OK, but are logged out when visit another page.

     
1:07 pm on Mar 10, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


This problem has me puzzled. I am using PHP's session management to handle the log-in and authentication of the users on my site.

Every now and then, a user will contact me to say that he entered his username and password and logged in successfully, but when he then clicks on a link to go to another page it tells him he's not logged in and redirects him to the login page again. He repeats the process and the same thing happens again.

As I understand the way PHP's sessions work, it attempts to write a session cookie first. If that fails then it rewrites the URL with the session ID appended. I have tried turning off cookies in my browser and it does indeed switch to the URL-rewriting method and continues fine.

So why are my users having problems? I even set up a page I can send them to that mails me the details of their browser, OS, etc. The only common factor I can see is that they do have cookies turned off.

Has anyone else experienced such problems with their users?

1:42 pm on Mar 10, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 9, 2003
posts:180
votes: 0


It depends on whether PHP was compiled with the -enable-trans-sid option set. This option is disabled by default in PHP4, not sure about other versions.

You can ensure that the session ID is always passed, whether the user's browser will accept cookies or not by appending the session ID to the link eg

<a href="nextpage.php?<?php print SID;?>">Next Page</a>

1:53 pm on Mar 10, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


Yes, it was compiled with the --enable-trans-sid option set. And it does definitely work for me when I turn off cookies so I know the rewriting bit is working.

I take your point about forcing the SID to be appended to each link, but I only want to go down that route as a last resort (it would involve a lot of amendments, and it doesn't look as 'neat').

2:24 pm on Mar 10, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 9, 2003
posts:180
votes: 0


Are you using relative URLs? Non relative URLs are assumed to point to external sites and the session ID is not appended.
3:12 pm on Mar 10, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


Hadn't thought of that.

All my links are prefixed with "/" (root) as they are in an include file which is included from various subfolders (so "../" wouldn't work).

Example: href="/somepage.php"

Is that still classes as relative? I guess it is. I certainly don't have links beginning http://

And besides, the point I keep coming back to is that it works fine for me when I turn off cookies, which I think implies that it must be some configuration at the client end rather than server end.

3:28 pm on Mar 10, 2003 (gmt 0)

Administrator

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 24, 2001
posts:15756
votes: 0


I use sessions, enable trans id and both relative and absolute paths and they all work fine.

The problem is probably something else. The cookies off is the first clue but there must be some other common element between them.

Are the sesions being started properly? Have you looked at how you are testing if they are logged in?

3:35 pm on Mar 10, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


When a user successfully logs in, I call:

session_register("mymember");

At the top of each subsequent page I have:

$mymember="";
session_start();

I then do the following to check if logged in:

if (!$mymember) {
// display error message and die
}

2:25 pm on Mar 13, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


Does anyone have any other ideas on this one?
3:32 pm on Mar 13, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 14, 2002
posts:118
votes: 0


If you have register globals off (default in >= 4.2) you'll need to replace mymember with $_POST['mymeber'], and there shouldn't be quotes around it when you register it AFAIK.

Try echoing the value of $mymember at the top of each page (if necessary, stick it inside an HMTL comment) so you can track it's value.

Allen

5:36 pm on Mar 13, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


I'm using PHP 4.1.2 and register_globals is ON.

I have echo'd $mymember and it shows fine.

The thing that's puzzling me is that it all works fine for me and 99% of my users. I can log in and navigate around without any problems. It even continues to work fine when I turn cookies off.

But there is a small number of new members each week who mail me to say they experience this problem. This is what leads me to believe it has to be some configuration at the client-end, but it's really got me stumped.

8:31 pm on Mar 13, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 6, 2001
posts:99
votes: 0


I would agree strongly with Paul (in South Africa) about ensuring the string is ALWAYS passed, therefor avoiding the problems with cookies.

noSanity

10:49 am on Mar 14, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


So is that the way a lot of session-based PHP sites are written - with the SID explicitly appended to the links?

Seems to make the built-in session-handling stuff that comes with PHP redundant!

I'll give it a go though and see what happens.

4:33 pm on Mar 14, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 6, 2001
posts:99
votes: 0


Well, the problem isn't how PHP handles sessions. It is a problem with how people are handling cookies. For example, if their date is earlier than the servers date, the cookie will automatically expire... this may be the problem you are experiencing. If you run the server, you could just set the date back 5 minutes or so and see if that fixes the problem.

noSanity

(note: that is only 1 of many possible cookie problems that exist)

1:28 pm on Mar 15, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


Well, I know I keep making the same point here, but if it's a problem with peoples' cookies (which I can quite understand) then surely PHP should seamlessly switch to URL-rewriting?

That's what I don't understand. Why should I have to explicitly append a session ID to every single link and include it as a hidden field in every single form, when PHP is supposed to handle that for me?

And indeed, when I turn off cookies on my browser, PHP does handle it for me and starts putting the session ID on each URL automatically. Why is this apparently not happening for everyone with cookie problems - that's my real question.

Thanks for your help so far though! :-)

6:21 pm on Mar 15, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 15, 2002
posts:6807
votes: 0


For example, if their date is earlier than the servers date, the cookie will automatically expire...

Ehm, that can't be right? Then they would expire for anyone who live in a different time zone! Or, what about those that live in areas where they use a different calendar than we do (like muslim countries, or China)

8:35 pm on Mar 15, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 6, 2001
posts:99
votes: 0


Well, the cookie is set for 1 timezone, eg: GMT, and the computer is set for another, eg: PST (-8 hours). The computer makes up for the difference automatically.

noSanity

9:33 pm on Mar 15, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 17, 2003
posts:86
votes: 0


After a great deal of head-scratching, I've finally realised what is causing my sessions to fail.

When cookies are disabled, PHP does do its URL-rewriting stuff for all links and forms on my pages. But I also use a nice drop-down javascript-based menu system. And the links embedded within that code are not re-written. This explains why I couldn't replicate my users' problems - they were using the javascript menu, while I was clicking on the alternative text links.

So now I know what's causing it, I'm faced with figuring out how to get the session ID appended to the links in the javascript code. I've tried using PHP tags and echoing out the PHPSESSID but that didn't seem to work. I've even renamed the javascript file to a .PHP extension, but that made no difference.

Any ideas?

9:34 pm on Mar 15, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 15, 2002
posts:6807
votes: 0


But, how does that affect session cookies? A session is time-independent, right?

(response to nosanity's post)

[edited by: DrDoc at 9:38 pm (utc) on Mar. 15, 2003]

9:36 pm on Mar 15, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member drdoc is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 15, 2002
posts:6807
votes: 0


instead of

blah.html

make the link

blah.html?<?php echo SID?>

12:19 am on Mar 16, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 22, 2002
posts:1782
votes: 0


The url_rewriter.tags [php.net] directive lets you specify element name and attribute that should be rewritten to include the session id.

php_value url_rewriter.tags [php.net] "option [w3.org]=value [w3.org]" will rewrite any URL contained within the value (option) [w3.org] attribute of an option [w3.org] element.

HTH Andreas

8:53 am on Mar 17, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 6, 2001
posts:99
votes: 0


DrDoc,

Yeah, I think all last week my mind has been on loan to somebody else. Come to think of it, I have been way off base almost every night on at least 1 topic. Argh, too much Tequilla.

noSanity

 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members