I use a basic cookie-based login, nothing special. In php.ini I have the appropriate settings:
session.use_cookies = 1
session.use_only_cookies = 1
session.use_trans_sid = 0
And the code is pretty straightforward:
-----------------
Login page:
if (!isset($_SESSION)) {
    session_start();
}
if (isset($_POST['UserName'])) {
    sleep(1);
    $loginUsername = $_POST['UserName'];
    $password      = $_POST['Password'];
    // GetSQLValueString(), handleError(), $databaseName, $REDIRECT_SUCCESS and
    // $REDIRECT_FAIL are defined elsewhere in the site's include files
    $LoginRS__query = sprintf("SELECT UserID, AccountStatus FROM User_List WHERE UserName=%s AND Password=SHA1(%s)",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));
    $LoginRS = mysql_query($LoginRS__query, $databaseName) or handleError(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $AccStatus = mysql_result($LoginRS, 0, 'AccountStatus');
        $UserID    = mysql_result($LoginRS, 0, 'UserID');
        $_SESSION['MM_Username']  = $loginUsername;
        $_SESSION['MM_UserGroup'] = $AccStatus;
        $_SESSION['UserID']       = $UserID;
        header("Location: " . $REDIRECT_SUCCESS);
    } else {
        header("Location: " . $REDIRECT_FAIL);
    }
    exit;
}
// html for login page
if (!isset($_SESSION)) {
    session_start();
}
function forceLogOut() {
    $_SESSION = array();
    // remove the session cookie from the browser as well as the server-side data
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    @session_destroy();
}
if (!isset($_SESSION['MM_Username'])) {
    forceLogOut();
    header("Location: Login.php");
    exit;
}
// html for whatever page is being viewed
Now this works - for most people. Occasionally, less than one user in 100 let's say, they'd log in and get forced back from no session found. I ended up making a passthrough page right after login just to check for that session variable. If it's there they get passed through to the rest of the site (and its normal checks).
But if it's not, I display an error page telling them that they have to log in, and that cookies must be enabled, and to please clear their cache. Then I have a feedback form asking for more information.
Like I said, most people never see this. But every so often someone is landing there. I receive info like this:
i am on the sprint network using the opera mobile browser and cookies are enabled. what else could i try
or this:
i have been logged in before but now wont let me in
I don't want to ignore these people, but I'm not about to drop cookie-based sessions for URL session IDs. Not on a universal case anyway (though I could see using it as a back up method if it was smooth).
Am I overlooking something? Is there a smooth fix? Or would I have to custom-write a session handler and modify all my header("Location:") lines?
I'm not overly familiar with sessions, but I thought I knew best practices. So I'm a bit stumped here.
[edited by: Amarsir at 7:14 pm (utc) on Feb. 2, 2009]
if (!isset($_SESSION)) {
    session_start();
}
Try replacing this with just the following:
session_start();
Other than that, I don't see where there is a potential problem. See if that helps any. If it is the same user over and over again then maybe it is their browser screwing it up. Also make sure that session_start is being called before anything is sent to the browser, otherwise it will not work. And welcome to WebmasterWorld!
Another area to check is the session cookie being set. Check the domain and path to be certain you don't have something awry there. A common issue is using the domain name and you have canonical issues (example.com and www.example.com).
If you are on a shared server you may be finding that the session is being destroyed by the garbage collection routine, especially if you are sharing your session directory with others on the same server (which is a huge security issue).
It's a virtual, so although the hardware is shared the settings are all my own. There were some garbage collection issues at first, which is why I added the line with manual session cookie removal on logging out. Due to the nature I don't think that's involved here. These are people who log in and instantly their session is missing.
It's as if they are blocking cookies - except I have to believe them when they say they're not. Especially if they've logged in successfully on other days.
Another area to check is the session cookie being set. Check the domain and path to be certain you don't have something awry there. A common issue is using the domain name and you have canonical issues (example.com and www.example.com).
It's my own domain so I don't think so. But it's worth a look.
Thanks
[edited by: eelixduppy at 3:26 pm (utc) on Feb. 3, 2009]
[edit reason] no personal URLs, please [/edit]
It's my own domain so I don't think so. But it's worth a look.
That's not what I am referring to. I'm speaking specifically of the cookie specification [php.net] and the values being provided for certain arguments. If they vary, you will be prompted for another login as the cookie/session will not be the same session.
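A hardened version of the session handling this thread circles around, added here as an example rather than Amarsir's code or anything posted in the thread: it fixes the cookie domain and path explicitly (coopster's point about example.com versus www.example.com), regenerates the session ID at login, and gives the passthrough page a way to tell a cookie that never came back from session data that vanished on the server. It assumes PHP 7.3 or later, an HTTPS site, and the placeholder domain example.com.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ (array form of
// session_set_cookie_params), an HTTPS site, and the placeholder domain below.
declare(strict_types=1);

const SESSION_COOKIE_DOMAIN = 'example.com'; // placeholder: the site's bare domain

// Start the session exactly once, with explicit cookie attributes, so that
// example.com and www.example.com receive and return the very same cookie.
function bootstrap_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,                     // browser-session cookie
        'path'     => '/',
        'domain'   => SESSION_COOKIE_DOMAIN, // bare host and www. share it
        'secure'   => true,                  // never sent over plain HTTP
        'httponly' => true,                  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();                         // must run before any output
}

// Login page, after the credentials have been verified: issue a fresh session
// ID before storing the login so a pre-login ID cannot be reused (fixation).
function establish_login_session(string $username, int $userId, string $accStatus): void
{
    bootstrap_session();
    session_regenerate_id(true);
    $_SESSION['MM_Username']  = $username;
    $_SESSION['MM_UserGroup'] = $accStatus;
    $_SESSION['UserID']       = $userId;
}

// Passthrough page: tell "the browser never returned the cookie" (domain, path
// or secure mismatch, or cookies off) apart from "the cookie came back but the
// server-side data is gone" (garbage collection or a wrong session.save_path).
function diagnose_session(): string
{
    bootstrap_session();
    if (!isset($_COOKIE[session_name()])) {
        return 'no-cookie';
    }
    if (!isset($_SESSION['MM_Username'])) {
        return 'cookie-without-data';
    }
    return 'ok';
}
```

Logging the return value of diagnose_session() on the passthrough page, next to the Host header the request arrived on, shows whether the stranded users are losing the cookie or the server-side data.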