php session problem

ConsultClifford

hi

ive been working with a newsletter php app - simply writing messages to mysql.
its working sweet locally but when i up load it - no go!

The problem is a session problem. I can log in alright but then when i try to select a link to add a newsletter or something it sends me right back to the log in !! THIS is not happening locally.

Can any of you more experienced php'ers let me know is there any config on my host that disables my session creation or something?

Tnx

nahdoic

Ok not even nearly enough information to make an informed decision.

What versions of php are you dealing with locally and remotely? What operating systems/web server are you using locally and remotely?

At best guess it sounds like you might be experiencing the wonderful world of cookies.

http://ie2.php.net/manual/en/function.session-start.php

I use a Windows machine for development, Apache and PHP (in CGI mode). The same script that was working fine on Linux, failed to use PHPSESSID cookie.

After many trials, I have noticed that if I send a cookie using header('Set-Cookie:'), PHPSESSID will not be sent by PHP. If I send my cookies using setcookie(), PHPSESSID cookie is sent.

After all, this bug comes in the following situation:
- PHP win32 CGI mode
- other header('Set-Cookie:') commands in the initial page script

Solution: use setcookie() or send PHPSESSID cookie yourself.

Ste.phen

It could be similar to my problem, where internet explorer is serving cached pages, and not the new ones after you log in?

on my own site, theres a fairly simple cookie based auth.; enter username / password, they're passed to "users_login.php", which checks the database, sets a cookie (if login was ok) and bounces you back to the referring page..
IE doesnt reload this page though, and the cached copy with "error, you're not logged in, enter details below" is shown instead...
Anyone know how i can force IE to re-request the page?
(netscape / mozilla work OK)

Enygma

You can send HTTP headers that force the browser to get the 'latest version' of a page.

Google: HTTP Cache headers.

ConsultClifford

nahdoic


Im using Apache 1.3 , and mysql 1.4 and php 4.3 on XP locally.

the host i use uses
PHP 4.3.* and Apache 1.3.29.


i'll take a look into you cookie talk below BUT corect me if im wrong - should the use of sessions not remove the need for cookies??

You may be thinking right now, well that's nice, but I can do this with Cookies! This may come to you as a suprise, but Cookies are about 30% unreliable right now and it's getting worse every day. More and more web browsers are starting to come with security and privacy settings and people browsing the net these days are starting to frown upon Cookies because they store information on their local computer that they do not want stored there. PHP has a great set of functions that can achieve the same results of Cookies and more without storing information on the user's computer. PHP Sessions store the information on the web server in a location that you chose in special files. These files are connected to the user's web browser via the server and a special ID called a "Session ID". This is nearly 99% flawless in operation and it is virtually invisible to the user.

dahamsta

Presumably we're talking about PHP's inbuilt session handler...

Originally posted by ConsultClifford
should the use of sessions not remove the need for cookies??

No, the default handler for PHP sessions is cookies, it only moves to GET if cookies don't work. (It does this by setting a cookie /and/ pushing a QUERY_STRING into the page that started the session. If the cookie exists on the next request, it stops munging the HTML.) If your problem is in fact cookies, it's likely the problem is that PHP was compiled without '--enable-trans-sid' or has trans-sid turned off. Try creating a phpinfo() file and checking the Configuration Options for '--enable-trans-sid'.

I dunno where you got that quote from, but the suggestion that "Cookies are about 30% unreliable right now" is bollocks. Yes, browsers have security settings these days and the defaults are more secure, but they nearly all still default to "accept from local server", which is all you need. And regular users don't frown on cookies. Regular users wouldn't know what a cookie was if it came up and bit them on the arse.

adam

ChicoMendez

adam

this is some of the Configure Command info
[PHP]'./configure' '--prefix=/usr/local' '--enable-exif' '--enable-track-vars' '--with-calendar=shared' '--enable-magic-quotes' '--enable-trans-sid' '--enable-wddx' '--enable-ftp' '--enable-inline-[/PHP]

--enable-trans-sid is there! ive also added a print screen of the phpinfo() session info.

does anything jump out at you that may be causing the problem?

ChicoMendez

tnx

nahdoic

Did you compare the phpinfo with the local and remote system?

It all looks good to me though, can you post the code you are using to create the session?

[edit]Wait a second you have use_trans_sid set to 0 that would defintely be the problem. If you don't have cookies enabled you won't be able to go anywhere after the first page.[/edit]

dahamsta

What nahdoic said.

ConsultClifford

heres my code

remote and local settings look to be same

nahdoic

session.auto_start is also set to off and in your code you have no session_start in your code.

ConsultClifford

sorry should have stated

i call session_start(); in the included header.php file

do you reckon the problem is in the code as i have also installed osCommerce on that remote server that uses sessions and that is working grand!

dahamsta

osCommerce seems to use an internal session handler. Did you change the use_trans_sid setting in php.ini as nahdoic suggested?

adam

ConsultClifford

i would if i could find it on the remote host which i have access to via ftp.

as its another company hosting my site have a rights to change this? for my site?

phpinfo() says php.ini is in /usr/local/lib/php.ini but i cant find it on the host.

nahdoic

well you may want to get in touch with the other company hosting your website and ask them to change it.

flamegrill

Sean may i suggest the following:

session_cache_limiter('private');
session_cache_expire(30);
session_start();

$sid = session_name() . "=" . session_id();

and pass the $sid to each page as you move around the system.

The use session.use_trans_sid = 1 is not recomended and can lead to bad things where sessions are concerned.

Regards,

Paul

dahamsta

The use_trans_id config var can't be set on the fly using ini_set() but it does have PHP_INI_PERDIR permissions, which means you can set it in .htaccess if your host allows it. Try creating a file called .htaccess in the root directory of your application with this in it:

php_flag use_trans_sid on

Now load a phpinfo() file in that directory and see if the local config has changed. You'll find the documentation for configuration settings, and how and what you can change here.

Flamegrill, what bad things?

adam

flamegrill

Without looking farther than the php.ini, it says a few things about it.

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.

I personally don't think it's needed, just pass the session name to each url and bobs yer uncle

Paul