PHP $_SESSION problem

Bananna man

Hey,

Im having a problem with this code. Im trying to set up a login system but my $_SESSION variables dont seem to be being passed back to my index page. When someone comes to the page first of all they should see the login box as they have not yet started a session. The code for this bit is as follows:

<?php

 	if (isset($_SESSION['first_name'])) {
  		echo "Currently logged in as: '".$_SESSION['first_name']."'	
				<br><form name='form2' method='post' action='php_scripts/transact_user.php'>
  				<input type='submit' name='Submit' value='Logout'>
				</form><br>";
 }

 	if (!isset($_SESSION['user_id'])) {
			echo "<table width='240' border='0' cellpadding='0' cellspacing='0' class='text_main'>
            <tr>
              <td height='125' align='right'>
				<form name='form1' method='post' action='../apple_php_scripts/transact_user.php'>
                <p>Email: 
                    <input type='text' name='email' maxlength='255'>
                </p>
                <p>Password: 
                  <input type='text' name='password' maxlength='50'>
                </p>
                <p>
                  <input type='submit' class='submit' name='action' value='Login'>            
                        </p>
              </form>
				</td>
			<td width='20'>&nbsp;</td>
            </tr>
          </table>";
		}

?>

The secong if statement is done as the $_SESSION has not yet been set.

When you enter your email address and password you are brought to the transact_user.php page which is as follows:

<?php
require_once 'conn.php';
require_once 'http.php';

if (isset($_REQUEST['action'])) {
 switch ($_REQUEST['action']) {
  case 'Login':  
 	if (isset($_POST['email'])
     and isset($_POST['password']))
   {
    $sql = "SELECT user_id,access_lvl,first_name,last_name " .
        "FROM apple_users " .
        "WHERE email='" . $_POST['email'] . "' " .
        "AND password='" . $_POST['passwd'] . "'";
    $result = mysql_query($sql,$conn)
     or die('Could not look up user information; ' . mysql_error());

    if ($row = mysql_fetch_array($result)) {
     session_start();
     $_SESSION['user_id'] = $row['user_id'];
     $_SESSION['access_lvl'] = $row['access_lvl'];
     $_SESSION['first_name'] = $row['first_name'];
	 $_SESSION['last_name'] = $row['last_name'];
    }
   	}
}
}

    include ('redirect_homepage.php');  // This include just goes to another file which tells it to redirect back to the homepage
	break;
?>

So once all this is done the session should now have began and the user should be redirected back to the homepage.

The code at the very beginning of the scripts i showed you i.e.

<?php

 	if (isset($_SESSION['first_name'])) {
  		echo "Currently logged in as: '".$_SESSION['first_name']."'	
				<br><form name='form2' method='post' action='php_scripts/transact_user.php'>
  				<input type='submit' name='Submit' value='Logout'>
				</form><br>";
 }

Should now take affect as the users 'first_name' variable should have been set when the session was started but this is not happening. This is being ignored and the next if statement is just showen again i.e. the login box.

I have tried changing the first bit of code to if (!isset($_SESSION)) to see what happens and in this case this code is being done. Therefore, it seems to me that the session variables are not being transfered when i am redirected to the homepage.

Anyone know where im going wrong?

Thanks

chilled

You need to have session_start() on the homepage. To access variables stored in a session you must put session_start() at top of that page. So that should be why its not displaying "currently logged in as ".

Becareful posting your login scripts up publicly, makes it easier for dirtbags to find flaws if any and hack in.

Bananna man

Hey,

Thanks for the reply. I already have the session_start() command on the transact_user.php page. Should this not be sufficient?

I tried putting session_start() at the start of the home page anyway to try it and it is still doing the same as before.

Bananna man

Man!!! Got it sorted at last. I had this line:

$_POST

when it should have been $_POST

Thanks for the replys anyway!!