on 10/09/02 1:01 PM, Jiaqing Wang ([EMAIL PROTECTED]) wrote:
Hello, Everyone,
I'm having some problem with the session handling in my code, it's kind of
hard to explain the whole problem but let me try.
I currently have a login page login.php which will take user input for
userid and passwd and check them against my backend PostgreSQL database,
after the password is verified I then open a session with
session_name($_POST['userid']);
session_start(); -- presumebly this will set a cookie with session_name
as the cookie name and session_id as the cookie value
usually PHPSESSID is the name of the cookie, and I tend to leave it like
that. I'd name it something else other than $_POST['userid'] though... the
whole point of sessions is to store a session id on the client side (usually
a long number), and store all the sensitive data (usernames, passwords, etc)
on the SERVER SIDE, associating them with the session ID.
at this point you haven't assigned any values to the session. If you want
the userid to be available on other pages (a session!!!), you shouldn't name
the session after the userid.
assuming you have PHP 4.1:
?
// login page
// validate $_POST['userid'] first
if($validuser)
{
session_start();
$_SESSION['userid'] = $_POST['userid'];
}
?
then I redirect user to his/her own custome page (like my place or my site)
using header(Location: https://www.domain.com/cgi/mysite?userid=$userid;)
function call. in mysite.php script I will then open the session with the
session_name with
session_name($_GET['userid']);
session_start(); --presumebaly this will get the session opened previously
by login page.
No. The whole point of sessions is that you don't have to carry the userid
around in the URL. You just redirect to wherever you want:
?
// login page
// validate $_POST['userid'] first
if($validuser)
{
session_start();
$_SESSION['userid'] = $_POST['userid'];
header(Location: https://www.domain.com/cgi/mysite.php;); // added
}
?
Then on subsequent pages (the rest of your site), you check to see who your
user is with this code:
?
session_start();
echo $_SESSION['userid'];
?
Make sense?
I've been trying tog et enough time together to write an article about this
stuff, but for the moment, you need to do some more research and get a grip
on what sessions are really used for.
Just as an example, you could assign more variables (user preferences for
example) to the session at login time (or at any time during the session):
$_SESSION['favcolor'] = 'blue';
$_SESSION['shoesize'] = '14';
$_SESSION['language'] = 'en';
$_SESSION['pageviews'] = $_SESSION['pageviews']++;
$_SESSION['blah'] = 'foo';
$_SESSION['blahblah'] = 'foo foo';
There's a nice article on webmasterbase.com in the PHP section by Kevin
Yank. The code is a little out-dated (pre $_SESSION and all the superglobal
arrays, so you'll need register_globals on in your php.ini for it all to
work), however, it's clean, and he does a great job of explaining it all.
You should read it, twice :)
It was the basis of my session code a while back.
In theory, any pages you call on your site which have
? session_start(); ? as the first line will maintain a COOKIE based
session. If you do not call session_start(), you *may* loose the session,
even under cookies.
If users don't have cookies, your sessions won't work at this stage... the
sid needs to be passed around in the URL.
This arrangement works correctly in the regular IE v5 and Netscape v4.72
without a problem, I can tell the session is being opened by login.pho page
and passed onto mysite.php page. However, it doesn't work in frameset/frame
setup at all, for example, if I put the whole login.php page which is
login.php under a frame within a frameset
frame src=cgi/login.php target=body
The concept of having framed content is fine if you are using cookie based
sessions, as long as each framed page (the frameset and all pages within it)
call session_start()... otherwise (again) you need to pass the sid to the
framed page through the URL.
The problem is that I can't get the same session previously opened in
login.php in mysite.php, mysite.php will start a different session if it
can't find previous opened session with session_name as userid as this is
the default behavior of session_start() function. So I assume that login.php
either didn't set the cookie or the cookie can't be read by mysite.php.
see above :) I think your session setting code aint working the way you
intended, and certain not the way PHP developers intended.
If it helps the situation, I also noticed that my SSL cerificate warning
page being prompt twice, the first time is when opening page login.php(it's
also under https), the second time is when opening mysite.php, I'm currently
using self-signed certificate so every time the https page opens up in a new
browser it will prompt you for whether or not accept the ceritificate).
Sure, there may
