Re: [PHP] sessions/cookies
others have given good advice, but let's learn to walk before we run shall we.

1. session_start() should be called once per request.
2. checkValidUser() does a select on all the users in the database, this is *wrong* - do a select with a suitable WHERE clause that retrieves the one user that matches the given user name and password.
3. GetAccessLevel() uses an undefined property.
4. all the properties ($UserID, $AdminLevel, etc) are only set during the request where the user's login credentials are checked. subsequent requests will not have that info.
5. use php5?
6. go back and read the other replies regarding separation of responsibilities and encapsulation.

nihilism machine wrote:
> I wrote an authentication class in php4. The sessions don't seem to be working with internet explorer, just with FF. here is the code below, a cookies notice pops up when you try and login:
>
> <?php
> class auth {
>
>     var $UserID;
>     var $AdminLevel;
>     var $FirstName;
>     var $LastName;
>     var $DateAdded;
>     var $MobileTelephone;
>     var $LandLineTelephone;
>
>     // Connect to the database
>     function auth() {
>         mysql_connect('','','') or die('ERROR: Could not connect to database');
>         mysql_select_db('') or die('ERROR: Could not select database');
>     }
>
>     // Attempt to login a user
>     function CheckValidUser($Email,$Password) {
>         $result = mysql_query('SELECT * FROM Users');
>         $Password = $this->encode($Password);
>         if (mysql_num_rows($result) != 0) {
>             while($row = mysql_fetch_assoc($result)) {
>                 if (!strcmp($row['Email'],$Email)) {
>                     if (!strcmp($row['Password'],$Password)) {
>                         // User info stored in Globals
>                         $this->UserID = $row['ID'];
>                         $this->AdminLevel = $row['Admin_Level'];
>                         $this->FirstName = $row['First_Name'];
>                         $this->LastName = $row['Last_Name'];
>                         $this->DateAdded = $row['Date_Added'];
>                         $this->MobileTelephone = $row['Telephone_Mobile'];
>                         $this->LandLineTelephone = $row['Telephone_Land_Line'];
>                         // User info stored in Sessions
>                         session_start();
>                         $_SESSION['Status'] = "loggedIn";
>                         $_SESSION['Email'] = $row['Email'];
>                         $_SESSION['AdminLevel'] = $row['Admin_Level'];
>                         $_SESSION['LandLine'] = $row['Telephone_Land_Line'];
>                         $_SESSION['MobileTelephone'] = $row['Telephone_Mobile'];
>                         $_SESSION['FirstName'] = $row['First_Name'];
>                         $_SESSION['LastName'] = $row['Last_Name'];
>                         return true;
>                     }
>                 }
>             }
>             header("Location: index.php?error=invalidLogin");
>         } else {
>             die('ERROR: No Users in the database!');
>         }
>     }
>
>     // Create a new user account
>     function CreateUser($Email, $Password, $AdminLevel, $LandLineTelephone, $MobileTelephone, $FirstName, $LastName) {
>         $Password = $this->encode($Password);
>         $this->AccessLevel = $AdminLevel;
>         $DateAdded = date("Y-m-d H:i:s");
>         mysql_query("INSERT INTO Users (Email, Password, Admin_Level, Date_Added, First_Name, Last_Name, Telephone_Land_Line, Telephone_Mobile) VALUES ('$Email','$Password','$AdminLevel', '$DateAdded', '$FirstName', '$LastName', '$LandLineTelephone', '$MobileTelephone')") or die(mysql_error());
>         return $this->UserID = mysql_insert_id();
>     }
>
>     // Update a users access level
>     function UpdateAccessLevel($ID,$AdminLevel) {
>         mysql_query("UPDATE Users SET Admin_Level='$AdminLevel' WHERE ID=$ID") or die(mysql_error());
>         return true;
>     }
>
>     // Delete a user
>     function DeleteUser($ID) {
>         mysql_query("DELETE FROM Users WHERE ID=$ID") or die(mysql_error());
>         return true;
>     }
>
>     // Get a users access level
>     function GetAccessLevel() {
>         return $this->AccessLevel;
>     }
>
>     // Get a users ID
>     function GetUserID() {
>         return $this->UserID;
>     }
>
>     // Log user out
>     function LogOut() {
>         session_start();
>         session_unset();
>         session_destroy();
>         header("Location: index.php");
>     }
>
>     // Check users access level to see if they have clearance for a certain page
>     function CheckUserLevel($RequiredLevel) {
>         if ($_SESSION['AdminLevel'] < $RequiredLevel) {
>             if ($_SESSION['AdminLevel'] == 2) {
>                 header("Location: financial.php");
>             } else if ($_SESSION['AdminLevel'] == 1) {
>                 header("Location: user.php");
>             } else {
>                 header("Location: index.php");
>             }
>         }
>     }
>
>     // Check to see if a user is logged in
>     function CheckLoggedIn() {
>         session_start();
>         if ($_SESSION['Status'] !=
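
Points 1, 2 and 4 of the reply above, as an added example that is not code from the thread: one session_start() per request, a lookup restricted by a WHERE clause with the value bound as a parameter, and later requests reading identity from the session. Assumptions: PDO with an in-memory SQLite table in place of the poster's MySQL `Users` table, and the `Password` column holding a `password_hash()` value that is verified in PHP rather than compared in SQL.

```php
<?php
// Added example, not code from the thread. Table and column names follow
// the quoted class; the row inserted below is constructed sample data.

session_start();                       // once per request, before any output

function find_user(PDO $db, string $email): ?array {
    // WHERE clause: fetch only the row for this e-mail. The value is bound
    // as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare(
        'SELECT ID, Password, Admin_Level FROM Users WHERE Email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, string $email, string $password): bool {
    $user = find_user($db, $email);
    if ($user === null || !password_verify($password, $user['Password'])) {
        return false;
    }
    session_regenerate_id(true);       // fresh session ID once authenticated
    $_SESSION['Status']     = 'loggedIn';
    $_SESSION['UserID']     = (int) $user['ID'];
    $_SESSION['AdminLevel'] = (int) $user['Admin_Level'];
    return true;
}

// Later requests read identity from the session, not from object properties
// that were only filled in during the login request.
function current_admin_level(): ?int {
    return ($_SESSION['Status'] ?? '') === 'loggedIn'
        ? $_SESSION['AdminLevel'] : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (ID INTEGER PRIMARY KEY, Email TEXT UNIQUE,
           Password TEXT, Admin_Level INTEGER)');
$db->prepare('INSERT INTO Users (Email, Password, Admin_Level) VALUES (?,?,?)')
   ->execute(['alice@example.com', password_hash('s3cret-pass', PASSWORD_DEFAULT), 2]);

$wrong = login($db, 'alice@example.com', 'wrong-pass');
$right = login($db, 'alice@example.com', 's3cret-pass');
var_dump($wrong, $right, current_admin_level());   // output only after session work
```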
Re: [PHP] sessions/cookies
On Jan 22, 2008 9:15 PM, nihilism machine [EMAIL PROTECTED] wrote:
> I wrote an authentication class in php4. The sessions don't seem to be working with internet explorer, just with FF. here is the code below, a cookies notice pops up when you try and login:

Hi,

I took a quick look at your code. I haven't pin-pointed exactly what the issue is because there is really way too much going on there. I'd suggest you look at your error log and see if there are any warnings.

Here is some advice:

- Having a class named auth is a bad idea. Is auth authentication or authorization?
- The auth class itself really shouldn't be directly accessing the session or database. You should write drivers and interfaces that implement this functionality for you.
- Hard coding header redirects (That aren't absolute by the way) means you have to modify your authorization class instead of behavior based on if you log in or not. That isn't a good idea.

By separating out concerns it will make your class a lot smaller and easier to work with.

I realize this link I'm posting is called auth too, but that wasn't my choice. You can see that they have drivers so that authentication itself is a generic idea and you implement it against a specific thing such as a mysql users table or htpassword.

http://solarphp.com/package/Solar_Auth

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] sessions/cookies
On Jan 22, 2008 9:54 PM, Eric Butera [EMAIL PROTECTED] wrote:
> I realize this link I'm posting is called auth too, but that wasn't my choice.

that was kind of funny after your initial criticism above, but to solar's credit, it's the auth 'package' so really the name isn't too bad, i'd say.

> You can see that they have drivers so that authentication itself is a generic idea and you implement it against a specific thing such as a mysql users table or htpassword.

eric is totally right here; at a quick look at your code, i saw auth, ... create user,.. database.. cookie; i'm thinking what exactly is going on here.

the general idea behind a class is to 'encapsulate' things that change into a little self-contained unit. ideally the class doesn't know how the insides of other classes work, nor do other classes know how it works on the inside. in order to realize this, you should strive for classes with a high degree of cohesion.

http://en.wikipedia.org/wiki/Cohesion_(computer_science)

although there is no real metric for this concept, most people can grasp the concept and have an idea when code has either a low or high degree of cohesion.

if you want some advice on your class, i would start by breaking out the CheckUserLevel(), and CreateUser() methods into a User class, you might also consider a Session class.

if you want some advice on how to solve your problem here is my suggestion; you need to isolate the behavior that is not working correctly. this feat becomes difficult when you have lots of variable behaviors in one place. break your class into pieces and test the pieces individually; once they all work individually, then they should work as a group without too much effort. if that isn't working (when you get there) then the code that glues it all together is to blame.

-nathan
Re: [PHP] Sessions /cookies issue
Dave Goodchild wrote:
> Hi all. I am building a web app which uses sessions to retain user data between pages and finally enter that data into mysql - I have noticed that out of 100 entries in the database, 10% are blank. I tested this by setting a cookie on the home page and when the user navigated to the form pages, tested whether that cookie was set and if not issuing a warning with some cookie tutorial info for the user.
>
> Before I used the simple test cookie, obviously the only cookie that was being set was PHPSESSID. All the users who entered blank records were using IE. When I test using IE this end, the session cookie is set with no problems and my IE security settings are set to medium. I know IE will accept certain third-party cookies at this setting, but what's the criteria and has anyone else encountered this problem?

3rd party cookies are tough. You'll need to look at p3p headers and a p3p policy to get them through IE.

--
Postgresql php tutorials
http://www.designmagick.com/
RE: [PHP] sessions cookies
Scott Taylor wrote:
> How exactly do sessions work? I've heard that if cookies are disabled that a session will then pass its variables in the url (through GET). Yet when I manually disable cookies none of my pages work (because the $_SESSION variables do not seem to be working).

The variables themselves aren't passed, only a session ID, and that is only passed through GET/POST if transparent SID support is enabled (it is disabled by default). You can change the session.use_trans_sid setting in your php.ini file or if your server supports .htaccess you can create one and add

    php_flag session.use_trans_sid on

to it.

For more information see the manual: http://www.php.net/manual/en/ref.session.php
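
The settings that decide how the session ID travels, as an added example that is not part of the reply above: it reports, for a given set of `session.*` values, whether the ID ends up in URLs or is accepted from request parameters. The directive names are real php.ini settings; the two sample configurations are constructed.

```php
<?php
// Added example, not from the thread. Sample configurations are constructed.

function session_id_findings(array $ini): array {
    $on = fn(string $k): bool =>
        filter_var($ini[$k] ?? '0', FILTER_VALIDATE_BOOLEAN);
    $findings = [];
    // PHP rewrites relative URLs only when use_trans_sid is on AND
    // use_only_cookies is off.
    if ($on('session.use_trans_sid') && !$on('session.use_only_cookies')) {
        $findings[] = 'session ID is appended to relative URLs and forms';
    }
    if (!$on('session.use_only_cookies')) {
        $findings[] = 'session ID is accepted from GET/POST, not only the cookie';
    }
    if (!$on('session.use_strict_mode')) {
        $findings[] = 'IDs that the server did not issue are adopted';
    }
    if (!$on('session.cookie_httponly')) {
        $findings[] = 'session cookie is readable from JavaScript';
    }
    return $findings;
}

$samples = [
    'trans-sid via .htaccess' => ['session.use_trans_sid' => 'on',
                                  'session.use_only_cookies' => '0'],
    'cookie-only' => ['session.use_trans_sid' => '0',
                      'session.use_only_cookies' => '1',
                      'session.use_strict_mode' => '1',
                      'session.cookie_httponly' => '1'],
];
// The running interpreter's own values, read with ini_get().
$keys = array_keys($samples['cookie-only']);
$samples['this runtime'] = array_combine($keys, array_map('ini_get', $keys));

foreach ($samples as $name => $ini) {
    $f = session_id_findings($ini);
    echo $name, ': ', $f ? implode('; ', $f) : 'no findings', "\n";
}
```

A session ID carried in a URL is also written to server logs, browser history and Referer headers, which is why the cookie-only configuration is the one to aim for where cookies are available.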
RE: [PHP] Sessions, Cookies, and Subdomains
[snip]
> I want to have my website split into several subdomains with a shared user system. That is to say that when someone logs into foo.mysite.com they'd also be logged into bar.mysite.com when they go to it. It is my understanding that php sessions will not work in this way, being that each subdomain has its own sessions. If this is the case, is there a way around this? If it is the case and there isn't a way around this, is this able to be done with regular cookies?

You'll want to implement your own session handler and store the data in a database. Then you can access and load the session variables from any domain with access to the database.

> Also, php sessions only last a certain amount of time. I'd like for users to remain logged in indefinitely if they choose to do so while logging in. Assuming this is absolutely impossible in sessions, is it feasible to use php sessions as the basis of my user system, but use cookies as a secondary to it if users choose to remain logged in? Any help at all would be really appreciated, because I'd like to get the new version of my site rolled out soon.

If you want a remember me feature, then you'll have to implement something with cookies. Sessions will remain active as long as the user is active. If they are inactive for a certain amount of time (which you can set in php.ini) then their session file will be erased.

Hope that helps.

---John Holmes...
Re: [PHP] Sessions/Cookies and HTTP Auth
When using cookies, if you don't set an expiration time, the cookie is only good until the session expires. It doesn't get saved, and it disappears when the user closes their browser. Many browsers have different settings/preferences for session cookies, and because they don't get saved to your disk, you may not be prompted.

This might also explain someone's question a little while back (not sure if it got answered or not) about why they couldn't find the cookie on their hdd.

Maxwell

----- Original Message -----
From: David McInnis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 27, 2002 7:10 PM
Subject: [PHP] Sessions/Cookies and HTTP Auth

Here is the scenario.

1. I set my browser to block all cookies.
2. I access this script.
3. I am thinking that I should get an error because I presume that session_start() will attempt to set a cookie (which it appears to do). (I tried setcookie() too and the cookie was accepted.)

My question is this. When using httpauth, does httpauth override your cookie preferences?

David

*** my code **

<?php
require "/home/www/common/_ini/_main.ini.php";

$auth = false; // Assume user is not authenticated

if (isset($PHP_AUTH_USER) && isset($PHP_AUTH_PW)) {
    // Escape the client-supplied credentials before they go into the SQL string
    $user = mysql_real_escape_string($PHP_AUTH_USER, $connection);
    $pass = mysql_real_escape_string($PHP_AUTH_PW, $connection);
    $sql = "SELECT * FROM staff WHERE username = '$user' AND password = '$pass'";
    $result = @mysql_query($sql, $connection)
        or die('Database Error - Could not select create data from projects.');

    // Get number of rows in $result.
    $numrows = mysql_num_rows($result);
    if ($numrows > 0) {
        // A matching row was found - the user is authenticated.
        $auth = true;
    }
}

if (!$auth) {
    header('WWW-Authenticate: Basic realm="Private Extranet"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
} else {
    session_start();
    echo '<P>You are authorized!</P>';
    phpinfo();
}
?>
Re: [PHP] sessions / cookies / header(Location...
yup, your browser is not accepting cookies. that's a good guess. when a browser does not accept cookies, trans-sid will kick in, trans-sid will not work on full urls, just relative urls.

no trans-sid
http://www.mediawaveonline.com/index.php

trans-sid
/index.php

header redirects require (supposed to require) full urls. in other words it's a good idea to put PHPSESSID=$PHPSESSID on all your full urls anyhow, just in case for non-cookie browsers.

--
Chris Lee
[EMAIL PROTECTED]

Christian Dechery [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> I have a page that does a login... right after the login is successful it registers a session var called 'userid'... and does a header("Location: newpage.php") which checks for the existence of this var... if it exists it will show, otherwise it goes back to the login page...
>
> the weird thing is... it always worked fine, even if I logged in and out with three different users to test it... but now it only works if I replace the header() thing with: header("Location: newpage.php?PHPSESSID=$PHPSESSID")
>
> why is this weird now? it used to work...
>
> and the weird thing is... while in newpage.php the user does some stuff which calls itself and also gets this 'userid' var... and gets it fine without any PHPSESSID stuff...
>
> any clues?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] sessions / cookies / header(Location...
it does not have anything to do with my browser... that's for sure... I'm using MSIE 5.5, and never had any trouble... and as I said on the email... it used to work fine... it just stopped working...

and now yet some fresh info... it's working again now... I've tried... one thing I noticed, that when I was testing and it was not working f2s.com was really slow... sluggish really... then 1 hour later got faster... I tested it and it worked...

so... does speed have anything to do with it? Maybe they were doing some maintenance or whatever...

At 14:35 17/5/2001 -0500, Chris Lee wrote:
> yup, your browser is not accepting cookies. that's a good guess. when a browser does not accept cookies, trans-sid will kick in, trans-sid will not work on full urls, just relative urls.
>
> no trans-sid
> http://www.mediawaveonline.com/index.php
>
> trans-sid
> /index.php
>
> header redirects require (supposed to require) full urls. in other words it's a good idea to put PHPSESSID=$PHPSESSID on all your full urls anyhow, just in case for non-cookie browsers.
>
> --
> Chris Lee
> [EMAIL PROTECTED]
>
> Christian Dechery [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > I have a page that does a login... right after the login is successful it registers a session var called 'userid'... and does a header("Location: newpage.php") which checks for the existence of this var... if it exists it will show, otherwise it goes back to the login page...
> >
> > the weird thing is... it always worked fine, even if I logged in and out with three different users to test it... but now it only works if I replace the header() thing with: header("Location: newpage.php?PHPSESSID=$PHPSESSID")
> >
> > why is this weird now? it used to work...
> >
> > and the weird thing is... while in newpage.php the user does some stuff which calls itself and also gets this 'userid' var... and gets it fine without any PHPSESSID stuff...
> >
> > any clues?

. Christian Dechery (lemming)
. http://www.tanamesa.com.br
. Gaita-L Owner / Web Developer