ID:               23526
Comment by:       SKJoy2001 at Yahoo dot Com
Reported By:      sa dot hassam at ntlworld dot com
Status:           Bogus
Bug Type:         Session related
Operating System: WinXP (NTFS Filesystem)
PHP Version:      4.3.2RC2
New Comment:

You must use session_name("sessionname") before the session_start() statement.


Previous Comments:
------------------------------------------------------------------------

[2003-05-09 05:22:33] [EMAIL PROTECTED]

Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. Because of this, we hope you add your comments
to the existing bug instead.

Thank you for your interest in PHP.

Search the bug db before you submit new report..

------------------------------------------------------------------------

[2003-05-07 07:12:16] sa dot hassam at ntlworld dot com

I am hosting an rpg Gaming site, under Windows XP (ntfs filesystem), and Apache web server (httpd). I have set up PHP FULLY, and everything works.

The problem is, we use session_start(); session_register("user_id"); on our index page (ALL pages are called through this index page, to set up variables and configs/includes). When a user logs in CORRECTLY, it will show the new/updates page and so on, but when a link is clicked, it says You aren't logged in. This is not a code defect of our own, as the site was fully functional under a Red Hat Linux webserver at www.flump.net temporarily.

I have included the index page in full and extracts from my current php.ini file, which I think are relevant to the issue...

<<<--INDEX.PHP--->>>

<?php
session_start();
session_name("user_id");
/* Index.php
 * All pages should be called through this page.
 * It sets up objects needed and config.
 */

// Register globals and magic_quotes must be on for this script to work.
if ((strtolower(ini_get('register_globals')) != 1) or (get_magic_quotes_gpc() != 1)) {
    die('<b>Fatal error</b><br />Register globals and magic quotes <i>must</i> be set to on in php.ini for this script to work.');
}

require_once('config.ssl-secure');
if ($config['debug']) $start_time = microtime();
require_once('lib/db.class.ssl-secure');
require_once('lib/user.class.ssl-secure');
require_once('lib/html.ssl-secure');
require_once('lib/recordset.class.ssl-secure');
require_once('lib/misc.ssl-secure');

// Start session-handling
// session_start();
// session_register('user_id');

// Timestamp var
// Note: The array is used in drugmarked to seed a random number generator
$timestamp = time();
$correct_timestamp_array = getdate(correct_timestamp($timestamp));

// Setup db-object
$db = new db($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['db']);

// Define user_groups
define('UC_GROUP_MEMBER', 1);
define('UC_GROUP_POLICE', 2);
define('UC_GROUP_MOD', 3);
define('UC_GROUP_ADMIN', 4);

// Call daily_update.ssl-secure if a new day is breaking.
$last_action_row =& $db->row_query("
    SELECT max(last_action) as last_action
    FROM users
");
$total_last_action_array = getdate(correct_timestamp($last_action_row['last_action']));
for ($i = $total_last_action_array['yday']; $i < $correct_timestamp_array['yday']; $i++) {
    // Includes the daily_update for as many days that has gone by since last action.
    include('lib/daily_update.ssl-secure');
}

// Login and logout
if ($do_login == 1) {
    $user_id = user::login($frm_username, $frm_password);
    if ($user_id > 0) {
        // Success
        // When ppl login, they see the news
        $p = 'news';
    } else {
        // Wrong username and password sent.
        redirect_page(highlight('Username or password was wrong, please try again.'), '?p=lost_pass');
        exit();
    }
} else if ($do_logout == 1) {
    user::logout();
    // Default page
    redirect_page('Thanks for visiting urbanconflict.net.<br />Come back soon!', 'index.php');
    exit();
}

// Setup user object if logged in.
if ($user_id > 0) {
    // set $user_id variable
    $user = new user($user_id);

    // check banned
    if ($user->fields['banned'] == 1) {
        user::logout();
        // banned message and logout and default page
        redirect_page('You have been BANNED from our site<br />Contact us via e-mail found on Game Rules!', '?p=tos');
        exit();
    }

    // carry on with the set update last_action arrays
    /* This is now moved to daily_update.php... Keep the code in case the var is used someplace else.
    $last_action_array = getdate(correct_timestamp($user->fields['last_action']));
    if (($last_action_array['mday'] != $correct_timestamp_array['mday']) or ($last_action_array['mon'] != $correct_timestamp_array['mon'])) {
        // It's a new day since last action, update what ever needs to be updated
        // TODO: Update energy... How?
        $db->query("
            UPDATE users
            SET battles_today=0, energy=max_energy
            WHERE user_id=$user_id
        ");
    }
    */

    // Update last action
    $db->query("UPDATE users SET last_action=$timestamp WHERE user_id=$user_id");

    // Add log entry
    $db->query("
        INSERT INTO logs (page, action, user_id, money, money_in_bank, loaned_money, timestamp)
        VALUES ('$p', '$action', {$user->fields['user_id']}, {$user->fields['money']}, {$user->fields['money_in_bank']}, {$user->fields['money_loaned']}, $timestamp)
    ");
    $user->fields['last_action'] = $timestamp;

    // Setup var depending on if user is in jail or not.
    $user_jailed = ($user->fields['days_left_in_jail'] > 0) ?
        TRUE : FALSE;
}

// Display the page
$guest_pages = array('index', 'register', 'activate', 'about', 'lost_pass', 'tos', 'user_list', 'help', 'GnuPGP-KEY');
$jailed_pages = array('index', 'news', 'profile', 'user_list', 'police_dept', 'apartment', 'help', 'GnuPGP-KEY');
if (isset($p)) {
    if (!preg_match('/[\w]+/', $p)) $p = $default_page;
    if (($user_id == 0) and !in_array($p, $guest_pages)) {
        redirect_page(highlight('You\'re not logged in.'), '?p='.$default_page);
        exit();
    }
    if (($user->fields['days_left_in_jail'] > 0) and !in_array($p, $jailed_pages)) {
        redirect_page(highlight('You\'re in jail, and cannot access this page!'), '?p=police_dept');
        exit();
    }
    if (!include('pages/'.$p.'.ssl-secure')) {
        die("<br /><br /><b>erm...contact us about this err0r above...if it is common then it will be sorted in 5 minutes if it hasn't been noticed please e-mail us - [EMAIL PROTECTED] -</b><br /><br />Thankyou...");
    }
} else {
    $default_page = 'index'; // SET DEFAULT PAGE, easy change here.
    // No page specified, call default
    include('pages/'.$default_page.'.ssl-secure');
}
?>

<<<---END-INDEX.PHP--->>>

<<<---PHP.INI-EXTRACTS--->>>

[PHP]
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = On

; This directive is deprecated. Use variables_order instead.
gpc_order = "GPC"

; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = On

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = On

[Session]
; Handler used to store/retrieve data.
session.save_handler = files
session.save_path = c:/temp

; Whether to use cookies.
session.use_cookies = 1

; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 0

; Name of the session (used as cookie name).
session.name = PHPSESSID

; Initialize session on request startup.
session.auto_start = 1

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 5000

; The path for which the cookie is valid.
session.cookie_path = c:/temp

; The domain for which the cookie is valid.
session.cookie_domain =

; Handler used to serialize data. php is the standard serializer of PHP.
session.serialize_handler = php

; Define the probability that the 'garbage collection' process is started
session.gc_probability = 1
session.gc_dividend = 100

; After this number of seconds, stored data will be seen as 'garbage'
session.gc_maxlifetime = 1440

session.bug_compat_42 = 1
session.bug_compat_warn = 1

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

; How many bytes to read from the file.
session.entropy_length = 0

; Specified here to create the session id.
session.entropy_file =

;session.entropy_length = 16

;session.entropy_file = /dev/urandom

; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
session.cache_limiter = public

; Document expires after n minutes.
session.cache_expire = 180

; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
;   to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
;   in publically accessible computer.
; - User may access your site with the same session ID
;   always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0

; End:

<<<---END-PHP.INI-EXTRACTS--->>>

Hopefully this info helps resolve the bug or misconfiguration.
In Apache I have used <directory c:/temp> to allow it to be accessed from the webserver, although my permissions to it may be incorrect. I have used AllowOverride ALL; hopefully that helps as well.

Please email me with support. If it cannot be fixed, or you require more info, email me and I would be happy to send you back more.

Also, if this issue isn't fixed anytime soon, please point me in another direction for logging on to an account stored in the MySQL db and keeping it logged in until log out is specified (other session handler alternatives and so on).

Thanx.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=23526&edit=1
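
The ordering named in the new comment (session_name() before session_start()), shown with a cookie path that is a URL path rather than a directory; this is an added example, not code from the bug report or from the PHP project. It assumes PHP 7.3 or later and session.auto_start = 0, and the cookie name UCSESSID and all function names are hypothetical.

```php
<?php
// Added example, not the reporter's code. Assumes PHP 7.3+ and
// session.auto_start = 0; "UCSESSID" and the function names are hypothetical.

function start_app_session(string $name = 'UCSESSID'): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        // With session.auto_start = 1 the session already exists under the
        // php.ini name, so session_name() below could no longer take effect.
        throw new RuntimeException('Session already active; set session.auto_start = 0');
    }
    ini_set('session.use_only_cookies', '1'); // never accept session IDs from URLs
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,     // until the browser is closed
        'path'     => '/',   // URL path, not a filesystem directory such as c:/temp
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_name($name);     // must come before session_start()
    session_start();
}

function login_user(int $user_id): void
{
    session_regenerate_id(true);     // fresh ID on login, old session file removed
    $_SESSION['user_id'] = $user_id; // replaces session_register('user_id')
}

function current_user_id(): int
{
    // Read only from the session, never from a request-supplied global.
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : 0;
}

function logout_user(): void
{
    $_SESSION = [];
    $c = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $c['path'], $c['domain'], $c['secure'], $c['httponly']);
    session_destroy();
}

start_app_session();
```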