ID:               29419
 Updated by:       php-bugs@lists.php.net
 Reported By:      roberto_stivanello at libero dot it
-Status:           Feedback
+Status:           No Feedback
 Bug Type:         Session related
 Operating System: *
 PHP Version:      4.3.9
 New Comment:

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".


Previous Comments:
------------------------------------------------------------------------

[2005-01-08 13:55:23] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip



------------------------------------------------------------------------

[2004-12-20 22:27:21] roberto_stivanello at libero dot it

Member details previously missing:

===========authentication.php
<?php # Script 12.13 - authentication.php
// This page handles the authentication for the admin pages.

// require_once ('mysql_connect_auth.php'); // Connect to the database.
// Suppressed as from PHP Bugs request

function getAdminUser()
{
 return 'adminuserid';
} // end function

function getAdminPsw()
{
 return 'adminpassword';
} // end function

function checkAdminIdPsw($iadmin,$ipsw)
{
    if ( ($iadmin == (getAdminUser()) ) AND ($ipsw == (getAdminPsw()) ) ) { // If the correct values were entered...
        return 0;
    } else {
        return 1;
    }   
} // end function
?>
<?php # Script 12.10 - authentication.inc
// Session handling added for administrator too as HTTP authentication
// allowed only with php4 on Apache
// Start output buffering and initialize a session
ob_start();
session_start();
?>
<?php # Script 12.11 - authentication.inc
$authorized = FALSE;  // Initialize a variable.

// Check for authentication submission.
// Begin authentication code - server independent       

if ( (isset($_SESSION['usera']))  ) {
      if ( getAdminUser() == $_SESSION['usera'] ) {
                $authorized = TRUE;
        }       
} 

// If they haven't been authorized, create the pop-up window.
  
if ((!$authorized) AND (!$fromlogin)) {
      // show Administrator login page
      ob_end_clean();  // Delete the buffer

      header("Location: http://" . $_SERVER['HTTP_HOST'] . "/administratordirectory/index.php");
      exit();

}
?>




=========================index.php=================

<?php # Script 12.01 - index.php (site administration)

// Initial page for Administrator                 

// Include config file for error handling                        
require_once ('../includes/config.inc');

//requires authentication  
$fromlogin = TRUE;
require_once ('../authentication.php');

$reldir ='/';                        // relative position with respect to
                                     // the current page: '/' or '../'
// Include header
$bodyid = 'bodyadmin';
$idprimarymenu = 'menu';
$titolo_pagina_h2 = 'Home';

// Administrator header                  
include_once ('../includes/admin_header.inc');
// Page body
?>
<!-- href deliberately anonymous -->
<H2 id=essentials><A href="/" rel=bookmark>Login
Amministratore</A></H2> 

<?php 
echo "<h3>Sessione = " . session_id() . "</h3>";
if (isset($_POST['submit'])) { // Check if the form has been submitted.

      // Create a function for escaping the data
      
/* function escape_data ($data) {
          global $dbc; // Need the connection
          if (ini_get('magic_quotes_gpc')) {
             $data = stripslashes($data);
          }
          return mysql_real_escape_string
          ($data, $dbc);
      } // End of function.
*/
        if (empty($_POST['username'])) { // Validate the username.
                $u = FALSE;
                echo '<p><font color="red" size="+1">Administrator name missing!</font></p>';
        } else {
                $u = escape_data($_POST['username']);
        }
        
        if (empty($_POST['password'])) { // Validate the password.
                $p = FALSE;
                echo '<p><font color="red" size="+1">Administrator password missing!</font></p>';
        } else {
                $p = escape_data($_POST['password']);
        }
        
        if ($u && $p) { // If everything's OK.
        
              $rc = checkAdminIdPsw($_POST['username'],$_POST['password']);
              if ( 0 == $rc ) { // If the correct values were entered...
                                
                                // Start the session, register the values & redirect.
                                $_SESSION['usera'] = $_POST['username'];
                                // $_SESSION['pswa'] = $_POST['password'];
                        echo '<p><font color="green" size="+1">You are logged in as administrator.</font></p>';
                                
                } else { // No match was made.
                        echo '<p><font color="red" size="+1">Wrong user and password.</font></p>'; 
                }
                
        } else { // If everything wasn't OK.
                echo '<p><font color="red" size="+1">Please try again!</font></p>';
        }
        
} // End of SUBMIT conditional.
?>

<!-- <h1>Login</h1> -->
<p>Il tuo browser deve consentire i cookies per il "login".</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<fieldset>
<p><b>Nome Utente:</b> <input type="text" name="username" size="10"
maxlength="20" value="<?php if (isset($_POST['username'])) echo
$_POST['username']; ?>" /></p>
<p><b>Password:</b> <input type="password" name="password" size="20"
maxlength="20" /></p>
<div align="center"><input type="submit" name="submit" value="Login"
/></div>
</form><!-- End of Form -->

</DIV>
<?php // include page footer
require_once ('../includes/admin_footer.inc');
?>



====================admin_footer.inc=================
<DIV id=footer>
 
</DIV></DIV></BODY></HTML>


<?php # Script - end of session
// Added session handling for ADMIN too, since HTTP authentication
// is allowed only with PHP4 on Apache
ob_end_flush();
?>

======================admin_header.inc =================


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<HTML xmlns="http://www.w3.org/1999/xhtml">
<HEAD><TITLE>Il Portico</TITLE>

<META http-equiv=Content-Type content="text/html; charset=ISO-8859-1">
<META http-equiv=Content-Language content=en-us>
<META content=all name=robots>
<META http-equiv=imagetoolbar content=false>
<META content="Roberto Stivanello." name=author>
<META content="Copyright (c) 2004-2005 Roberto Stivanello"
name=Copyright>
<META 
content="Il Portico Onlus: specializzata in pietre scartate dai
costruttori che divengono testate d'angolo." 
name=description>
<META 
content="onlus, umanitari, diversabili, emarginazione, handicap,
associazioni" 
name=keywords>
</HEAD>
<BODY id=mybody >
<DIV id=headwrap>
<H1 id=nufront>Il Portico (onlus)</H1></DIV>
<UL id=menu>
  <LI id=chisiamomenu><A title="Ci presentiamo" href="/chisiamo/">chi 
  siamo</A></LI>
</UL>
<DIV id=wrapper>
<DIV id=bravefourhundred> 

===================config.inc====================
<?php # Script 12.3 - config.inc

// This script sets the error reporting and logging for the site.

//error_reporting (0); // Production level
error_reporting (E_ALL); // Development level

// Use my own error handling function.
function my_error_handler ($e_number, $e_message) {

        $message = 'Error in: ' . __FILE__ . ' line # ' . __LINE__ . ": $e_message";
        //error_log ($message, 1, '[EMAIL PROTECTED]'); // Production (send email)
        echo '<font color="red" size="+1">', $message, '</font>'; // Development (print the error in red)
}
set_error_handler('my_error_handler');
?>

------------------------------------------------------------------------

[2004-07-28 06:42:45] roberto_stivanello at libero dot it

Description:
------------
Same problem as previous notified bugs, currently marked "closed".

Error arises in production (webserver is ISP owned).

No problem during test on "localhost" on my machine: software works
properly under ISS/WinXP.

Therefore I guess I cannot try last CVS solution: if you think it is
available, tell me, and I'll endorse your advice to my ISP.

Do you think I should have appended this report to any of the previous
ones instead of opening a new one? To which one, in your opinion? (If
so, pardon me).

Thanks.



Reproduce code:
---------------
<?php # Script 12.13 - logoutadm.php
require_once ('../includes/config.inc');       // Include the configuration file for error management and such.
require_once ('../authentication.php');        // connects to mysql + defines functions + ob_start() + session_start()
include_once ('../includes/admin_header.inc'); // administrator page header
?>
<H2 id=essentials><A href="/" rel=bookmark>Logout</A></H2>
<?php
if (!isset($_SESSION['usera'])) {
        ob_end_clean(); // Delete the buffer.
        header ("Location:  http://" . $_SERVER['HTTP_HOST'] . "xxxxx.php");
      exit(); // Quit the script.
} else { // Logout the user.
      echo "<h3>Session = " . session_id() . "</h3>"; // for test purpose
        $_SESSION = array(); // Destroy the variables.
        session_destroy(); // Destroy the session itself.
      setcookie (session_name(), '', time()-300, '/', '', 0); // Destroy the cookie.
}
echo "<h3>Logout successful! </h3>"; // Print a customized message.
?>
<?php // Include the HTML footer.
include ('../includes/admin_footer.inc');
?>


Expected result:
----------------
As in test: user logged out, with no error displayed.

Actual result:
--------------
"session object destruction failed" error returned and displayed by
error handler routine.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=29419&edit=1
