[PHP] PHP Session Variables Not Being Set For Certain Browsers
Hello All,
I have been racking my head over a problem where a large percentage of users
are unable to log into my php site due to what seems to be a problem with
setting php session variables on certain end user browsers (certain versions
of AOL seem to be particularly problematic). Below are some snippets of code
that are used to do the authentication/ login.
Has anyone encountered the same problem and if so do you have a solution?
The only solution I can think of is to pass the session using PHPSESSION in
the URL however I would like to avoid this if at all possible as it involves
a major re-write of the code (as session variables are used elsewhere in the
session) and if I am not mistaken if a user accesses a non-php page then the
session is lost requiring them to log in again.
Currently the following code is used to check whether a user is logged in:
And in Login.php after doing a check on the username and password the
following session variables are set:
session_start();
session_register("authenticatedUser");
$HTTP_SESSION_VARS['authenticatedUser'] = $userId;
session_register("loginIpAddress");
$HTTP_SESSION_VARS['loginIpAddress'] = $_SERVER["REMOTE_ADDR"];
It is the setting of the above session variables in Login.php that appears
to be failing for some browsers resulting in users using these browsers
continually being redirected to the Login page when the above check to see
if they are logged in is done.
Any help that could be supplied would be greatly appreciated.
Thank you.
Regards,
Andy
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP Session Variables Not Being Set For Certain Browsers
-Original Message-
From: Andy Higgins [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 27, 2003 6:04 AM
To: [EMAIL PROTECTED]
Subject: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hello All,
I have been racking my head over a problem where a large percentage of users
are unable to log into my php site due to what seems to be a problem with
setting php session variables on certain end user browsers (certain versions
of AOL seem to be particularly problematic). Below are some snippets of code
that are used to do the authentication/ login.
Has anyone encountered the same problem and if so do you have a solution?
The only solution I can think of is to pass the session using PHPSESSION in
the URL however I would like to avoid this if at all possible as it involves
a major re-write of the code (as session variables are used elsewhere in the
session) and if I am not mistaken if a user accesses a non-php page then the
session is lost requiring them to log in again.
Currently the following code is used to check whether a user is logged in:
And in Login.php after doing a check on the username and password the
following session variables are set:
session_start();
session_register("authenticatedUser");
$HTTP_SESSION_VARS['authenticatedUser'] = $userId;
session_register("loginIpAddress");
$HTTP_SESSION_VARS['loginIpAddress'] = $_SERVER["REMOTE_ADDR"];
It is the setting of the above session variables in Login.php that appears
to be failing for some browsers resulting in users using these browsers
continually being redirected to the Login page when the above check to see
if they are logged in is done.
Any help that could be supplied would be greatly appreciated.
Thank you.
Regards,
Andy
-
Andy,
Not sure, but maybe AOL users on proxy and their ip address can change.
Andras Kende
http://www.kende.com
-
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hi Andras,
Yes, good point Thank you. It could be that the IP address of the user is
changing on each HTTP request that is made, which would explain the problem
(although that does seem quite odd). Can anyone confirm whether AOL (or any
other ISPs for that matter) change a user's IP address as seen by the web
server (for eample through a proxy) within the same session?
Assuming that the above is the problem, does any one know whether by
removing the check in the authentication to see whether the user is using
the same IP address as they logged in with comprises the security of the
login i.e. will it be possible for some one to hijack the login if this
check is not there? Or does anyone have any other suggesstions for doing
authentication?
Thank you.
Regards,
Andy
"Andras Kende" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> -Original Message-
> From: Andy Higgins [mailto:[EMAIL PROTECTED]
> Sent: Saturday, December 27, 2003 6:04 AM
> To: [EMAIL PROTECTED]
> Subject: [PHP] PHP Session Variables Not Being Set For Certain Browsers
>
> Hello All,
>
> I have been racking my head over a problem where a large percentage of
users
> are unable to log into my php site due to what seems to be a problem with
> setting php session variables on certain end user browsers (certain
versions
> of AOL seem to be particularly problematic). Below are some snippets of
code
> that are used to do the authentication/ login.
>
> Has anyone encountered the same problem and if so do you have a solution?
> The only solution I can think of is to pass the session using PHPSESSION
in
> the URL however I would like to avoid this if at all possible as it
involves
> a major re-write of the code (as session variables are used elsewhere in
the
> session) and if I am not mistaken if a user accesses a non-php page then
the
> session is lost requiring them to log in again.
>
> Currently the following code is used to check whether a user is logged in:
>
>
> $notAuthenticated = !isset($HTTP_SESSION_VARS['authenticatedUser']);
>
> $notLoginIp = isset($HTTP_SESSION_VARS['loginIpAddress']) &&
> ($HTTP_SESSION_VARS['loginIpAddress'] != $_SERVER["REMOTE_ADDR"]);
>
> if ($notAuthenticated || $notLoginIp) {
>
> if (!session_is_registered("targetURL"))
>session_register("targetURL");
>
> $HTTP_SESSION_VARS['targetURL'] = $_SERVER["REQUEST_URI"];
>
> header("Location: /smartbid/php/Login.php");
>
> }
>
> ?>
>
> And in Login.php after doing a check on the username and password the
> following session variables are set:
>
>session_start();
>
>session_register("authenticatedUser");
>$HTTP_SESSION_VARS['authenticatedUser'] = $userId;
>
>session_register("loginIpAddress");
>$HTTP_SESSION_VARS['loginIpAddress'] = $_SERVER["REMOTE_ADDR"];
>
> It is the setting of the above session variables in Login.php that appears
> to be failing for some browsers resulting in users using these browsers
> continually being redirected to the Login page when the above check to see
> if they are logged in is done.
>
> Any help that could be supplied would be greatly appreciated.
>
> Thank you.
>
> Regards,
> Andy
>
>
>
> -
>
> Andy,
>
> Not sure, but maybe AOL users on proxy and their ip address can
change.
>
> Andras Kende
> http://www.kende.com
>
> -
>
>
>
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
On Saturday 27 December 2003 07:03 am, Andy Higgins wrote: > Hello All, > > I have been racking my head over a problem where a large percentage of > users are unable to log into my php site due to what seems to be a problem > with setting php session variables on certain end user browsers (certain > versions of AOL seem to be particularly problematic). Below are some > snippets of code that are used to do the authentication/ login. > > Has anyone encountered the same problem and if so do you have a solution? > The only solution I can think of is to pass the session using PHPSESSION in > the URL however I would like to avoid this if at all possible as it > involves a major re-write of the code (as session variables are used > elsewhere in the session) and if I am not mistaken if a user accesses a > non-php page then the session is lost requiring them to log in again. > Im just putting the finishing touches to my code, that I had to rewrite for similar reasons as you. You're going to have to include the session id in the url for those users who do not allow cookies. Using this fact about the constant SID a) If the user's browser accepts cookies, SID will be empty "" b) If the user's browser does not accept cookies, SID will be "PHPSESSID=xxx" So what I did, was append the constant SID to all urls/forms and php header() (for redirection) functions that point to the site that is serving the content (dont append SID to urls going to other sites). So the final results will be a) If the user's browser accepts cookies, urls/forms/php header() will be normal b) If the user's browser does not accept cookies, the session id is appended to urls/forms/php header() OR you can take the easy way out, and turn on transparent ids with -> http://us2.php.net/manual/en/ install.configure.php#install.configure.enable-trans-sid -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hi Gerard, Thank you very much for the response. Please can you clarify the following: 1. At the time of login will the login code need to check if the clients browser accepts cookies and if not then append the SID as described? If so, do you perhaps have a sample piece of code that does this? 2. Am I correct in understanding that if the client has logged in (with no cookies enabled i.e. the SID needs to be passed) and the site contains other static pages (that cannot pass the SID) that if the client browses any of these static pages and then returns to a page that required the client to be logged that they will have to log in again? 3. For forms, where the SID need to be passed, do you pass this as a hidden form variable or do you do it on the URL? You help is greatly appreciated. Thanks again. Regards, Andy "Gerard Samuel" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > On Saturday 27 December 2003 07:03 am, Andy Higgins wrote: > > Hello All, > > > > I have been racking my head over a problem where a large percentage of > > users are unable to log into my php site due to what seems to be a problem > > with setting php session variables on certain end user browsers (certain > > versions of AOL seem to be particularly problematic). Below are some > > snippets of code that are used to do the authentication/ login. > > > > Has anyone encountered the same problem and if so do you have a solution? > > The only solution I can think of is to pass the session using PHPSESSION in > > the URL however I would like to avoid this if at all possible as it > > involves a major re-write of the code (as session variables are used > > elsewhere in the session) and if I am not mistaken if a user accesses a > > non-php page then the session is lost requiring them to log in again. > > > > Im just putting the finishing touches to my code, that I had to rewrite for > similar reasons as you. > You're going to have to include the session id in the url for those users who > do not allow cookies. > Using this fact about the constant SID > a) If the user's browser accepts cookies, SID will be empty "" > b) If the user's browser does not accept cookies, SID will be "PHPSESSID=xxx" > > So what I did, was append the constant SID to all urls/forms and php header() > (for redirection) functions that point to the site that is serving the > content (dont append SID to urls going to other sites). > > So the final results will be > a) If the user's browser accepts cookies, urls/forms/php header() will be > normal > b) If the user's browser does not accept cookies, the session id is appended > to urls/forms/php header() > > OR > > you can take the easy way out, and turn on transparent ids with -> > http://us2.php.net/manual/en/ > install.configure.php#install.configure.enable-trans-sid -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] PHP Session Variables Not Being Set For Certain Browsers
> -Original Message- > From: Andy Higgins [mailto:[EMAIL PROTECTED] > Can anyone confirm whether > AOL (or any > other ISPs for that matter) change a user's IP address as seen by the web > server (for eample through a proxy) within the same session? It's been pointed out and confirmed many, many times here. An IP is not useful for authentication in the general case (you may have a specific case on an intranet, but major players like AOL put everything through load balancing proxies that change from request to request). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hi Mark, Thank you for confirming that for me. I am new to the list and did do a search though past messages but did not find this point (obvioulsy I did not look hard enough). Thanks again. Regards, Andy "Mark Charette" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > > -Original Message- > > From: Andy Higgins [mailto:[EMAIL PROTECTED] > > Can anyone confirm whether > > AOL (or any > > other ISPs for that matter) change a user's IP address as seen by the web > > server (for eample through a proxy) within the same session? > > It's been pointed out and confirmed many, many times here. An IP is not > useful for authentication in the general case (you may have a specific case > on an intranet, but major players like AOL put everything through load > balancing proxies that change from request to request). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
On Saturday 27 December 2003 10:54 am, Andy Higgins wrote: > 1. At the time of login will the login code need to check if the clients > browser accepts cookies and if not then append the SID as described? If so, > do you perhaps have a sample piece of code that does this? No, php does this for you. Thats why I gave the explanation of the value of SID when browsers accept, or dont accept cookies. Sample code CLICK ME'; ?> If the browser does accept cookies, on the first page load, it will report "Cookie doesn't exist" because the cookie wont become available till the next page load. After the initial page load, it will report "Cookie Exists". If the browser does not accept cookies, it will always say "Cookie doesnt exists". > 2. Am I correct in understanding that if the client has logged in (with no > cookies enabled i.e. the SID needs to be passed) and the site contains > other static pages (that cannot pass the SID) that if the client browses > any of these static pages and then returns to a page that required the > client to be logged that they will have to log in again? Yes that is correct. The session id must stay in all urls within the site. If you are able to direct them to a static page, you should still be able to pass the SID in the url/form/iframe/etc they click. > 3. For forms, where the SID need to be passed, do you pass this as a hidden > form variable or do you do it on the URL? > I have it passing in the form's action attribute, so it stays in $_GET domain like regular links. echo ' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers
Hi Gerard,
Thank you for your assistance you have been of enormous help.
Regards,
Andy
"Gerard Samuel" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On Saturday 27 December 2003 10:54 am, Andy Higgins wrote:
>
> > 1. At the time of login will the login code need to check if the clients
> > browser accepts cookies and if not then append the SID as described? If
so,
> > do you perhaps have a sample piece of code that does this?
>
> No, php does this for you. Thats why I gave the explanation of the value
of
> SID when browsers accept, or dont accept cookies.
>
> Sample code
>
> session_start();
> if (SID === '')
> {
> echo 'Cookie Exists';
> }
> else
> {
> echo 'Cookie doesnt exist';
> }
>
> echo 'CLICK
ME';
>
> ?>
>
> If the browser does accept cookies, on the first page load, it will report
> "Cookie doesn't exist" because the cookie wont become available till the
next
> page load. After the initial page load, it will report "Cookie Exists".
> If the browser does not accept cookies, it will always say "Cookie doesnt
> exists".
>
> > 2. Am I correct in understanding that if the client has logged in (with
no
> > cookies enabled i.e. the SID needs to be passed) and the site contains
> > other static pages (that cannot pass the SID) that if the client browses
> > any of these static pages and then returns to a page that required the
> > client to be logged that they will have to log in again?
>
> Yes that is correct. The session id must stay in all urls within the
site.
> If you are able to direct them to a static page, you should still be able
to
> pass the SID in the url/form/iframe/etc they click.
>
> > 3. For forms, where the SID need to be passed, do you pass this as a
hidden
> > form variable or do you do it on the URL?
> >
>
> I have it passing in the form's action attribute, so it stays in $_GET
domain
> like regular links.
> echo '
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
