Issue with session cookies

Hi,

My website creates a session cookie when the user logs on, which is located on the root directory of the website.

As soon as the user clicks on a link that goes to a different folder, i.e. www.site.com\admin or something like that, the session is no longer recognized by the root site, i.e. www.site.com, and the user is no longer logged into the site.

The Session cookie is still there, and the only php code on www.site.com\admin\index.php is as follows

[php]<?php session_start(); ?>[/php]

which causes the session to break,

If this code is not on the www.site.com\admin\index.php page, the session is not broken.

If I move the index.php from the admin folder to the root directory, renamed as index1.php, the session does not break. If it is named index.php in the root directory, it still doesn't break the session.

The only change is the folder from root to admin which seems to break the session.

When the user logs in, the only variable that is set is $_SESSION['username']; no other variables are set in the session.

Hope that is clear enough for you to understand

Thanks in advance

Kyle.

session_start() has to be on each and every page that the user goes to, unless it’s a template or something like that. Generally speaking, you don’t want the same session to be used between the public and your staff unless you’re setting a session variable to give specific permissions based upon what’s in a db table.

Also, you were talking about cookies. What is your cookie-code?

For user-sessions, I usually just use the session variables and pass them from page to page.
On the login page, I set $_SESSION['userid']=user-id-pulled-from-database after validation.
Then, on EVERY other page, the first code checks for the session’s userid variable. If not set, it
redirects to a “not allowed here” page.

Using cookies is fine. But, you must make sure they expire correctly and you still have to check
them on every page to be secure. Here is a nice explanation of cookies:
http://www.w3schools.com/php/php_cookies.asp

One note, cookies are great if you are keeping notes on users, such as the last time they logged in without keeping this data in your database. BUT, some browsers do not work well with cookies. AND, users can clear their cookies. A large number of users now automatically destroy all cookies regularly. I would just use regular session variables and save whatever you are saving by cookies in the login database. Much easier and more secure.
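
The per-page check described in the replies above (set a session variable at login, test it first on every page, and grant permissions from a session variable filled from the database), as an added example that is not part of the original thread. The file name, function names, the `usertype` key, the `/not-allowed.php` page and HTTPS are assumptions; the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// auth_guard.php (hypothetical file name): include at the top of every protected
// page, e.g. in /admin/index.php:
//   require __DIR__ . '/../auth_guard.php'; require_login('admin');

// Start the session with identical cookie settings on every page, so that
// /index.php and /admin/index.php read the same session cookie.
function start_app_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie: discarded when the browser closes
        'path'     => '/',    // valid for the whole site, not a single folder
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called once by the login page after the password has been validated.
// $userId and $userType come from the database row, never from the request.
function login_user(int $userId, string $userType): void
{
    start_app_session();
    session_regenerate_id(true);         // issue a new session id after login
    $_SESSION['userid']   = $userId;
    $_SESSION['usertype'] = $userType;   // hypothetical key, e.g. 'user' or 'admin'
}

// First call on every protected page. Redirects unless a user is logged in
// and, when $requiredType is given, has that type in the server-side session.
function require_login(?string $requiredType = null): void
{
    start_app_session();
    $loggedIn = isset($_SESSION['userid']);
    $allowed  = $requiredType === null
        || (($_SESSION['usertype'] ?? '') === $requiredType);
    if (!$loggedIn || !$allowed) {
        header('Location: /not-allowed.php');   // hypothetical "not allowed here" page
        exit;
    }
}
```

Because the user type is held in the server-side session, the browser only stores the session id and cannot change the type.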

Awesome, thanks for your replies. I made a cookie instead of a session cookie to include the user type instead of reading it from the session cookie, which is destroyed when changing directories. Users with a normal user type cannot access that area, but admin users can.

Works ok I guess.

Thanks again

kyle.
