session variables & cookies

I wrote some PHP code, using session variables.
At first it wouldn’t work for me, it seemed like the session variables weren’t passed from one page to another.
I finally got it to work, as I changed my Internet Options - Privacy - Advanced to

  • allow cookies from first party
  • allow cookies from third party
  • always allow session cookies

Of course I cannot tell everybody who visits my site to first change this in their internet settings. Is there another way to deal with this?

Thanks a lot!

Put a note in your ToS or bottom of pages stating that your site uses cookies and session variables and they must be enabled for users to use your site to its maximum functionality.

But aren’t session variables saved on the server, so they don’t have anything to do with cookies?

I’m using this PHP code to check my login. I close my session because I’m using a header(location);
this redirects me to titel2.php.
There I use include('titelloginnaam.php').

checklogin.php:
[php]<?php
session_start();
include('config.php');
// username and password sent from form
$mygebruikersnaam = $_REQUEST['mygebruikersnaam'];
$mypassword = $_REQUEST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$mygebruikersnaam = stripslashes($mygebruikersnaam);
$mypassword = stripslashes($mypassword);
$mygebruikersnaam = mysql_real_escape_string($mygebruikersnaam);
$mypassword = mysql_real_escape_string($mypassword);
$sql = "SELECT * FROM $tbl_name WHERE gebruikersnaam='$mygebruikersnaam' and paswoord=SHA1('$mypassword')";
$result = mysql_query($sql);
// Mysql_num_row is counting table row
$count = mysql_num_rows($result);
// If result matched $mygebruikersnaam and $mypassword, table row must be 1 row
if ($count == 1) {
    $_SESSION['login'] = true;
    $_SESSION['gebruiker'] = $mygebruikersnaam;
    session_write_close();
    header("location:titel2.php");
}
else {
    echo "Verkeerde naam en/of paswoord!";
}
?>[/php]

titel2.php

[php]<?php
session_start();
?>

De Voetbalprono
De Voetbalprono &nbsp&nbsp editie 2012-13

<?php include("titelloginnaam.php"); ?>

&nbsp&nbsp&nbsp&nbsp&nbsp&nbsp &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp &nbsp&nbsp&nbsp&nbsp&nbsp&nbsp

[/php]

titelloginnaam.php

[php]<?php
// Note: titel2.php already calls session_start() before including this file.
session_start();
include('config.php');
$db_handle = mysql_connect($db_host, $username, $password);
$db_found = mysql_select_db($db_name, $db_handle);
if (!$db_found) {
    print "database not found";
    mysql_close($db_handle);
}
// Look up the participant that belongs to the logged-in user name
$query = "SELECT * FROM deelnemers WHERE gebruikersnaam='{$_SESSION['gebruiker']}'";
$data = mysql_query($query);
$info = mysql_fetch_array($data);
$naamdeelnemer = $info['naam'];
$voornaamdeelnemer = $info['voornaam'];
echo "Je bent ingelogd als ".$voornaamdeelnemer." ".$naamdeelnemer;
$_SESSION['naam'] = $naamdeelnemer;
$_SESSION['voornaam'] = $voornaamdeelnemer;
$_SESSION['email'] = $info['email'];
session_write_close();
?>[/php]

Now I’m at my parents’ computer. I could log in, but the session variables were lost going from one page to another.
If I check the “overrule automatic cookie handling” in the advanced options in the privacy tab of the internet options, it does the job…

???

(When using Firefox it works right away.)

Is there any possibility to solve this issue?

Thanks a lot!

$_SESSION variables are saved in a client, which is why you can still read them when the user changes page. They last until the user’s browsing session ends (closes browser).

No, session variables are stored SERVER-SIDE. They are held in a simple array on the server as all PHP arrays are.
There are no session variables saved inside a browser in any manner!

Let’s explain my comments further. PHP is SERVER-SIDE only. Nothing in PHP exists at all in any browser.
PHP is executed on the server before the browser knows it exists. Before the page is sent to the browser,
all PHP code is stripped from the page and the rest, including PHP outputs are sent to the browser. All of the
session info is saved SERVER-SIDE only. When a browser connects to a webpage, it is attached to the server
using a form of session info. Actually, the PHP server handles this and adds all of the info into the session array.
This session array contains many many items depending on the server’s set up. This includes IP address and
other such info.

You may manipulate session arrays and variables, save them, delete them, BUT only SERVER-SIDE. Once
the info is sent to the browser, all that is on it is HTML, Javascript and other CLIENT-SIDE programming tools.
You can prove this fact by VIEW-SOURCE any page and look for PHP code… There will be none. It is all on the
server. (One exception, you can print or echo PHP code into a HTML display to show code to people, but, this
is NOT PHP code, just plain text.)

Now, on to cookies… Cookies are CLIENT-SIDE only. They are not saved on a server, they are saved on the
local machine attached to the webpage. That is why they are not usually used for anything having to do with
security as they can be changed by any smart programmer. They are usually used to save a small note such
as what page the user was on last, the time they last logged in, something similar. They are small text files
and can contain encrypted text info. So, you could encrypt a user name and if it matches, allow them in with
no user name check. But, again, security issues with that.

Now, Panther, you have one small issue with your file titel2.php. Sessions should only be started once. You
start the session at the top of the page as you should. Then, inside your “include” you start it again. This can
cause the session to be altered and might be causing an issue. If not, you must show us how you are storing
your cookies as that is most likely where the errors are hiding.

Oh, also, you usually never close a session unless the user logs out. (Or times out from lack of use.)
If you keep closing sessions and reopening a new one, the server wastes a lot of time recapturing your IP
address and all of the other session values. Unless you are tracking the session IDs for some odd use of
security. Usually, you create one session using session_start; and use this again at the top of every page
that needs to access session variables and then close it out when the user logs out. You can set a time
limit on a session and have it close after that amount of time so they must log back in. Also, when a user
closes his/her browser, it drops the session.

Hope this “book” doesn’t mix you up further, but, it is most likely a cookie issue not session issue.
Also, it is very easy to check for cookies being enabled, but, not in PHP… PHP is SERVER-SIDE only and
does not see the browser at all. BUT, Javascript does. It can read the browser’s settings and alert the
user to turning on their cookies… (You actually can do it server-side with perl or cgi, but…)
Here is javascript sample for checking cookies…

function are_cookies_enabled()
{
	var cookieEnabled = (navigator.cookieEnabled) ? true : false;

	if (typeof navigator.cookieEnabled == "undefined" && !cookieEnabled)
	{ 
		document.cookie="testcookie";
		cookieEnabled = (document.cookie.indexOf("testcookie") != -1) ? true : false;
	}
	return (cookieEnabled);
}

You can call the above function using a Javascript “onload” command and check for the results.
Then, send an alert to the user telling them to turn on cookies…
One problem with this is it is Javascript. So, you might have to check to see if Javascript is turned on.
(Some companies do not allow Javascript…)

I never use cookies, I just store that data in a database and force users to log in each time. Much more
secure and never have to rebuild a cookie when the user deletes all theirs…

Hope this helps and wasn’t too long a note!

Just a quick note regarding ErnieAlex’s post. Though sessions are server-side, in order to keep the session active, a cookie is created client-side storing the session id.

RaythXC’s explanation of the session being lost on closing the browser, is actually due to the cookie being lost therefore losing the session id, meaning a new session has to be created.
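The relationship described in the two posts above, as an added example that is not part of the thread: the `$_SESSION` data stays on the server, and the browser only carries the session id cookie. The file name `sessionprobe.php` is hypothetical; the script sets the cookie attributes, stores a marker, redirects once, and reports whether the browser sent the cookie back.

```php
<?php
// Added example, not from the thread. Hypothetical file: sessionprobe.php.
// The $_SESSION data stays on the server; the browser only holds the session
// id cookie. If the browser refuses that cookie, every request gets a fresh,
// empty session, which is the symptom described in this thread.

// Cookie attributes must be set before session_start() (array form: PHP 7.3+).
session_set_cookie_params([
    'lifetime' => 0,                        // dropped when the browser closes
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'httponly' => true,                     // hidden from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1');   // never take the id from the URL
ini_set('session.use_strict_mode', '1');    // refuse ids the server did not issue
session_start();

if (($_GET['step'] ?? '1') !== '2') {
    // Request 1: store a marker server-side, then redirect like checklogin.php.
    $_SESSION['probe'] = bin2hex(random_bytes(8));
    session_write_close();
    header('Location: ' . basename(__FILE__) . '?step=2');
    exit;
}

// Request 2: did the browser send the session id cookie back?
$cookieReturned = isset($_COOKIE[session_name()]);
$markerPresent  = isset($_SESSION['probe']);

header('Content-Type: text/plain; charset=utf-8');
if ($cookieReturned && $markerPresent) {
    echo "Session cookie accepted; server-side data survived the redirect.\n";
} else {
    echo "Session cookie was not returned. Enable cookies for this site to log in.\n";
}
```

Because the check happens after a redirect, it works without JavaScript and tests the same round trip the login page relies on.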

That is true, but, that is not what he stated. He said all session variables are client-side.
They are not and since a new programmer is using session cookies and session variables,
I wanted to make sure he totally understands what he is doing. His code opens and closes the
session twice and then also opens a new session. (Which does not actually work.) So, that is
why I expounded on the details…

Also, if you close your browser, you WANT the session to be broken, otherwise it is insecure.

I say everyone in this discussion is somewhat correct!
