Hello there,

I've built a very small CMS that a user can install on a web server (Apache). It's about school pages. I am writing this piece of info because I have tested it enough and it has been and still is working fine for several users.

Yesterday, a friend tried to install the pages but the login system did not work.

The login system works like this (very brief description):
the user writes the username and password into a form
then it connects to the database and checks if the username and password exist.
If they exist, the system writes some info to the session and redirects to the login page.
The login page reads the info from the session (if that info exists) and prints out a welcome message.

It seems that nothing is written to the session and the page just refreshes.

Of course I have started the session at the very beginning of every page involved. Also, the folder where I keep the sessions is set to mode 777.

the system:
Apache/2.2.17 (Ubuntu)
MySQL: 5.1.54
PHP Version 5.3.5-1ubuntu7.2

I suspect that it is about a server setting. I do not know which.

Does anyone have any ideas? I will post some code if the description I've made is not enough.

Anyone?? A comment? Do you need more info? What kind of info?

Hi,

How is the login system written? Is it in OOP or procedural? If procedural, how does it check if the session exists? Does the application check if the session exists before setting a new one? Or if it does exist? How does the application validate whether a new one is needed?

If it is written in OOP, the session should be located in the constructor and not anywhere in the page..

Something like this..

class login{

    public function __construct(){

        session_start();

        ## validate the existence

        ## destroy if needed..

    }

    ## validate or check if the session does exist for specific user

    private function check_session(){

        ## validate session here
        return isset($_SESSION['username']);

    }

    ## destroy session

    private function destroy_session(){

        if(isset($_SESSION['username']) && (self::check_session() === true)){

            ## session definitely exists, you can destroy it here
            session_destroy();
            return true;

        }

        ## nothing to destroy
        return false;

    }

    ## create the login function and make the visibility as public, because that is the method accessible from the outside.
}

You can write another comparator in the constructor to make sure the user has not logged out yet, and if they have, then the method destroy_session() must prevail, by just calling it this way

    self::destroy_session(); 

OK, let's see the code.
I have a form that posts username and password to login.php

In login.php:

include '../just_paths.php';

session_save_path($absolute_path.'sessions');
session_start();

// Returns 0 on success, 1 on failure
function checkUserPass($username, $password)
{
   $username = str_replace("'","''",$username);
   $password1 = md5($password);


   // Verify that user is in database
   $q = "SELECT * FROM members WHERE login='$username' AND passwd='$password1'";
   $result = mysql_query($q);
   if(!$result || (mysql_numrows($result) < 1)){
     $flag=1; //Indicates username failure
   } 
   else
   {
   $flag=0;
   }    

   $q1 = "SELECT * FROM members WHERE login='$username' AND passwd='$password'";
   $result1 = mysql_query($q1);
   if(!$result1 || (mysql_numrows($result1) < 1)){
     $flagg=1; //Indicates username failure
   }  
   else
   {
   $flagg=0;
   }   


  if (($flag == 1) and ($flagg==1))
  {
  return 1;
  }

  if ($flag==0)
  {
  $password=$password1;
  }

   // Retrieve password from result
   if ($flag==0)
   {
   $member = mysql_fetch_array($result);
   }

   if ($flagg==0)
   {
   $member = mysql_fetch_array($result1);
   }

   // Validate that password is correct
   if($password == $member['passwd']){

            $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
            $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
            $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
            $_SESSION['SESS_CLASS'] = $member['class'];
            $_SESSION['SESS_FATHERSNAME'] = $member['fathersname'];
            $_SESSION['SESS_LOGIN'] = $member['login'];


      return 0; //Success! Username and password confirmed
   }
   else{
      return 1; //Indicates password failure
   }
}

    include '../config_db.php';

    //Sanitize the POST values
    $login = $_POST['login'];
    $password = $_POST['password'];


if (checkUserPass($login, $password) == 0)
{



            header("location: ../index.php");
            exit();
}
else 
{


            //Login failed
        header("location: login-failed.php");
        exit();
}

And in index.php:

include 'just_paths.php';

session_save_path($absolute_path.'sessions');
session_start();
...
if(isset($_SESSION['SESS_LAST_NAME']))

{ echo 'welcome....'; }
...

I want to say one more time that this code works fine on my system and on several others. On the specific system I mentioned, the index page (which contains the login form) seems to just refresh (no login-fail).

So can anyone tell me if there is a setting, maybe in php.ini or somewhere else, that should be on or 1 or something, and that stops the writing into sessions?

I remind you that the system of the user facing the problem is:
Apache/2.2.17 (Ubuntu)
MySQL: 5.1.54
PHP Version 5.3.5-1ubuntu7.2

Considering that the login system works fine on my Apache 2.4.2 and PHP 5.4.6 and also works fine on other systems (5-6 individuals who use the login system never complained), isn't it a safe assumption that the problem is about some setting?

I noticed that you have initialised password as an md5 encryption, and yet in the select query, you use just the password text ...

Unless your passwords in the database are not encrypted ....
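The login.php posted above builds its SQL by string concatenation and matches either an MD5 digest or the raw password text against `passwd`. The block below is an added example, not code from any poster: the same check with a bound parameter and `password_hash()`, upgrading legacy MD5 or plain-text rows on the next successful login. It assumes PHP 5.6 or later with pdo_sqlite and a `passwd` column wide enough for the new hash; the sample row is constructed.

```php
<?php
// Added example, not the thread's code. Assumes PHP >= 5.6 with pdo_sqlite.
// Table and column names follow the members table in the thread's login.php.

function checkUserPass(PDO $db, $login, $password)
{
    // Bound parameter: the submitted login never becomes part of the SQL text.
    $st = $db->prepare('SELECT * FROM members WHERE login = :login');
    $st->execute(array(':login' => $login));
    $member = $st->fetch(PDO::FETCH_ASSOC);
    if ($member === false) {
        return null;                                   // unknown login
    }
    $stored = $member['passwd'];
    $info   = password_get_info($stored);
    $isHash = !empty($info['algo']);                   // already password_hash() output
    $isMd5  = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);

    if ($isHash) {
        $ok = password_verify($password, $stored);
    } elseif ($isMd5) {
        $ok = hash_equals($stored, md5($password));    // legacy MD5 row
    } else {
        $ok = hash_equals($stored, $password);         // legacy plain-text row
    }
    if (!$ok) {
        return null;                                   // wrong password
    }
    if (!$isHash || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // Replace the stored value on a successful login (column must hold 255 chars).
        $up = $db->prepare('UPDATE members SET passwd = :h WHERE member_id = :id');
        $up->execute(array(':h'  => password_hash($password, PASSWORD_DEFAULT),
                           ':id' => $member['member_id']));
    }
    return $member;
}

// Constructed sample data: one legacy MD5 row in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT, passwd TEXT)');
$db->prepare('INSERT INTO members (login, passwd) VALUES (?, ?)')
   ->execute(array('anna', md5('constructed-pass')));

var_dump(checkUserPass($db, 'anna', md5('constructed-pass')) === null); // digest is not a password
var_dump(checkUserPass($db, 'anna', 'constructed-pass') !== null);      // MD5 row accepted, then upgraded
var_dump(checkUserPass($db, 'anna', 'constructed-pass') !== null);      // now checked by password_verify()
```

On success the caller would call `session_regenerate_id(true)` before filling the `$_SESSION` keys used in the thread.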

You did not notice very carefully. It takes both. I've told you that this is not the matter. The code works fine. The problem concerns the sessions. When I try to pass values into the session (e.g. $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];) somehow it does not work. Is there any setting that I should turn on in some configuration file on the server? It finds the user in the database, but when it tries to read the session it finds it empty... Someone.....


I've just skimmed through this so I apologize if this is not relevant or repeated.

But I noticed an issue with sessions when I was on a lower version of PHP on the same machine (I was using MAMP).

As soon as I switched to a higher version, no problems.

include 'just_paths.php';
session_save_path($absolute_path.'sessions');
session_start();
...
if(isset($_SESSION['SESS_LAST_NAME']))
{ echo 'welcome....'; }
...

Why don't you put

session_start();

in the very first line?
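For the question the thread keeps returning to (what on one server stops session data from being written), the block below is an added diagnostic, not code from any poster. It assumes the thread's layout (`just_paths.php` defines `$absolute_path`, session files live in `$absolute_path.'sessions'`) and the default `files` session handler; the temp-directory fallback is only there so the script also runs on its own.

```php
<?php
// Added example, not code from the thread. Put it next to index.php and request
// it on the affected server. Assumes session.save_handler = files.
error_reporting(E_ALL);
ini_set('display_errors', '1');           // show warnings the server may be hiding

ob_start();                               // capture anything the include prints
if (is_file(__DIR__ . '/just_paths.php')) {
    include __DIR__ . '/just_paths.php';
} else {
    $absolute_path = sys_get_temp_dir() . '/';   // stand-alone fallback (assumption)
}
$stray = ob_get_clean();

function checkSessionSetup($dir, $stray)
{
    $findings = array();
    if ($stray !== '') {
        // Output before session_start() stops the session cookie when buffering is off.
        $findings[] = 'just_paths.php prints ' . strlen($stray) . ' byte(s) before session_start()';
    }
    if (!ini_get('session.use_cookies')) {
        $findings[] = 'session.use_cookies is off, so no session cookie is sent';
    }
    if (!is_dir($dir)) {
        $findings[] = "save path does not exist: $dir";
        return $findings;
    }
    if (fileperms($dir) & 0007) {
        $findings[] = 'save path is open to every local account; 0700 owned by the web server user is enough';
    }
    if (!is_writable($dir)) {
        $findings[] = "save path is not writable by the PHP user: $dir";
        return $findings;
    }
    // Round trip: store a value, close the session, confirm the file has content.
    session_save_path($dir);
    session_start();
    $_SESSION['probe'] = 'ok';
    $file = $dir . '/sess_' . session_id();
    session_write_close();
    clearstatcache();
    if (!is_file($file) || filesize($file) === 0) {
        $findings[] = "session data was not written to $file";
    }
    return $findings;
}

$findings = checkSessionSetup($absolute_path . 'sessions', $stray);
header('Content-Type: text/plain');
echo $findings ? implode("\n", $findings) . "\n" : "no problems found\n";
```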
