header("location: with session_register() & sessio

Anonymous

Guest
The server I'm on has session.auto_start turned off. It's php version 4.3.11.

I'm writing a login routine. From what I read at php.net, it seems like you shouldn't use session_register() with session_start(). I'm stumped. If I use session_register(), this works fine (the header location redirects perfectly):

Code:
		session_start(); // nearly at the top of the script
		....

		if ($dataValid)
		{
			session_register("SESSION");
			session_register('adminUsername');
			session_register('adminClass');

			header("location: adminTaskSelect.php");
			exit;
		}

		....

But if I remove the session_register and simply define the session variables, the script fails. I don't get any warnings or error messages, I just get shown the same login page again (the header: location doesn't work even though the login was correct). This fails:
Code:
		session_start(); // nearly at the top of the script
		....

		if ($dataValid)
		{

			$_SESSION['adminUsername'] = $_POST['username'];
			$_SESSION['adminClass'] = $adminClass;

			header("location: adminTaskSelect.php");
			exit;
		}

		....

Can anyone tell me what I'm doing wrong?

Is it bad to use session_start() and session_register() together?

-------

Here's one other oddity with the script. Nowhere in the script does it say "login.php" but if my file loginPP4.php fails (like the second example), the script will sometimes redirect to login.php, not to the original script loginPP4.php. The form on the page says:
Code:
<form name="loginForm" method="post" action="<?=$_SERVER['PHP_SELF'] ?>" id="loginForm">
When I look at the code, loginPP4.php's form has the correct action:
Code:
<form name="loginForm" method="post" action="/scripts/loginPP4.php" id="loginForm">

Why does it return to the wrong page?
 
Hmmz... check that you use the $_SESSION variable when checking if a user is logged in (it seems to me that you are checking for a session-registered variable instead and are therefore sent to the login page).
After starting a session with session_start(), put this in for security reasons: session_regenerate_id()
 
Hi, Alexei,

Thanks for the really quick response. Actually, I've not even gotten off the login page. So I'm not checking to see if I'm logged in.

What I'm doing below is making sure my data gets carried over to the next page.
Code:
          session_register("SESSION");
          session_register('adminUsername');
          session_register('adminClass');

          header("location: adminTaskSelect.php");


I added the following to the first message above while you were responding to it. This may give us a clue as to what's going on:
-----------
Here's one other oddity with the script. Nowhere in the script does it say "login.php" but if my file loginPP4.php fails (like the second example), the script will sometimes redirect to login.php, not to the original script loginPP4.php. The form on the page says:
Code:
<form name="loginForm" method="post" action="<?=$_SERVER['PHP_SELF'] ?>" id="loginForm">


When I look at the code, loginPP4.php's form has the correct action:
Code:
<form name="loginForm" method="post" action="/scripts/loginPP4.php" id="loginForm">
Why does it return to the wrong page?
 
Oops. I think I now see what you meant.

Yes, on the second page, there is a test for a current session.
Code:
if (!session_is_registered("SESSION"))

I'll try changing that.

Thanks, again.
 
Great! I've got one of the test scripts working now. I'll play with it more and let you know if I can't fix the main one.

Thanks a million, Alexei!
 
unless you are using a really old php version...
use

Code:
<?php
$_SESSION['variablename'] = 'some value';

// and then use

if (isset($_SESSION['variablename']) && $_SESSION['variablename']=='some value') {
   // do something
}
?>
 
Ruturajv, what is the reasoning behind using both isset and =='some value'?

Code:
if (isset($_SESSION['variablename']) && $_SESSION['variablename']=='some value')
 
Well... sometimes to log out you may want to set it to false first, and then session destroy. However, think of the problem when there may be some error and it didn't get destroyed ;)

a small precaution :) nothing more
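
The advice in the replies above, put together as an added example (not code from any poster in this thread): write login state to $_SESSION, regenerate the session id at login, and have the second page test the $_SESSION keys instead of session_is_registered(). The function names, checkCredentials() and the sample account are assumptions made for illustration.

```php
<?php
// Added example, not the poster's script. checkCredentials() is a hypothetical
// stand-in for whatever sets $dataValid and $adminClass in the thread's code.
session_start(); // before any output, on every page that uses the session

function checkCredentials($username, $password)
{
    // Constructed sample account; a real script checks its own user store.
    if ($username === 'demo' && $password === 'constructed-password') {
        return 'superadmin'; // constructed adminClass value
    }
    return false;
}

function loginUser($username, $adminClass)
{
    // Issue a fresh session id at login (available on PHP 4.3.2 and later).
    // On PHP 5.1+ pass true to also delete the old session's data.
    session_regenerate_id();
    $_SESSION['adminUsername'] = $username;
    $_SESSION['adminClass'] = $adminClass;
}

function isLoggedIn()
{
    // Use instead of session_is_registered("SESSION"): test the keys that
    // loginUser() wrote. isset() covers a missing key; the string checks cover
    // a key set to false or blanked on logout but never destroyed.
    return isset($_SESSION['adminUsername'], $_SESSION['adminClass'])
        && is_string($_SESSION['adminUsername']) && $_SESSION['adminUsername'] !== '';
}

function logoutUser()
{
    $_SESSION = array(); // clear the values first
    session_destroy();   // then remove the stored session
}

// Login page (loginPP4.php in the thread)
if (isset($_POST['username'], $_POST['password'])) {
    $adminClass = checkCredentials($_POST['username'], $_POST['password']);
    if ($adminClass !== false) {
        loginUser($_POST['username'], $adminClass);
        header('Location: adminTaskSelect.php');
        exit;
    }
}
// Top of adminTaskSelect.php, after session_start():
// if (!isLoggedIn()) { header('Location: loginPP4.php'); exit; }
```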
 