PHP Session Problem

Judahnator

I am going to apologize in advance for the length of this post; I couldn't figure out how to do the spoilers. However, if I figure out how, I will edit the post and insert them.

I need to carry session information through a few pages, but I keep running into problems.

Here is what I am doing. I have this at the top of my users' "login" page.

<?php
session_id();
session_start();
?>

Now here is the login form information:

<form action="login_form.php" method="post">
<?php
	if(isset($_COOKIE["TTGlogin"])){
		if($_COOKIE["TTGlogin"] == "username_fail"){
			echo "User not found, please try again";
			echo "<br><br>";
		}elseif($_COOKIE["TTGlogin"] == "password_fail"){
			echo "Incorrect password, please try again";
			echo "<br><br>";
		}elseif($_COOKIE["TTGlogin"] == "bad_session"){
			echo "There was something wrong with your session";
			echo "<br><br>";
		}elseif($_COOKIE["TTGlogin"] == "timed_out"){
			echo "Your session timed out, please log in again";
			echo "<br><br>";
		}
	}else{
		// No status cookie set: show the default prompt.
		echo "Please enter your information below:";
		echo "<br><br>";
	}
	setcookie("TTGlogin", "", time()-3600);
?>
Username: <br>
<input type="text" name="username"><br>
Password: <br>
<input type="password" name="password"><br>
<input type="submit">
</form>

They enter their info on the login page, and hit submit. They hit the authentication page, and here is some code from that:

<?php
$username = $_POST['username'];
$password = $_POST['password'];
$TIME = time();
$sha = hash('sha256', $password);

$con = mysqli_connect("");
$result = mysqli_query($con, "SELECT * FROM Persons WHERE username='"
	.mysqli_real_escape_string($con, $username)."' ");
/* fetch associative array */
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);

if($row["username"] != $username){
	setcookie("TTGlogin", "username_fail", time()+10);
	header('Location: login.php');
}elseif($row["password"] != $sha){
	setcookie("TTGlogin", "password_fail", time()+10);
	header('Location: login.php');
}else{
	if($row["password"] == $sha){
		// Redirect to user profile page after successful login.
		mysqli_query($con, "UPDATE Persons SET TimeStamp='"
			.mysqli_real_escape_string($con, $TIME)."' WHERE username='"
			.mysqli_real_escape_string($con, $username)."'");
		$_SESSION['time'] = $TIME;
		$_SESSION['username'] = $username;
		header("Location: user_profile.php?PHPSESSID=".session_id());
		exit();
	}
}
/* close connection */
mysqli_close($con);
?>

After that, they hit the profile page. This is the code that checks if the user is logged in:

<?php
	session_id($_COOKIE["PHPSESID"]);
	session_start();
	if (!isset($_SESSION['username'])){
		setcookie("TTGlogin", "bad_session", time()+10);
		header('Location: login.php');
	}
?>

My problem is I ALWAYS get the "bad_session" cookie. I don't know what I'm doing wrong, but whatever it is, it is driving me nuts. I tried doing a completely cookie-based login system, but I saw some major security flaws in that so I switched to Sessions. I'm having a hard time figuring this out though. Anyone know what I'm doing wrong?

Also, I have tested sessions on other more-basic pages. Everything seems to work fine. I just keep running into this problem here.

~Judah

Link to comment

I thought there was a difference between a cookie and a PHP session variable, could this be the cause?

Link to comment

From my mobile I'm having a hard time checking your code, but
1. using sessions, you should never have to use cookies
2. you should never have to get or set the session id

edit:

Alright, I have a laptop now, here, more comments:

3. You use the TTGlogin cookie to pass information from the login processing page back to the login form. For that purpose, you should pass the data via the URL (GET method) just like you pass the PHPSESSID on successful login.

4. On successful login, you call exit() but it's not the best idea: it's not elegant and it prevents the script from closing the connection to the database.

5. On the script that checks if the user is logged in, you access the "PHPSESID" cookie, but it should be written "PHPSESSID".

6. That PHPSESSID cookie shouldn't be accessed anyway, you don't need to call the session_id() function, the session_start() is enough.

Link to comment

I know, but on the "user_profile" page it does not recognize the session as set, so it redirects back to the login page. That is why I tried to manually set it using cookies.

~Judah

Link to comment

It's been a few months since I last tinkered around with PHP, so I'm not really sure what's wrong with your code from just looking at it, but I did a login system for a website I designed last year, and I had a quick look at that to see how I did it, and noticed something: I have the session_start() command in a conditional command:

if (strlen(session_id()) < 1){
    session_start();
}

It's probably not the most elegant way to do it, but I found it necessary because otherwise every time the page environment would be bootstrapped, a new session was started, so my page doesn't work without that.

Not sure if this solves your problem, but it's just something that stuck out to me a bit when comparing your code to mine.

Link to comment

I edited my post, try giving it a read.

Anyway, I tried your code and it works. Are you sure you call session_start() in the authentication page? I only had to add that.

(I removed the PHPSESSID part.)

Link to comment
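
An added example (not code from any poster in this thread) of the session handling the replies point toward: call session_start() on every page, including the authentication page, and let PHP manage the session ID instead of reading it from a cookie or passing it in the URL. It assumes PHP 7.3 or later; the function names and the $users array standing in for the Persons table are hypothetical, and it goes beyond the thread by regenerating the ID at login and using password_hash() instead of an unsalted SHA-256.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+.
// $users is a constructed stand-in for the Persons table (username => hash).
$users = ['judah' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started during this request
    }
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // ignore PHPSESSID in the URL (the default)
    session_set_cookie_params([
        'httponly' => true,                    // not readable from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start(); // PHP reads and writes the ID cookie itself
}

function attempt_login(array $users, string $username, string $password): bool
{
    start_session(); // the call the authentication page was missing
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true); // fresh ID once the user is authenticated
    $_SESSION['username'] = $username;
    $_SESSION['time'] = time();
    return true;
}

function current_user(): ?string
{
    start_session();
    return $_SESSION['username'] ?? null;
}

// login_form.php: one generic error code, passed in the URL, so the
// response does not reveal whether the username or the password was wrong.
// user_profile.php would call current_user() and, when it returns null,
// send the same kind of redirect to login.php and stop.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = attempt_login($users, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    header('Location: ' . ($ok ? 'user_profile.php' : 'login.php?error=login_failed'));
    exit; // nothing after the redirect should be sent
}
```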