PHP Sessions Not Being Set, No Error

Question

I am trying to set sessions using PHP in my login script although it doesn't seem to be setting any sessions. I'm setting all sessions to be written to the path '/'. I am using AJAX to log in.

Start_secure_session function:

function start_secure_session() {
    $session_name = "CodeCluster";
    $http_only = true;
    $https = false;
    ini_set("session.use_only_cookies", 1);
    $cookie_parameters = session_get_cookie_params();
    session_set_cookie_params($cookie_parameters['lifetime'], "/", $cookie_parameters['domain'], $https, $http_only);
    session_name($session_name);
    session_start();
    session_regenerate_id(true);
}

Login Function :

function login($email, $password, $database) {

try {

    $query = $database -> prepare("SELECT id, email, password, salt, activated FROM members WHERE email = :email LIMIT 1");

    $query -> execute(

        array(
            "email" => $email
        )

    );

    $info = $query -> fetch();

    if(strlen($info[0]) > 0) {

        if(account_is_locked($info['id'], $database)) {

            echo "<response>Your account is locked, please try again in two hours!</response>";

            exit();

        } else {

            if($info['activated'] == 1) {

                $password = hash('sha512', $password.$info['salt']);

                if($password === $info['password']) {

                    $_SESSION['cc_id'] = $info['id'];

                    $_SESSION['cc_email'] = $info['email'];

                    $_SESSION['cc_login_string'] = hash('sha512', $password.$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);

                    $last_login = time();

                    $query = $database -> prepare("UPDATE members SET last_login = :last_login WHERE id = :id LIMIT 1");

                    $query -> execute(

                        array(
                            "last_login" => $last_login,
                            "id"              => $info['id']
                        )

                    );

                    return true;

                    exit();

                } else {

                    $query = $database -> prepare("INSERT INTO login_attempts(user_id, ip_address, attempt_time) VALUES (:id, :ip, :time)");

                    $query -> execute(

                        array(

                            "id" => $info['id'],
                            "ip" => $_SERVER['REMOTE_ADDR'],
                            "time" => time()

                        )

                    );

                    echo "<response>Email or password is incorrect! Please check your credentials!</response>";

                    exit();

                }

            } else {

                echo "<response>Please activate your account! You should have received an email with an activation link!</response>";

                exit();

            }

        }


    } else {

        echo "<response>Account with those details does not exist!</response>";

        exit();

    }

} catch(PDOException $e) {

    echo "<response>We could not log you in; A report of the error has been sent to tech support!</response>";

    mail("codecluster.official@gmail.com", "CodeCluster Login Error", "Login Error; Timestamp @ " . time() . " ; IP Address : " . $_SERVER['REMOTE_ADDR'] . " ;\r\n" . $e);

    exit();

}

}

is_user_logged_in function :

function is_user_logged_in($database) {

if(isset($_SESSION['cc_id'], $_SESSION['cc_email'], $_SESSION['cc_login_string'])) {

    try {

        foreach ($_SESSION as $session) {
            strip_tags($session);
        }

        $query = $database -> prepare("SELECT password FROM members WHERE id = :id AND email = :email LIMIT 1");

        $query -> execute(

            array(

                "id" => $_SESSION['cc_id'],
                "email" => $_SESSION['cc_email']

            )

        );

        if(strlen($query -> fetch()) > 0) {

            $password = $query -> fetch();

            $password = hash("sha512", $password.$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);

            if($password == $_SESSION['cc_login_string']) {

                return true;

            } else {

                return false;

            }


        } else {

            return false;

        }

    } catch(PDOException $e) {

        mail("codecluster.official@gmail.com", "Code-Cluster Error", "Error occured whilst checking users logged in status; Timestamp @ ". time() . " ; \r\n" . $e);

        return false;

        exit();

    }

} else {
    return false;

}

 }

When I do if(is_user_logged_in($database)) {header("Location: home.php"); exit();} it does not redirect me. I have tested and it seems that the script can't find the sessions which lead me to believe that they're null.

Is there any reason why this is acting like this?

EDIT: I just did a var_dump on $_SESSION on the index.php and it printed out : array(3) { ["cc_id"]=> string(1) "6" ["cc_email"]=> string(24) "toxiclogic@hotmail.co.uk" ["cc_login_string"]=> string(128) "This is redacted because it is a hashed password" }

EDIT: This is not being resolved by the 'Headers being sent' question.

Lack of displayed error messages does not mean there aren't any. Use `error_reporting`. And it's certainly [Headers already sent](http://stackoverflow.com/questions/8028957/headers-already-sent-by-php) again. — mario, Feb 20 '13 at 15:51
I call start_secure_session() on every web page. @mario I am using error_reporting(E_ALL); and it still shows no errors. — Liam Potter, Feb 20 '13 at 15:53
Use `set_error_handler("var_dump");` right prior the header and session_start calls. — mario, Feb 20 '13 at 15:56
No error, maybe check out [error_reporting](http://www.php.net/manual/en/errorfunc.configuration.php#89648) — Ron van der Heijden, Feb 20 '13 at 15:58

score 1 · Accepted Answer · answered Feb 20 '13 at 15:52

1

Do not output anything before using header() and session_start().

Check for whitespaces as well.

Encode your files into UTF-8 without BOM.

answered Feb 20 '13 at 15:52

sybear

7,837
1
22
38

Nothing is being outputted before calling session_start() or header() These are located at the top of the page before it loads. Encoding with UTF-8 without BOM did not help either. – Liam Potter Feb 20 '13 at 15:57
1

Try checking `if (!session_start()) exit ("Cannot start session");`. `session_id()` also must return true if all is ok with session. – sybear Feb 20 '13 at 15:59
The sessions for the user data are not being set but I can see the global session that has the name "CodeCluster" – Liam Potter Feb 20 '13 at 16:02
I just checked your code, you are kinda doing something strange. Function `login()` should receive parameters `$db, $email, $password` --> execute query, check for user in database. User exists: set `$_SESSION['user'] = array("id"=> 1, "name" => "Liam Potter")`. While function `is_logged_in()` should just check if the values in `$_SESSION['user']` are set. Just as an example. – sybear Feb 20 '13 at 16:09
I have updated the OP. When using var_dump on the $_SESSION array it displays: array(3) { ["cc_id"]=> string(1) "6" ["cc_email"]=> string(24) "toxiclogic@hotmail.co.uk" ["cc_login_string"]=> string(128) "REDACTED HASHED PASSWORD" } – Liam Potter Feb 20 '13 at 16:14
Grats, your session is working well. What is still not working? :> – sybear Feb 20 '13 at 16:17

score 0 · Answer 2 · answered Feb 20 '13 at 16:23

0

You have ANYTHING (other than PHP comments) on the page before you call session_start(). Move this outside of the function at the top of each page.

Also, make sure you encode your files UTF-8 without BOM. For more information on what a BOM is, see here.

answered Feb 20 '13 at 16:23

adamdehaven

5,890
10
61
84

PHP Sessions Not Being Set, No Error

2 Answers2