
I have created a session name (`$_SESSION['valid'] = "yes";`) to be reflected in all pages. It's working in some pages but not in others, especially in pwdchange.php, and I don't know why. Can someone look at my code and let me know where the error is, and guide me through it? Also, session files aren't created in the /tmp directory.

My code

First page: ifstatment.php

```html
<html>
<body>
<h1>Welcome To Internet HotSpot</h1>

<form action="auth.php" method="post">
Username: <br><input type="text" name="username"></br>
Password: <br><input type="password" name="password"></br>

<div id="main">
<div class="floatdiv">

<input type="submit" name = 'submit' value= 'Login'>
</form>
</div>

<div class="floatdiv">

<form method="POST" action="adminlogin1.php">
<button type="submit">admin login</button>
</form>
</div>
</div>

<style type="text/css">
#main
{
    position:relative;
    width:200px;
}
.floatdiv
{
    float:left;
    width=80px
}
</style>

</body>
</html>
```

Second page

Auth.php

```php
<? ob_start(); ?>
<?php

session_start();

//connecting to database
$db = mysql_connect("localhost","sqldata","sqldata") or die(mysql_error());

//selecting our database
$db_select = mysql_select_db("accounts", $db) or die(mysql_error());

ini_set('session.bug_compat_42',0);
ini_set('session.bug_compat_warn',0);

//Retrieving data from html form
if(empty($_POST["username"]))
{
    echo "Error you must enter username and password</br>";
}

$username = $_POST['username'];
$password = $_POST['password'];

$_SESSION['username']= $_POST['username'];

//for mysql injection (security reasons)
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

//checking if such data exist in our database and display result
$result= mysql_query("select * from uptable where username = '$username' ");
$row = mysql_fetch_array( $result );
$storedPassword = $row['password'];

$hash= crypt($password,$storedPassword)===$storedPassword;

if ($hash)
{
    $_SESSION['valid'] = "yes";
    $_SESSION['logged_in'] = true;

    header("Location: check.php");

    $ip = $_SERVER['REMOTE_ADDR'];
    exec("/usr/bin/sudo -u apache sudo  /sbin/iptables  -I INPUT -s $ip -j ACCEPT");

    exit;
}
else
{
    if ($_SESSION['valid'] != "yes")
    {
        $ip = $_SERVER['REMOTE_ADDR'];
        exec("/usr/bin/sudo -u apache sudo  /sbin/iptables  -D INPUT -s $ip -j ACCEPT");

        session_destroy();
        session_unset();

        header("location:ifstatment.php");

        exit();
    }
}

?>
<? ob_flush(); ?>
```

Check.php

```php
<? ob_start(); ?>

<html>
<body>
<?php

error_reporting(E_ALL);

session_start();

$username= $_SESSION['username'];
print_r($valid= $_SESSION['valid']);

include('search.php');

if ($_SESSION['valid'] != "yes")
{
    $ip = $_SERVER['REMOTE_ADDR'];
    exec("/usr/bin/sudo -u apache sudo  /sbin/iptables  -D INPUT -s $ip -j ACCEPT");

    session_destroy();
    session_unset();

    header("location:ifstatment.php");

    exit();
}

$page = $_SERVER['PHP_SELF'];
$sec = 10;
header("Refresh: $sec; url=$page");

$ip = $_SERVER['REMOTE_ADDR'];
timeout($username, $ip);

echo "<br> Hi $username.</br>";
echo "<br>You Have Logged In Successfully.</br>";

$ip = $_SERVER['REMOTE_ADDR'];
$txt="Your ip Address Is ";
echo $txt . " " .  $ip;

?>

</body>
</html>
<? ob_flush(); ?>
```

```html
<html>
<body>
<form method="POST" action="logout.php">
<button type="submit">Logout</button>
</form>

<br> update your account password </br>

<form method="POST" action="pwdchange.php">
<button type="submit">update</button>
</form>

</body>
</html>
```

pwdchange.php

```php
<?php

session_start();

print_r($valid= $_SESSION['valid']);
print_r($hadi=$_SESSION["valid"]);
print_r($logged_in= $_SESSION["logged_in"]);

?>
```
Hadi

1 Answer

session_start() must go before any output:

```php
<? ob_start(); ?>

<html>
<body>
<?php

error_reporting(E_ALL);


session_start();
```

should be:

```php
<? 
ob_start(); 
session_start();
error_reporting(E_ALL); // This should be up here, too
?>

<html>
<body>
```

(You should consider using a doctype, too)

John Conde
  • Session is working in the page you mention, but not in the pwdchange.php page. – Hadi May 30 '14 at 18:22
  • Which you don't show in your question – John Conde May 30 '14 at 18:23
  • Please look again at the pwdchange.php page, it's there. – Hadi May 30 '14 at 18:27
  • Do a `print_r($_SESSION);` in that file after `session_start();`. Do you see anything? If not, make sure there isn't any accidental whitespace at the top of the file. – John Conde May 30 '14 at 18:28
  • I did `print_r($valid= $_SESSION['valid']);` and it shows `Notice: Undefined index: valid in /var/www/html/phptest/pwdchange.php on line 3`. No whitespace, I checked. – Hadi May 30 '14 at 18:37
  • Just do `print_r($_SESSION);` – John Conde May 30 '14 at 18:39
  • Ok, then your array is indeed empty. Have you confirmed there is no whitespace at the top of that file and, if there are other files included, that they do not have any whitespace at the top of them? Do you do any kind of redirection before reaching this file? – John Conde May 30 '14 at 18:42
  • No whitespace in any files. Once the user logs in on the first page `ifstatment.php`, he has to click the update button to reach this file. That's what I have. In some pages it's working, but in this page it isn't. – Hadi May 30 '14 at 18:52
  • The only other thing I can think of is your session cookie is being deleted. Are you switching back and forth between the www and naked domain of your website? – John Conde May 30 '14 at 18:54
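
The question, answer and comments above point at three causes of an empty `$_SESSION`: output sent before `session_start()`, a session save path the web server cannot write to, and a session cookie that is not sent back. As an added example (not code from the question or the answer), a guard file that checks all three and enforces the `valid` flag; the file name `session_guard.php` and the functions `session_diagnostics()` and `require_login()` are hypothetical, and `session_status()` assumes PHP 5.4 or later.

```php
<?php
// session_guard.php (hypothetical file name). Require it as the FIRST statement of
// check.php, pwdchange.php, etc., before any HTML, blank line or BOM is emitted.

// Returns a list of reasons why $_SESSION may come back empty on this request.
function session_diagnostics()
{
    $problems = array();
    // 1. Once output has started, the session cookie header can no longer be sent.
    if (headers_sent($file, $line)) {
        $problems[] = "output already started at $file:$line";
    }
    // 2. Session files go to session.save_path, which is not necessarily /tmp.
    //    The setting may read "N;/path" or "N;MODE;/path"; the directory is the last part.
    $path = session_save_path();
    if ($path === '' || $path === false) { $path = sys_get_temp_dir(); }
    $parts = explode(';', $path);
    $dir = end($parts);
    if (!is_dir($dir) || !is_writable($dir)) {
        $problems[] = "save path '$dir' is missing or not writable by the web server user";
    }

    // 3. A cookie scoped to a different domain is never sent back. An empty domain means
    //    a host-only cookie, so www and the naked domain each get their own session.
    $cookie = session_get_cookie_params();
    $host = isset($_SERVER['HTTP_HOST']) ? preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']) : '';
    $domain = ltrim($cookie['domain'], '.');
    if ($domain !== '' && $host !== '' && substr(".$host", -strlen(".$domain")) !== ".$domain") {
        $problems[] = "cookie domain '$domain' does not cover host '$host'";
    }
    return $problems;
}

// Redirects to the login page unless auth.php marked this session as valid.
function require_login($loginPage = 'ifstatment.php')
{
    if (!isset($_SESSION['valid']) || $_SESSION['valid'] !== 'yes') {
        header('Location: ' . $loginPage);
        exit;
    }
}

foreach (session_diagnostics() as $problem) {
    error_log('session_guard: ' . $problem);   // server log only, never echoed to the page
}
if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }   // PHP 5.4+
require_login();
```

Each protected page then starts with `<?php require 'session_guard.php'; ?>` on its very first line, and the server error log shows which of the three conditions applies.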