To pretty up my URL and make the multi-step activation process easier, I've programmed my page to store the userID and activation code from the activation email as session variables. When a userID and actCode are in the URL, it saves them as session variables, then redirects to activate (I've used htaccess to take off the .php part).

It works the first time (when the page refreshes itself) but when you move to a different step or refresh the page manually, it erases them.

Here's my code:

<?php
error_reporting (E_ALL ^ E_NOTICE);
session_start();

if ( (!empty($_GET['u'])) && (!empty($_GET['a'])) ) {
    $_SESSION["activate_userID"]        = $_GET['u'];
    $_SESSION["activate_actCode"]       = $_GET['a'];
    header( 'Location:activate') ;
}else{
    $userID = $_SESSION["activate_userID"];
    $actCode = $_SESSION["activate_actCode"];
    echo 'session variable found: '.$actCode;
}

if ($actCode == ""){$actCode = "nUlL";}


require "***connection script***";



$checkCode = "SELECT ***account details***, `activationExpire` FROM `users` WHERE `userID` = \"$userID\"; ";
$result = $conn->query($checkCode);

if ($result->num_rows > 0) {
    // output data of each row
    while($actInfo = $result->fetch_assoc()) {
    *** account details are here ***
    $step               =   $actInfo['activationStatus'];
    $activationCode     =   $actInfo['activationCode'];
    $activationExpire   =   $actInfo['activationExpire'];
    }
}
?>

<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    <title>Activate - FiestaUSA</title>
    <link href="includes/css/materialize.min.css" type="text/css" rel="stylesheet" media="screen,projection"/>
    <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">

</head>

<body class="blue" background="includes/images/bg.jpg" style="background-size: cover;">
    <div class="row">
        <div class="col s10 m8 l6 offset-s1 offset-m2 offset-l3" style="padding-top: 50px">
            <div class="card-panel z-depth-2 ">
                <div class="row center">
                    <img src="includes/images/white480.png">
                </div>
                <div class="row">

                <?php
                $now = date('Y-m-d H:i:s');
                if ($actCode !== $activationCode) {
                    echo '
                        <p>
                            There was a problem activating your account. Please email
                            <a href="mailto:activation@fiestausa.com?Subject=Account%20Activation">activation@fiestausa.com</a>
                        </p>
                    ';
                } elseif ($activationExpire < $now) {
                    echo '
                        <p>
                            Your activation code has expired. Please email
                            <a href="mailto:activation@fiestausa.com?Subject=Account%20Activation">activation@fiestausa.com</a>
                        </p>
                    ';
                } else {

                    if ($step == 6) {
                        header( 'Location:signin') ;
                    }

                    if ($step == 5) {
                        require "includes/php/activation/s5.php";
                    }

                    if ($step == 4) {
                        require "includes/php/activation/s4.php";
                    } elseif ($step == 3) {
                        require "includes/php/activation/s3.php";
                    } elseif ($step == 2) {
                        require "includes/php/activation/s2.php";
                    } elseif ($step == 1) {
                        require "includes/php/activation/s1.php";
                    }
                }
                ?>
                </div>
            </div>
        </div>
    </div>
</body>

</html>

You can test it at http://fiestausa.com/myevent/activate.php?u=2&a=fiverr

  • Your code seems to be correct as far as I can see, and the session cookie gets sent to the server. Can you look into the php/tmp directory on the server and open one of the session files (they have the session ID as name) and look if they contain the values? Edit: also try print_r($_COOKIE) and look if there is the session cookie. – x4rf41 Sep 21 '15 at 22:54
  • I get Array ( [PHPSESSID] => 170f07f1467f149eda07f3******* ) – Timothy Richard Elliott Sep 21 '15 at 23:01
  • @x4rf41 Should I do it as a cookie instead of a session variable? – Timothy Richard Elliott Sep 21 '15 at 23:03
  • Well, if it's not a security issue if the user edits the information, you could just do that. Btw, I just ran your session code up to `if ($actCode == ""){$actCode = "nUlL";}` on my local server and it works without a problem; this is some server or PHP config issue, I would think. Can you access the php.ini or print the phpinfo()? – x4rf41 Sep 21 '15 at 23:06
  • In your step 6, you cannot change the header once you have output any HTML at all. – Rohit Gupta Sep 21 '15 at 23:06
  • Maybe in the .htaccess you are forgetting to add the [QSA] property, which appends the query string when it rewrites the URL internally. If you miss this, the GET params won't be passed and you will lose them. – MarkSkayff Sep 21 '15 at 23:16
  • Also, in your code you are only assigning $userID and $actCode if the GET params aren't found. If they are present, these vars aren't initialized unless you have register_globals on. – MarkSkayff Sep 21 '15 at 23:20

1 Answer

Here is a reason why your session may be returning unexpected behaviour. You mentioned a redirect you are issuing, but are you redirecting to the same domain and subdomain?

If your website is querying both www and non-www versions, then you may be getting different sessions because they are being treated as different sub-domains. You can change your htaccess to fix this, or you can check by going into your development console and typing document.cookie and comparing the two pages.

q.Then
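
A hardened form of the link-to-session handoff discussed in this thread, as an added example that is not code from the question or its answer: it validates the link values, exits after each redirect, keeps the session cookie bound to one host, and replaces the string-built query and the `!==` comparison. It assumes PHP 7.3+, HTTPS, the mysqlnd driver, and a mysqli handle `$conn` supplied by the site's own connection script; the column names are taken from the question's code.

```php
<?php
// Added example, not the asker's code. Assumes PHP 7.3+, HTTPS, mysqlnd, and
// a mysqli handle $conn created by the site's own connection script.
session_set_cookie_params([
    'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]); // no 'domain': the cookie stays bound to the exact host that set it
session_start();

if (!empty($_GET['u']) && !empty($_GET['a'])) {
    // Only a positive integer ID and a string code are accepted from the link.
    $id = filter_var($_GET['u'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !is_string($_GET['a'])) {
        http_response_code(400);
        exit('Invalid activation link.');
    }
    session_regenerate_id(true);      // fresh session ID once the link is consumed
    $_SESSION['activate_userID']  = $id;
    $_SESSION['activate_actCode'] = $_GET['a'];
    header('Location: activate');     // relative target: same host, same cookie
    exit;                             // nothing below runs for this request
}

$userID  = $_SESSION['activate_userID'] ?? null;
$actCode = $_SESSION['activate_actCode'] ?? '';

// Parameterized lookup: the ID never becomes part of the SQL text.
function loadActivation(mysqli $conn, int $userID): ?array
{
    $stmt = $conn->prepare(
        'SELECT `activationStatus`, `activationCode`, `activationExpire`
           FROM `users` WHERE `userID` = ?'
    );
    $stmt->bind_param('i', $userID);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$row = is_int($userID) ? loadActivation($conn, $userID) : null;

// Constant-time comparison; a missing row or an empty code fails closed.
$valid = $row !== null && is_string($actCode) && $actCode !== ''
    && hash_equals((string) $row['activationCode'], $actCode)
    && $row['activationExpire'] >= date('Y-m-d H:i:s');

// Decide redirects before any HTML is sent, since headers cannot follow output.
if ($valid && (int) $row['activationStatus'] === 6) {
    header('Location: signin');
    exit;
}
```

The step templates can then be included further down the page only when `$valid` is true, with the error paragraphs shown otherwise.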