I've tried building a secured area using PHP session(). Basic workflow:

log in -> go to checkuser page that:

  • queries database for user
  • starts a session -> session_start(); and then sets session variables
  • goes to home member page

Code on the checkuser page:

session_start();
error_reporting(E_ALL); ini_set('display_errors', 1);
include 'dbconnect.php';
$email_address = isset($_POST['email_address']) ? $_POST['email_address'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

$passwordmd5 = md5($password);
$result = mysqli_query($con, "SELECT * FROM users WHERE email_address='$email_address' AND password='$passwordmd5' AND activated='1'");
$login_check = mysqli_num_rows($result);
if ($login_check > 0) {
    while ($row = mysqli_fetch_array($result)) {
        // Copy each column of the row into a variable of the same name.
        foreach ($row as $key => $val) {
            $$key = stripslashes($val);
        }
        $_SESSION['first_name'] = $first_name;
    }
}

I notice that if I leave the site and hit back in the browser, I get an error from the session variable being undefined. Makes sense to me because I left the secure page. But something seems wrong here. Is this supposed to work like this? What is the best method to fix it? This is what sits on top of each page in the secured site:

ob_start();
session_start();
require_once ('verify.php'); 
$page_title = 'sponsor.php';
$sid = session_id();
$first_name=$_SESSION['first_name'];

An error occurred in script '/home/buzrw/public_html/web/website/php/main.php' on line 8: Undefined index: first_name

The verify.php script, which contains my error handler, is as follows:

<?php 

// Flag variable for site status:
define('LIVE', TRUE);

// Admin contact address:
define('EMAIL', 'myemail');

// Site URL (base for all redirections. This is the address they will be redirected to if they try to access a protected page and they are not logged in.):
define ('BASE_URL', 'http://www.website.org/index.php');

// Location of the MySQL connection script:
define ('MYSQL', 'dbconnect.php');


// Create the error handler:
debug_backtrace;
function my_error_handler ($e_number, $e_message, $e_file, $e_line, $e_vars) {

// Build the error message.
$message = "<p>An error occurred in script '$e_file' on line $e_line: $e_message\n<br />";

// Add the date and time:
$message .= "Date/Time: " . date('n-j-Y H:i:s') . "\n<br />";

// Append $e_vars to the $message:
$message .= "<pre>" . print_r ($e_vars, 1) . "</pre>\n</p>";

if (!LIVE) { // Development (print the error).

    echo '<div class="error">' . $message . '</div><br />';

} else { // Don't show the error:

    // Send an email to the admin:
    mail(EMAIL, 'Site Error!', $message, 'From: admin@website.org');

    // Only print an error message if the error isn't a notice:
    if ($e_number != E_NOTICE) {
        echo '<div class="error">A system error occurred. We apologize for the inconvenience.</div><br />';
    }
} // End of !LIVE IF.

} // End of my_error_handler() definition.

// Use my error handler.
set_error_handler ('my_error_handler');
rhill45
  • Where is the code? That would probably help. **Edit** all the code preferably. Make sure you haven't forgotten `session_start` on any of the pages. – Script47 Oct 31 '15 at 01:47
  • Where is `$_SESSION['first_name']` defined? I do not see this. – Twisty Oct 31 '15 at 01:52
  • @Script47 The form just sends to the checkusr page. As stated, the log in is working and a session is getting 'set'. The only time I get the error is if I leave the secure session and go back to a page with it. What is the best way to prevent re-entry into a page with the session requirement if you have already left? – rhill45 Oct 31 '15 at 02:06
  • Did you leave the secure page after making a session? I mean, you make a session in the secure page, and then you access the session variable in a non-secure page? – check Oct 31 '15 at 02:25
  • @check No, but I have placed session unset in my pages that are not part of the secure session. – rhill45 Oct 31 '15 at 02:27
  • You can pass your `session_id` between http and https; maybe this link will help you: [link](http://stackoverflow.com/questions/441496/session-lost-when-switching-from-http-to-https-in-php) – check Oct 31 '15 at 02:35

0 Answers
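
A guard of the kind the question asks about, as an added example that is not part of the original post or its comments: each protected page redirects to `BASE_URL` when the session holds no login, instead of reading a missing `$_SESSION['first_name']`, and the login step uses a bound parameter and a fresh session id. The helper names are hypothetical, and the code assumes PHP 7.3+, the mysqlnd driver, an `id` column, and a `password` column holding `password_hash()` output rather than the MD5 value the posted code stores.

```php
<?php
// Added example, not the poster's code. Helper names are hypothetical.
// Assumes PHP 7.3+, the mysqlnd driver, an `id` column, and a `password`
// column holding password_hash() output rather than MD5.

defined('BASE_URL') || define('BASE_URL', 'http://www.website.org/index.php');

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,                      // not readable from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']), // HTTPS-only when served over TLS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Top of every protected page: redirect instead of reading a missing key.
function require_login(): void {
    start_secure_session();
    if (!isset($_SESSION['user_id'], $_SESSION['first_name'])) {
        header('Location: ' . BASE_URL);
        exit;
    }
}

// Look the user up with a bound parameter and verify the stored hash.
function find_user(mysqli $con, string $email, string $password): ?array {
    $stmt = $con->prepare(
        'SELECT id, first_name, password FROM users
         WHERE email_address = ? AND activated = 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return ($row && password_verify($password, $row['password'])) ? $row : null;
}

// After a successful login: new session id, then only the needed fields.
function establish_session(array $user): void {
    start_secure_session();
    session_regenerate_id(true); // drop the pre-login id (session fixation)
    $_SESSION['user_id']    = (int) $user['id'];
    $_SESSION['first_name'] = $user['first_name'];
}
```

A protected page calls `require_login()` before it reads `$_SESSION['first_name']`; the checkuser page calls `find_user()` and, when it returns a row, `establish_session()`.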