2

I'm going through the pain of upgrading PHP on my server from 5.2 to 5.3. Having migrated my old php.ini to the new and upgraded my mysql passwords, my PHP sessions no longer work.

This is my login code below, it executes correctly and even logs my login correctly in the activity log. (updatelog function) I have also posted my session valid check code.

Is there anything obvious in my login code that is no longer valid in PHP 5.3, having previously worked under 5.2?

// Login User///

if(@$_POST["dologin"] == 1)
{
    //record login attempt
    updatelog("",$_SERVER['REMOTE_ADDR'],"Login Attempt By: ".$_POST['username']);

    $user_name = escape($_POST["username"]);
    $password = escape(md5(SALT.$_POST["password"]));

    $login = $query->GetSingleQuery("--SINGLE","SELECT user_name, id, user_email FROM url_users WHERE user_name='".$user_name."' and user_password='".$password."';",array("user_name","id","user_email"));

    if(!isset($login['user_name'])) //failed login
    {
        $_SESSION['loggedin'] = 0;
        //record failure
        updatelog("",$_SERVER['REMOTE_ADDR'],"Login Failure By: ".$_POST['username']);
        header("Location: index.php?failed=1&user=$user_name");
    }else
    { 
    //login valid
    //get country details
    $getcountry = $query->GetSingleQuery("--SINGLE","SELECT geo_ip.ctry FROM admin_adfly.geo_ip geo_ip WHERE INET_ATON ('".$_SERVER['REMOTE_ADDR']."') BETWEEN geo_ip.ipfrom AND geo_ip.ipto;",array("ctry"));

    //set session items
        $_SESSION['country'] = $getcountry['ctry'];
        $_SESSION['username'] = $login['user_name']; 
        $_SESSION['userid'] = $login['id']; 
        $_SESSION['loggedin'] = 1;
        $_SESSION['email'] = $login['user_email'];
    //session salt
        $hsh = md5($_SERVER['HTTP_USER_AGENT'].SALT);
        $_SESSION['_XXX(*@#!_D@R*&$%(){*@)_D_296']['user_agent'] = $hsh;

    //update the ui transaction log
        updatelog($login['id'],$_SERVER['REMOTE_ADDR'],"Login Success For: ".$_POST['username']);

        // run function to check if any adverts have completed
        adcomplete($_SESSION['userid']);

    //redirect
        header("Location: index.php");
    }

}

// Check users login session is valid, this is called on each page I want to restrict by login. ////

if(isset($_SESSION['_XXX(*@#!_D@R*&$%(){*@)_D_296']['user_agent']) == $_SERVER['HTTP_USER_AGENT'].SALT)
{
    return 1; //session success
}else
{
    return 0; //session failure
}
hakre
Damo
  • follow up: session is retained if I link between page a->b. However when I use header redirect, all session data is lost. – Damo Aug 10 '11 at 19:25
  • update: reviewing the server session files, session data does not get saved under php 2.3. Session files are created, but no data is saved in them. Session data is saved under 5.2 ok – Damo Aug 10 '11 at 20:12

3 Answers

1

The check for login is not checking the hash of user agent and salt; it should be:

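// isset() only returns a bool, so test for presence first, then compare the stored hash
if (isset($_SESSION['_XXX(*@#!_D@R*&$%(){*@)_D_296']['user_agent'])
    && $_SESSION['_XXX(*@#!_D@R*&$%(){*@)_D_296']['user_agent'] === md5($_SERVER['HTTP_USER_AGENT'].SALT))
{
    return 1; //session success
} else {
    return 0; //session failure
}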

Edit:

Since the problem persists and it seems to be a php configuration issue I would try to make the simplest php page that uses sessions and try it out in the 5.3 environment to confirm that it is a php configuration problem and use that simple page to test the configuration while trying to fix the issue.

A simple php page:

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
session_start();

if (isset($_SESSION['views']))
    $_SESSION['views'] = $_SESSION['views'] + 1;
else
    $_SESSION['views'] = 0;

echo '<pre>';
var_dump(session_id()); // I should stay the same
var_dump($_SESSION); // I should start at 0 and increase
echo '</pre>';
CodeReaper
  • Thanks for the correction, it works before and after the change under PHP 5.2, quite odd how that worked I don't know. Under PHP 5.3 however, it made no difference. I get the same session issue – Damo Aug 10 '11 at 17:26
  • Looking at http://www.php.net/manual/en/migration53.incompatible.php nothing really jumps out at you... maybe you could try running the code (in test environment) with this statement included as early as possible: error_reporting(E_ALL); ... and watching the logs? – CodeReaper Aug 10 '11 at 17:42
  • Thanks CR, I'm doing this now. I've discovered that I can set and view the session var on the same PHP page, but I can't view them between pages..... which suggests it's a PHP configuration problem maybe..... but what I don't know.... – Damo Aug 10 '11 at 17:57
  • Are you doing session_start() in your php files? ... if it still does not work, try going through this question http://stackoverflow.com/questions/155920/php-session-data-not-being-saved – CodeReaper Aug 10 '11 at 19:37
  • I am, I had a fully working site before the 5.3 upgrade. It appears to be related to header redirects. Sessions are lost when doing this.. again only under 5.3. If I revert back to 5.2, everything is fine. I did check the session.save_path. I copied the value from my old php.ini (which worked) – Damo Aug 10 '11 at 19:47
0

Simple solution: Go to /var/lib/php and set attributes 777 on the "session" directory.

EDIT: Yes, I know it is not a recommended solution, but it works. To do it right, you should set the owner to php, httpd or nginx - I don't have time to check which it should be.

akjoshi
ULLISSES
0

After much messing about, it turns out that the problem was related to the last session name, it was somehow invalidating the entire browser session, removing all data from the session.

After removing "(*@#!_D@R*&$%(){*@)_D_296" from the $_SESSION array, my login session started working again.

hakre
Damo
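
The session check discussed in the first answer and the key-name finding in the last one, combined as an added example that is not code from any of the posters: the fingerprint is stored under a plain key (PHP's default `php` serialize handler cannot store `$_SESSION` keys containing `|` or `!`), and presence and equality are tested separately. `SESSION_SALT`, the `ua_fingerprint` key and the function names are assumptions, and `hash_equals()` requires PHP 5.6 or later.

```php
<?php
// Added example, not code from the thread. SESSION_SALT, the 'ua_fingerprint'
// key and the function names are assumptions made for illustration.
define('SESSION_SALT', 'constructed-example-salt');

// Keyed hash of the User-Agent: the same idea as md5(UA . SALT) in the
// question, using HMAC-SHA-256 instead of a bare MD5 concatenation.
function ua_fingerprint($userAgent)
{
    return hash_hmac('sha256', (string) $userAgent, SESSION_SALT);
}

// Store the fingerprint at login under a plain alphanumeric key. The default
// "php" serialize handler cannot store $_SESSION keys containing '|' or '!'.
function bind_session_to_ua(array &$session, $userAgent)
{
    $session['ua_fingerprint'] = ua_fingerprint($userAgent);
}

// Presence and equality are two separate tests: isset() only returns a bool.
function session_is_valid(array $session, $userAgent)
{
    if (!isset($session['ua_fingerprint']) || !is_string($session['ua_fingerprint'])) {
        return false;
    }
    // hash_equals() compares the two strings in constant time.
    return hash_equals($session['ua_fingerprint'], ua_fingerprint($userAgent));
}

// Constructed demonstration: a plain array stands in for $_SESSION.
$session = array();
bind_session_to_ua($session, 'Mozilla/5.0 (constructed example)');

var_dump(session_is_valid($session, 'Mozilla/5.0 (constructed example)')); // same client
var_dump(session_is_valid($session, 'curl/8 (constructed example)'));      // different client
var_dump(session_is_valid(array(), 'Mozilla/5.0 (constructed example)'));  // nothing stored

// The pattern used in the thread compares isset()'s bool with a string. Any
// non-empty string is loosely equal to true, so this passes for every client
// once the key exists.
var_dump(isset($session['ua_fingerprint']) == ua_fingerprint('curl/8 (constructed example)'));
```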