PHP Sessions Not working

ruchir7

I was testing my site on X10. Everything was working fine, but now PHP Sessions are not working.

I have a login page on my site, which sets a $_SESSION variable called ['user']. When the user logs in, the navigation bar on the top is supposed to change. Everything was working fine till yesterday, but now, the session is not working!

When I login, it shows the message that the user is logged in. But when I try to log out, the page shows an error 'No user was logged in'! The navigation bar doesn't change as well. :(


Here is the code for the login script :

PHP:
<? $title = 'Login' ?>
<?require ('scripts/top.php'); ?>
<link rel='stylesheet' type='text/css' href='scripts/form.css'/>
<div id='content'> <center><div id='login'>
<?
$login_form = "<form action='login.php' method='POST'><table>
    <tr><td>Username</td><td><input type='text' name='username' class='textbox'/></td></tr>
    <tr><td>Password</td><td><input type='password' name='pass' class='textbox'/></td></tr>
    <tr><td></td><td><input type='submit' name='loginbtn' value='Login' class='button'/></td></tr>
</table></form>";

if ($_POST['loginbtn']) {
    $username = strip_tags($_POST['username']);
    $pass = strip_tags($_POST['pass']);

    if ($username && $pass) {
        require ("scripts/connect.php");
        $password = md5(md5($pass));

        $query = mysql_query("SELECT * FROM members WHERE `username`='$username' and `password`='$password'");
        $numrows = mysql_num_rows($query);

        if ($numrows == 1) {
            $row = mysql_fetch_assoc($query);
            $dbid = $row['id'];
            $dbuser = $row['username'];

            $_SESSION['user'] = $dbuser;
            $_SESSION['id'] = $dbid;

            $date = date("F d,Y");
            mysql_query("UPDATE members SET `last_login`='$date' where `id`='$dbid'");

            echo "<div id='success'> Successfully logged in as <b>$dbuser</b> </div>";
            echo "<script type='text/javascript'>setTimeout(\"location.href = 'index.php';\",1500);</script>";
        }
        else {
            echo "<div id='error'> Invalid username/password </div>";
        }
    }
    else {
        echo "<div id='error'> Please fill in all the fields </div> $login_form";
    }
}
else {
    echo $login_form;
}
?>
</div>

<?echo "<div id='login'>Want an account instead? <br/> <br/><a href='register.php'> Register now! </a> It takes just a few moments! </div>";?>

</center></div>
<?require ('scripts/bottom.php'); ?>



This is my logout script :
PHP:
<? $title = 'Logout' ?>
<?require ('scripts/top.php'); ?>
<link rel='stylesheet' type='text/css' href='scripts/form.css'/>
<div id='content'> <center><div id='login'>
<?
$user = $_SESSION['user'];
if ($user) {
    session_destroy;
    echo "<div id='success'> <b>$user</b> has been successfully logged out </div>";
    echo "<script type='text/javascript'>setTimeout(\"location.href = 'index.php';\",1500);</script>";
}
else {
    echo "<div id='error'>No user was logged in</div>";
}
?>
</div>
</center></div>
<?require ('scripts/bottom.php'); ?>


This is how the TOP.PHP file is set up :
PHP:
<? session_start();?>
<?
require ('scripts/navbar.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<link rel='stylesheet' type='text/css' href='scripts/main.css'/><link rel='shortcut icon' type='image/x-icon' href='/favicon.ico'>
<head><title><?echo $title.' | My site';?></title></head>

<body>
<div id='wrapper'>
<div id='header'> <center><a href = 'index.php'> <img src='images/logo.png' title='My site'/> </a> </div> </center>

And this is the NAVBAR.PHP file

PHP:
<?
if ($_SESSION['user']) {
    echo "<div id='topnavbar'>
        <div id='e'> <a href = 'index.php'> <img src='images/blank.png' title='Enderspace' /> </a> </div>
        <div id='home'> <a href = 'index.php'> <img src='images/blank.png' title='Home' /> </a> </div>
        <div id='users'> <a href = '#'> <img src='images/blank.png' title='Members' /> </a> </div>
        <div id='messages'> <a href = '#'> <img src='images/blank.png' title='Messages'/> </a> </div>
        <div id='logout'> <a href = 'logout.php'> <img src='images/blank.png' title='Logout'/> </a> </div>
        <div id='settings'> <a href = '#'> <img src='images/blank.png' title='Settings'/> </a> </div>
    </div>";
}
else {
    echo "<div id='nologin'>
        <form action='login.php' method='POST'><table>
            <tr>
                <td><span style='color:#fff'>Username</span></td>
                <td><input type='text' name='username' class = 'navtext'/></td>
                <td><span style='color:#fff'>Password</span></td>
                <td><input type='password' name='pass' class = 'navtext'/></td>
                <td></td>
                <td><input type='submit' name='loginbtn' value='Login' class='navbutton'/></td>
            </tr>
        </table></form>
        <div id='navbarregister'> <a href='register.php'> <input type='button' value=\"Register now\" class='button'> </a> </div>
    </div>";
}
?>


Any help would be appreciated
 

misson

Please pick a better indent style; the one you're using now is nigh unreadable.

If you're actually using capital letters in the filenames, don't. The file system on the X10 servers is case sensitive. Generally, follow Postel's robustness principle, which (for case sensitivity) means assume whichever of case sensitivity or insensitivity will cause the most problems in the given context (always use the same case when using a given name, and never assign the same names that differ only in case to two different things).

The whitespace between the first few PHP tags will be output (if it's output at all) in the body of the response. As the manual page for session_start says:

To use cookie-based sessions, session_start() must be called before outputting anything to the browser.

It's vital you read up on how HTTP works (in particular, understand the response header and body) for you to understand sessions.

The sample code is vulnerable to SQL injection, which is a very serious security risk. To fix this hole, switch from the outdated mysql extension to PDO and use prepared statements. If you need a PDO tutorial, try "Writing MySQL Scripts with PHP and PDO". The site you save may just be your own.

MD5 is considered broken by security professionals. Applying MD5 twice adds nowhere near enough computational complexity; you'd need to apply it at least thousands of times. No less than Bruce Schneier has written:
But -- come on, people -- no one should be using MD5 anymore.
Use a newer hashing function, such as Whirlpool or something from the SHA2 family (SHA256, SHA512) or (better still) Blowfish (using crypt()). Your password scheme is also vulnerable to rainbow tables. Add salt to fix this. You could use the username + a system salt, or give each user a unique salt (a "nonce") and store that in a column in table `users`.

<center> is non-semantic, and <br/> isn't being used semantically. Using tables for layout is also non-semantic and very outdated. HTML is about document structure, not presentation. Use more appropriate elements, such as a paragraph or a list. For styling and layout, use CSS.

Don't use SELECT * unless you're writing a DB administration program; select only the columns you need.

In your logout script, you have session_destroy, which is an undefined constant. Add the missing parentheses.
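The login handler rewritten along the lines of the points above (session_start() before any output, PDO prepared statements instead of string-built SQL, salted Blowfish via crypt() instead of double MD5). This is an added example, not the poster's code or X10's; it assumes scripts/connect.php creates a PDO connection in $pdo, that the `password` column in `members` is wide enough for a 60-character crypt() hash, and it leaves out the top.php/bottom.php page includes.

```php
<?php
// Added example, not the poster's code. Assumes scripts/connect.php creates a
// PDO connection in $pdo, and that the `password` column in `members` stores
// the 60-character crypt() output (not an md5 hex string).
session_start();                 // first thing in the file: no output before it
require 'scripts/connect.php';

// For register.php: hash a new password with Blowfish and a fresh random salt
// (22 chars from the ./A-Za-z0-9 alphabet that bcrypt expects).
function hash_password($plain) {
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return crypt($plain, '$2y$10$' . $salt);   // $2y$ needs PHP >= 5.3.7
}

// Verify a submitted password: crypt() with the stored hash as the "salt"
// reproduces the stored hash exactly when the password is right.
function check_password($plain, $stored) {
    return crypt($plain, $stored) === $stored;
}

if (isset($_POST['loginbtn'])) {
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $pass     = isset($_POST['pass']) ? $_POST['pass'] : '';

    if ($username === '' || $pass === '') {
        echo "<div id='error'>Please fill in all the fields</div>";
    } else {
        // Bound parameter: the username is never spliced into the SQL text,
        // so it cannot change the query the way the original string did.
        $stmt = $pdo->prepare('SELECT id, username, password FROM members WHERE username = :u');
        $stmt->execute(array(':u' => $username));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($row && check_password($pass, $row['password'])) {
            session_regenerate_id(true);   // new session id once logged in
            $_SESSION['user'] = $row['username'];
            $_SESSION['id']   = $row['id'];
            $upd = $pdo->prepare('UPDATE members SET last_login = :d WHERE id = :id');
            $upd->execute(array(':d' => date("F d,Y"), ':id' => $row['id']));
            // Escape before echoing so a stored username cannot inject markup.
            echo "<div id='success'>Logged in as <b>"
               . htmlspecialchars($row['username'], ENT_QUOTES) . "</b></div>";
        } else {
            echo "<div id='error'>Invalid username/password</div>";
        }
    }
}
```

The matching logout only needs `session_destroy();` with its parentheses (and, on the same request, clearing `$_SESSION`) in place of the bare constant in the posted script.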
 