[RESOLVED] STRANGE session problem

Hey everyone,

This is driving me NUTS! I finished up some final changes today on my website. I noticed once I put it live, it was having problems with the sessions. It works fine on my computer (using xampp).

I have session_start and ob_start in my header.php file (which is included on every file that is part of the website). I have a login page to handle the login. Here’s a little snippet of the code that handles the login (I X’ed out sensitive information):

[code=php]// Only act on a submitted login form; read every value explicitly from $_POST
// so the code never depends on register_globals.
if (isset($_POST['login'])) {
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? sha1($_POST['password']) : '';

    if ($username && $password) {
        // Legacy mysql_* extension, as in the original code (credentials X'ed out).
        $connect = mysql_connect("xxxxx", "xxxxx", "xxxxx") or die("Can't connect to database!");
        mysql_select_db("xxxxx") or die("Couldn't find the correct database!");

        // Escape the user-supplied value before interpolating it into SQL.
        $safe_username = mysql_real_escape_string($username, $connect);
        $query = mysql_query("SELECT * FROM users WHERE username='$safe_username'");
        $numrows = mysql_num_rows($query);

        if ($numrows != 0) {
            while ($row = mysql_fetch_assoc($query)) {
                $dbusername = $row['username'];
                $dbpassword = $row['password'];
                $dbname = $row['name'];
                $dbadmin = $row['admin'];
            }

            if ($username == $dbusername && $password == $dbpassword) {
                // Issue a fresh session id on login so a pre-set id cannot be reused (session fixation).
                session_regenerate_id(true);
                $_SESSION['username'] = $dbusername;
                $_SESSION['name'] = $dbname;
                $_SESSION['admin'] = $dbadmin;
                header('Location: /');
                exit;
            } else {
                echo "Incorrect password!";
            }
        } else {
            echo "That user doesn't exist!";
        }
    } else {
        echo "Please enter a username and a password!";
    }
}[/code]

The last thing I have is a footer page that is included on every page of the site just like the header. Here is a little snippet of the code that handles the logout/checking if you’re logged in:

[code=php]// Handle logout first: clear the session data, destroy the server-side record, redirect.
if (isset($_POST['logout'])) {
    $_SESSION = array();
    session_destroy();
    header('Location: /');
    exit;
}

$credit = ' &copy; 2009-' . date('Y') . ' <a href="contact.php">Aaron Wood</a>';

// Decide the logged-in state from $_SESSION only, and escape values before echoing them.
if (!isset($_SESSION['username']) || !isset($_SESSION['name'])) {
    echo '<a href="login.php">Login</a>' . $credit;
} else {
    $name = htmlspecialchars($_SESSION['name'], ENT_QUOTES, 'UTF-8');
    // The bare $PHP_SELF only exists with register_globals on; use the superglobal, escaped.
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    $role = (isset($_SESSION['admin']) && $_SESSION['admin'] == 1) ? ' You are an administrator.' : '';
    echo "Welcome $name.$role <form class='logout' name='logout' method='post' action='$self'>
<input type='hidden' name='logout' /><a href='javascript: document.logout.submit();'>Logout </a></form>" . $credit;
}[/code]

I am completely stumped because it works fine on my end but not on the live server. Logging in on the live server works okay, and it redirects me to the home page once you log in (which is good). After that, if I click on another page (Contact me for example), my footer does not show me being logged in or a logout button. Another VERY strange issue is on the [URL="http://aaronjwood.com/projects.php?type=newsletter&name=nerej"]nerej[/URL] and [URL="http://aaronjwood.com/projects.php?type=newsletter&name=nyrej"]nyrej[/URL] newsletter pages, the footer says I'm logged in as nerej or nyrej (depending on which one you're viewing). That page only uses $_GET to determine what newsletter to show. It's almost as if it injects nerej or nyrej into the session somehow.

This is driving me absolutely nuts and I've spent too much time on it today. Anyone have any ideas as to what in the WORLD is happening?

Thanks a bunch!


7 Comment(s)

@Jarrod1937May 15.2010 — Part of your problem (or maybe all of it) is that you more than likely have register globals on. This can be seen by the fact that the page name changes the session variable echoed out, aka $_SESSION['name']. What happens with register globals being on is that it will make the get var &name=nerej equal to $_SESSION['name'], so by having register globals on you're in effect accidentally overwriting the value of your session var through the url get var. This can have deeper consequences as it then allows me to inject my own code into your application; I could effectively use it as an attack vector for XSS by doing:

&name=<script type="text/javascript">attack code here, maybe to steal a visitor's cookie to impersonate them</script>

Though this could be sent in an encoded form to be less suspicious looking.

Hopefully you have not accidentally designed your code to work using register globals. If you haven't then you can easily disable it and continue working on the site.

http://drupal.org/node/210311
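The mechanism Jarrod describes (a query-string name like `?name=nerej` becoming a global `$name` that the session module then binds to `$_SESSION['name']`) is best defended on two fronts: stop the directive from creating request-derived globals before `session_start()` runs, and never build page output from anything but the explicit superglobals, escaped. The following is an added example written for this thread, not code from the original post or from aaronjwood.com; it keeps the post's session keys (`username`, `name`, `admin`) and the two newsletter names, while the function names `selected_newsletter` and `render_footer_status`, the whitelist array, and the PHP 7+ syntax (`declare(strict_types=1)`, `??`, nullable return types) are this example's own assumptions.

```php
<?php
// Added example, not code from the thread: a header.php prologue plus footer
// helpers for the register_globals problem described above. Function names,
// the newsletter whitelist and the PHP 7+ syntax are assumptions of this example.

declare(strict_types=1);

// Fail closed when register_globals is still on. On PHP 5.4+ the directive no
// longer exists, ini_get() returns false and this whole block is skipped.
if (filter_var((string) ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    // Request-derived globals already exist at this point, but the session has
    // not been started yet, so remove them before session_start() can bind
    // $_SESSION entries to globals of the same name (e.g. $name from ?name=).
    foreach (array($_GET, $_POST, $_COOKIE, $_FILES) as $source) {
        foreach (array_keys($source) as $key) {
            if ($key !== 'GLOBALS' && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
            }
        }
    }
    error_log('register_globals is enabled; turn it off in php.ini or .htaccess');
}

// Harden the session cookie before starting the session.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

/**
 * Resolve ?name= for the newsletter page against a fixed whitelist, so the
 * query string can select a newsletter but can never carry markup into the
 * page or a value into the session.
 */
function selected_newsletter(array $get, array $allowed): ?string
{
    $name = isset($get['name']) ? (string) $get['name'] : '';
    return in_array($name, $allowed, true) ? $name : null;
}

/**
 * Build the footer's login state from the session array only, with every
 * session-derived value HTML-escaped before it reaches the page.
 */
function render_footer_status(array $session, string $year): string
{
    $credit = ' &copy; 2009-' . htmlspecialchars($year, ENT_QUOTES, 'UTF-8')
            . ' <a href="contact.php">Aaron Wood</a>';

    if (empty($session['username']) || !isset($session['name'])) {
        return '<a href="login.php">Login</a>' . $credit;
    }

    $name = htmlspecialchars((string) $session['name'], ENT_QUOTES, 'UTF-8');
    $role = ((int) ($session['admin'] ?? 0) === 1) ? ' You are an administrator.' : '';

    // An empty action posts back to the current URL, so PHP_SELF never has to
    // be echoed into the markup.
    return 'Welcome ' . $name . '.' . $role
         . ' <form class="logout" name="logout" method="post" action="">'
         . '<input type="hidden" name="logout" value="1" />'
         . '<button type="submit">Logout</button></form>' . $credit;
}

// Logout: wipe the session array, destroy the server-side record and redirect.
if (isset($_POST['logout'])) {
    $_SESSION = array();
    session_destroy();
    header('Location: /');
    exit;
}

// Usage on the newsletter page (whitelist constructed from the names in the thread):
$newsletter = selected_newsletter($_GET, array('nerej', 'nyrej'));
echo render_footer_status($_SESSION, date('Y'));
```

The in-code cleanup is a stopgap: it only works because it runs before `session_start()`, and it does nothing for any other included file that reads a bare variable. Turning the directive off in php.ini or `.htaccess`, as the rest of the thread works through, remains the actual fix; the `error_log` call is there so the stopgap does not silently become permanent.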
@blackangus87authorMay 15.2010 — Thank you very much for your reply Jarrod. I have in fact verified that register globals is on! I used phpinfo for that. Unfortunately, the php.ini and if I try the .htaccess way, it throws a 500 error. I guess I'll have to talk to my host. There is no other way to override this is there?

Thank you once again for helping me narrow this down. I hope I am able to get this solved ASAP...
@Jarrod1937May 15.2010 — [QUOTE]Thank you very much for your reply Jarrod. I have in fact verified that register globals is on! I used phpinfo for that. Unfortunately, the php.ini and if I try the .htaccess way, it throws a 500 error. I guess I'll have to talk to my host. There is no other way to override this is there?

Thank you once again for helping me narrow this down. I hope I am able to get this solved ASAP...[/QUOTE]

Well, there are three ways to alter php settings that I know of.

1.) Within code

2.) Within a .htaccess file

3.) Within a custom php.ini file in the directory in question.

The problem with 1 is that by the time the setting is disabled within the code, the damage has already been done. So your only other choices are 2 and 3. However, they shouldn't give a 500 error unless you misconfigured either the .ini or the htaccess.

I recently used the htaccess method and it worked fine, simply open your htaccess file and place this on its own line (preferably the first line in the file):

php_flag register_globals off

That should either disable register globals or do nothing (if your host does not permit the setting being changed by htaccess). If you see a 500 error then you must not have done it correctly. If you're sure you've done it correctly and still get a 500 error, then the last thing you can try is to contact your hosting provider and see what they say.
@blackangus87authorMay 15.2010 — I double checked how I put the line in the .htaccess file and it's just like you explained. php_flag register_globals off on the first line of the file. I still get a 500 error.

The php.ini file I tried before didn't throw any errors.

Just to make sure, I am supposed to put the .htaccess file (or php.ini file) in the directory above my root, correct? Right now, using an FTP client, the place where all my files sit (php, html, images, the whole site basically) is located at this area /aaronjwood.com

I have my .htaccess at / (which also has the folder to view all the files that create my site). That is correct, right?

Hope that made sense.

Thanks again!
@Jarrod1937May 15.2010 — Not above your root, it should be [I]in[/I] your root document directory (www/public_html). So the same directory your index.php for your home page is in.
@blackangus87authorMay 15.2010 — Hmmm...I'm still getting the same 500 error. I guess I'll try to contact my host and see what they say. I'll post back with any info ASAP if they explain what's happening.
@blackangus87authorMay 16.2010 — Well, I talked to my host and I guess they were using the wrong file to set the configuration for this stuff. It's all set now. Thanks so much again Jarrod for pointing me in the right direction.