For some strange reason I am having problems with sessions, mainly in Safari I believe, which is weird considering PHP is a server-side programming language. Anyways, when a person goes to /cp (control panel) for example, it redirects them to login.php?url=/cp. Then they log in, the sessions are created, and then it redirects them to /cp. But for some strange reason if there is $_GET, the session is only set for the pages in the /cp directory, even if the $_GET is in the same directory as login.php. It's strange. Can anyone help me out?

Login.php

<?php
ob_start();
session_start();
include("config.php");
?>

<html>

<head>
<title>login</title>
<LINK REL=StyleSheet HREF="/style.css" TITLE="main" TYPE="text/css">
</head>

<body background="bg.bmp">




<?php require 'header.php'; ?>
<h2>Login</h2>

<?php
if ($logged_in) {
    echo "you are already logged in!";
} else {
    // Default return target; set it before it is used in the redirect below
    if (empty($_GET['url'])) {
        $_GET['url'] = "/cp";
    }

    if (!empty($_POST['username']) || !empty($_POST['password'])) {
        if (empty($_POST['username']) || empty($_POST['password'])) {
            echo "<div id='error'>Please fill in all fields</div>";
        } else {
            $dbh = mysql_connect($host, $user, $pass) or die('I cannot connect to the database because: ' . mysql_error());
            mysql_select_db($database, $dbh);

            // Escape the submitted values before they are placed in the query
            $safe_username = mysql_real_escape_string($_POST['username'], $dbh);
            $safe_password = mysql_real_escape_string($_POST['password'], $dbh);
            $result = mysql_query("SELECT * FROM `members` WHERE `username`='" . $safe_username . "' AND `password`='" . $safe_password . "'", $dbh) or die("error in login.php" . mysql_error());

            if (mysql_num_rows($result) == 0) {
                echo "<div id='error'>That username/password you entered is incorrect</div>";
            } else {
                // "Remember me" keeps the credentials in plain-text cookies for 100 days;
                // checkLogin() in config.php reads them back into the session
                if (isset($_POST['rememberme'])) {
                    setcookie("username", $_POST['username'], time() + 60 * 60 * 24 * 100, "/");
                    setcookie("password", $_POST['password'], time() + 60 * 60 * 24 * 100, "/");
                }
                $_SESSION['username'] = $_POST['username'];
                $_SESSION['password'] = $_POST['password'];
                session_write_close();
                // Send the user back to the page they originally asked for
                header("Location: " . $_GET['url']);
                exit;
            }
        }
    }
?>
Please enter your username and password to continue
<form method="post" action="/login.php?url=<?php echo htmlspecialchars($_GET['url']); ?>">
<table border="0">
<tr><td>Username:</td><td><input type="text" name="username" size="20"></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" size="20"></td></tr>

<tr><td></td><td><input type="checkbox" name="rememberme">Remember me?</td></tr>
<tr><td></td><td><input type="submit" value="login"></td></tr>
<tr><td></td><td><a href="/forgot.php">forgot password?</a></td></tr>
<tr><td></td><td><a href="/register.php">not registered?</a></td></tr>
</table>
</form>

<?php
}
include('footer.php');
?>
</body>

</html>
<?php ob_end_flush(); ?>

config.php

<?php
$host = "";     // host
$user = "";     // username
$pass = "";     // password
$database = ""; // db

function confirmUser($username, $password) {
    global $host, $user, $pass, $database;

    $dbh = mysql_connect($host, $user, $pass) or die('I cannot connect to the database because: ' . mysql_error());
    mysql_select_db($database, $dbh);

    // Escape the username before it goes into the query; the earlier
    // magic_quotes check did nothing because its addslashes() line was commented out
    $q = "SELECT `password` FROM `members` WHERE `username`= '" . mysql_real_escape_string($username, $dbh) . "'";
    $result = mysql_query($q, $dbh) or die("error in config.php" . mysql_error());
    if (!$result || (mysql_num_rows($result) < 1)) {
        return 1; // Indicates username failure
    }

    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = stripslashes($dbarray['password']);
    $password = stripslashes($password);

    /* Validate that password is correct (passwords are stored in plain text) */
    if ($password == $dbarray['password']) {
        return 0; // Success! Username and password confirmed
    } else {
        return 2; // Indicates password failure
    }
}

function checkLogin() {
    /* Check if user has been remembered */
    if (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
        $_SESSION['username'] = $_COOKIE['username'];
        $_SESSION['password'] = $_COOKIE['password'];
    }

    /* Username and password have been set */
    if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
        /* Confirm that username and password are valid */
        if (confirmUser($_SESSION['username'], $_SESSION['password']) != 0) {
            /* Variables are incorrect, user not logged in */
            unset($_SESSION['username']);
            unset($_SESSION['password']);
            return false;
        }
        return true;
    }
    /* User not logged in */
    return false;
}

$logged_in = checkLogin();

function checkAccess() {
    if (checkLogin() != true) {
        /* Not logged in, so no access */
        return false;
    }
    global $host, $user, $pass, $database;
    $dbh = mysql_connect($host, $user, $pass) or die('I cannot connect to the database because: ' . mysql_error());
    mysql_select_db($database, $dbh);
    $result = mysql_query("SELECT `access` FROM `members` WHERE `username`='" . mysql_real_escape_string($_SESSION['username'], $dbh) . "' AND `access`=1", $dbh) or die(mysql_error());
    /* Access is granted only when the member's access flag is 1 */
    return mysql_num_rows($result) > 0;
}

$check_access = checkAccess();
?>

Hello I do not know the answer to your problem but I noticed you are outputting HTML to the browser before calling the header(); function.

You may get errors doing that.

Hi cjm771,

In your login form, you're setting the action of the form to:

/login.php?url=<?echo $_GET['url']?>

The form sends its data to the server via HTTP POST and you have a URI string that would usually be sent via a HTTP GET.
It usually works, but maybe Safari isn't sending the url param for some reason?
What you could do is use a hidden field instead of appending it to the url.
<input type="hidden" name="url" value="<?php echo $_POST; ?>" />

but for some strange reason if there is $_GET, the session is only set for the pages in the /cp directory, even if the $_GET is in the same directory as login.php.

Isn't a session limited only by domain? It doesn't matter which directory it is in.

The frequent problem is if you redirect to say: http://www.example.com/ when you set the session for http://example.com
Browsers treat www.example.com as a different domain from example.com

It's a bit hard to read your code. I suggest you separate the database connection into a separate class or function. Maybe just call functions instead of making database calls in login.php (so that all the functions that call the database are in config.php or a separate file). Just a suggestion.
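As an added example (not code from this thread or its posters), here is how the login step from the original post can keep its `?url=` return parameter while validating it, using a prepared statement, a hashed password and a regenerated session id; it also pins the session cookie path to "/" so the cookie is not tied to one directory, and rejects absolute URLs so a www/non-www redirect like the one described above cannot happen. Assumed and not from the thread: PHP 7.3 or later, a `members` table with `username` and `password_hash` columns, and the PDO DSN and credentials.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.3+, a `members` table
// with `username` and `password_hash` columns (the thread's table stores
// plain-text passwords) and a placeholder PDO DSN.

// Accept only a local absolute path as the post-login target. A scheme, host or
// backslash form ("//evil.example", "http://www.example.com/cp", "/\evil.example")
// falls back to the default, which also avoids the www/non-www cookie mismatch.
function safeReturnPath(?string $url, string $default = '/cp'): string
{
    if ($url === null || !preg_match('#^/(?![/\\\\])[^\\\\\r\n]*\z#', $url)) {
        return $default;
    }
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $url;
}

function attemptLogin(PDO $db, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown so the response
    // time does not reveal whether the username exists.
    $hash = $row ? $row['password_hash'] : $dummyHash;
    if (!password_verify($password, $hash) || !$row) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id after the privilege change
    $_SESSION['username'] = $username;  // the password itself is never stored
    return true;
}

// One cookie path ("/") for the whole site; HttpOnly keeps it away from scripts.
session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass'); // assumed DSN
    if (attemptLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        header('Location: ' . safeReturnPath($_GET['url'] ?? null));
        exit;
    }
}
```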
