S.M_Emamian

Reputation: 17383

session_start() creates new session every reload

I've read this before:

How to fix “Headers already sent” error in PHP

I have a session page, when I refresh/reload it, it creates a new session id!

<?php

$islogin=0;
$idadmin=0;
session_start();
$sid=session_id();
include("connect.php");
$result=mysql_query("select * from session_noti where sid='$sid'",$cn);


if(mysql_num_rows($result) > 0){
    $row=mysql_fetch_object($result);

    $islogin=$row->islogin;
    $idadmin=$row->idadmin;

}else{
    if(mysql_query("insert into session_noti (sid,islogin) values ('$sid',0);")){
    }else{

    }
}

$user_cookie=@$_COOKIE["*****"];
if($user_cookie != ''){
    $user_cookie_res=mysql_query("select * from session_noti where sid='$user_cookie'");
    $user_cookie_row=mysql_fetch_object($user_cookie_res);  

    $islogin=$user_cookie_row->islogin;
    $idadmin=$user_cookie_row->idadmin;
}
?>

connect page:

<?php
$cn = mysql_connect("localhost","root","");
mysql_select_db("***");
?>

Why? It works fine on localhost; when I upload it to the server, this scenario happens.

Upvotes: 0

Views: 2256

Answers (1)

ItalyPaleAle

Reputation: 7296

This code seems designed very poorly. Except for the usual "PHP4-style" errors (more on that later), it doesn't really make sense to me.

  1. If you're using PHP's sessions, why do you need to replicate a session table in your database? By using session_start() you're already telling PHP to handle all that hassle.
  2. Why are you accessing users' cookies directly?

I recommend that you stick with a design and follow it.
Do you want to manage sessions yourself, including passing session ids, handling cookies, etc.? Then don't use PHP's builtin sessions (but be careful: the possibility to write flawed code here is really high).
Do you want to use PHP's builtin sessions? Then just stick with them.

If you want to attach details like "isAdmin" to each user, you can use session variables: that's what they're made for :)

<?php
session_start();

if(empty($_SESSION)) {
    // Redirect to login
}
else {
    if(empty($_SESSION['logged_in'])) {
        // Redirect to login
    }
    else {
        // User is logged in

        // Is admin?
        if(!empty($_SESSION['is_admin'])) {
            // YES
        }
        else {
            // NO
        }
    }
}
?>

There's plenty of guides and tutorials on using sessions with PHP. For example: http://www.phpro.org/tutorials/Introduction-To-PHP-Sessions.html

Additionally, make sure that in php.ini sessions are enabled. I strongly recommend using "cookie_only" sessions: that is, never make PHP pass the session id as a GET or POST parameter. That will screw those users with cookies disabled (are there still some?), but will save all the others from being easy targets for session hijacking.

That said... About your "PHP4-style" code:

  1. Don't use mysql_* functions. They're deprecated. Use MySQLi or PDO, and use prepared statements when possible. For example, the line mysql_query("select * from session_noti where sid='$user_cookie'"); is a perfect place for an SQL Injection attack.
  2. Don't use the @ operator. It's bad! Instead, just check if the variable exists with isset() or empty().

Upvotes: 2
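As an added example (not code from the question or the answer), here is the question's page logic rebuilt along the lines the answer recommends: PHP's own session store with cookie-only ids, session variables for the login/admin flags, and a PDO prepared statement in place of the injectable mysql_query() string. The users table, its columns, and the DSN/credentials are assumptions for illustration.

```php
<?php
// Added example, not from the question or answer. Replaces the hand-rolled
// session_noti table with $_SESSION and the raw mysql_query() with PDO.
// Assumed: a "users" table with id, username, password_hash, is_admin.

// Cookie-only sessions: never accept or emit the session id via GET/POST.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject client-supplied, uninitialized ids
session_set_cookie_params([
    'httponly' => true,                    // not readable from JavaScript
    'secure'   => isset($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);

if (!session_start()) {
    // Session storage is unusable (e.g. save_path not writable): fail closed
    // instead of silently handing out a fresh id on every request.
    http_response_code(500);
    exit('session unavailable');
}

// Per-request state comes from the session, no INSERT/SELECT per page load.
$isLoggedIn = !empty($_SESSION['logged_in']);
$isAdmin    = $isLoggedIn && !empty($_SESSION['is_admin']);

// Login step: look the user up with a prepared statement, then populate the
// session. Regenerating the id on login defeats session fixation.
function login(PDO $db, string $username, string $password): bool
{
    // The username is bound as a parameter; it never becomes SQL text.
    $stmt = $db->prepare('SELECT id, password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['is_admin']  = (bool) $row['is_admin'];
    return true;
}

// Placeholder DSN and credentials; replace with a least-privilege DB account.
$db = new PDO('mysql:host=localhost;dbname=APP_DB_PLACEHOLDER;charset=utf8mb4',
              'app_user', 'APP_PASSWORD_PLACEHOLDER',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
```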
