PHP session side-effect warning - how to get solve?

Question

I have this script:

<?php
if ($_POST["username"]=="") {
    include($_SERVER['DOCUMENT_ROOT'] ."/login.inc.php");
} else { 
    $username=$_POST["username"];
    $password=$_POST["password"];
    session_start();
    if ($username=="bob" AND $password=="123"){ $permission="yes";}
    $username=$_POST["username"];
    session_register("permission");   
    session_register("username");  

    if ($permission=="yes"){
        // Show stuff
    }
}
?>

Excuse the funky formatting of my code - can't seem to get it to show properly.

So, I keep getting this error:

Warning: Unknown: Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively in Unknown on line 0

Which I'm assuming means I need to change one of my variable names so it doesn't conflict with the session variable right? That's what I read, but I'm not sure which one to change.

Answer 1

It is happening because of

session_register("username");  

It is not recommended, and deprecated as of PHP 5.3.

If you want your script to work regardless of register_globals, you need to instead use the $_SESSION array as $_SESSION entries are automatically registered. If your script uses session_register(), it will not work in environments where the PHP directive register_globals is disabled.

Source.

As we all know, register_globals is terrible, and should always be off.

The most common way to register a session var is with the $_SESSION superglobal, i.e.

$_SESSION['username'] = $username;

Answer 2

You better start on getting rid of deprecated functions such as session_register().

Use the $_SESSION array, e.g.

$_SESSION['username'] = $_POST['username'];