To set up a login system by Sessions in PHP

Question

I found the source of the problem #2. It is the use of *session_register(foo)*.

I put the following to my *handle_registration.php*.

session_register("foo");
session_register("foo2");

$foo2 = $_POST['email'];
$foo['email'] = $_POST['email']

The problem still persists, since no variables are stored to my session cookie.

---

This is the logic of my login script.

1. Solved by Pascal Martin and The Disintegrator: Which is the right place to put the function session_write_close in generating sessions for login?
2. How can you get a permanent session for user "session" such that a new session is not started each time index.php is loaded?

I have the session_start() at the beginning of my index.php.

The very Beginning of my index.php

 session_start();       
 if($_SESSION['logged_in'] == false) {
     $random_number = rand(1,100000);                                                       
     session_id($random_number);
     session_id['email'] = '';
 }

while the very end of my index.php

<?php
session_write_close();        // Session code ends here!
?>

I have right after the very beginning of the session code the validation process of user's password by

 $dbconn = pg_connect("host=localhost port=5432 dbname=masi user=masi password=123");
 $result = pg_prepare($dbconn, "query22", "SELECT passhash_md5 FROM users
         WHERE email=$1;");

 $passhash_md5 = pg_execute($dbconn, "query22", array($_REQUEST['email']));     
 // users from registration/login form
 if ($passhash_md5 == md5($_REQUEST['password'])) {
     $_SESSION['logged_in'] = true;
     $_SESSION['email'] = $_REQUEST['email'];
     $_SESSION['passhash_md5'] = md5($_REQUEST['password']);
 }

 // this may be unnecessary if the passhash_md5 cannot be changed by the user 
 $passhash_md5_2 = pg_execute($dbconn, "query22", array($_SESSION['email']));  
 // users staying in the site
 if ($passhash_md5_2 == $_SESSION['passhash_md5'])) {
     $_SESSION['logged_in'] = true;
 }

The code generates me continuously random sessions such that no user's data is being saved for the user. I replaced each $_REQUEST after the login/registration handlers by $_SESSION in my code, since $_REQUEST does not include $_SESSION - still the same problem and I cannot see the username in the homepage after registration/login.

Answer 1

You should use output buffering to prevent this

<?php
ob_start();
everything here
ob_end_flush();
?>

You can't send headers once the normal output takes place.

Answer 2

• http://www.php.net/manual/en/function.session-regenerate-id.php#53480
• http://www.php.net/manual/en/function.session-regenerate-id.php#85433

Answer 3

Your code looks like this :

                             -- content cut --
</html>
<?php
session_regenerate_id(true);               // Session code ends here!
session_write_close();
?>

You definitly have some output (the whole content of your page, actually) before session_regenerate_id is called ; hence the error.

The problem is not with "empty lines" or spaces : it is with output ; and HTML is output ;-)

Like the call to session_start, the call to session_regenerate_id should be done at the beginning of the script, before anything is sent to the browser.
So, here, in the block at the "top" of your index.php.

---

EDIT : more thoughts.

BTW? I'm not sure you actually need to call session_write_close ; I've probably never used that function, I believe... And, quoting the doc :

Session data is usually stored after your script terminated without the need to call session_write_close()

The only case you might need to call this function yourself is if you are doing long calculations :

session data is locked to prevent concurrent writes only one script may operate on a session at any time. When using framesets together with sessions you will experience the frames loading one by one due to this locking. You can reduce the time needed to load all the frames by ending the session as soon as all changes to session variables are done.

But this doesn't seem to be your case, as you are calling this at the end of your script.

So, you could try removing the (useless ?) call to that function...

And, about session_regenerate_id : do you really need to call this function on each page ?

I suppose never calling it would be enough for your site to work... Even if you might want to call it when the user logs in, for security precautions (If I remember correctly, it's nice to call this function whenever the privileges level of a user changes)

Same about session_id, btw : do you really need to call this function on each page ?

Answer 4

session_regenerate_id — Update the current session id with a newly generated one

If you use it the way you are, you will be generating new sessions over and over.

session_id — Get and/or set the current session id

You are setting a new session every time with a random number.

Actually, the only thing you NEED to use sessions is to put a session_start() statement at the beginning of the script.