Saturday, 15 March 2014

PHP - session_start() creates new session every reload


I've read this before:

How to fix "headers sent" error in PHP

I have a session page; when I refresh/reload it, it creates a new session ID!

<?php
$islogin = 0;
$idadmin = 0;
session_start();
$sid = session_id();
include("connect.php");
// Look up the current session ID in the custom session table.
$result = mysql_query("select * from session_noti where sid='$sid'", $cn);
if (mysql_num_rows($result) > 0) {
    $row = mysql_fetch_object($result);
    $islogin = $row->islogin;
    $idadmin = $row->idadmin;
} else {
    // Unknown session ID: register it as not logged in.
    if (mysql_query("insert into session_noti (sid,islogin) values ('$sid',0);")) {
    } else {
    }
}
// The cookie value is interpolated directly into the SQL string.
$user_cookie = @$_COOKIE["*****"];
if ($user_cookie != '') {
    $user_cookie_res = mysql_query("select * from session_noti where sid='$user_cookie'");
    $user_cookie_row = mysql_fetch_object($user_cookie_res);
    $islogin = $user_cookie_row->islogin;
    $idadmin = $user_cookie_row->idadmin;
}
?>

Connect page:

<?php
$cn = mysql_connect("localhost", "root", "");
mysql_select_db("***");
?>

Why? It works fine on localhost, but when I want to upload it to the server, this scenario happens.

This code seems poorly designed. Apart from the usual "PHP4-style" errors (more on that later), it doesn't make sense to me.

If you're using PHP's sessions, why do you need to replicate a session table in the database? By using session_start() you're telling PHP to handle that hassle. Why are you accessing users' cookies directly?

I recommend you stick to one design and follow it. Do you want to manage sessions yourself, including passing session IDs, handling cookies, etc.? Then don't use PHP's built-in sessions (but be careful: the possibility of writing flawed code here is high). Do you want to use PHP's built-in sessions? Then stick with them.

If you want to attach details such as "isAdmin" to each user, you can use session variables: that's what they're made for :)

<?php
session_start();
if (empty($_SESSION)) {
    // redirect to login
} else {
    if (empty($_SESSION['logged_in'])) {
        // redirect to login
    } else {
        // user is logged in
        // is admin?
        if (!empty($_SESSION['is_admin'])) {
            // yes
        } else {
            // no
        }
    }
}
?>

There are plenty of guides and tutorials on using sessions with PHP. For example: http://www.phpro.org/tutorials/introduction-to-php-sessions.html

Additionally, make sure that sessions are enabled in php.ini. I recommend you use "cookie_only" sessions: that is, never make PHP pass the session ID as a GET or POST parameter. That will screw users with cookies disabled (are there still some?), but will save the others from being easy targets for session hijacking.

That said... about the "PHP4-style" code:

Don't use mysql_* functions. They're deprecated. Use mysqli or PDO, and use prepared statements when possible. For example, the line mysql_query("select * from session_noti where sid='$user_cookie'"); is a perfect place for an SQL injection attack.

Don't use the @ operator. It's bad! Instead, check whether the variable exists with isset() or empty().
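The answer's advice applied to the question's page, as an added example that is not part of the original post or answer: built-in cookie-only sessions, state kept in $_SESSION instead of a session_noti table, a PDO prepared statement, and isset() in place of @. It assumes PHP 7.3 or later served over HTTPS; the `admins` table with its columns, the form field names, and the DSN and credentials are hypothetical placeholders.

```php
<?php
// Added example. Assumptions: PHP >= 7.3, HTTPS, a hypothetical `admins`
// table (id, username, password_hash); DSN and credentials are placeholders.

// If output has already started, the session cookie cannot be sent and
// every request is handed a fresh session ID.
if (headers_sent($file, $line)) {
    error_log("Output started at $file:$line, session cookie cannot be sent");
    exit;
}

// Cookie-only sessions: the ID is never accepted from or written into URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue
session_set_cookie_params([
    'httponly' => true,  // not readable from JavaScript
    'secure'   => true,  // sent over HTTPS only (assumed deployment)
    'samesite' => 'Lax',
]);
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=DBNAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// isset() instead of the @ operator.
if (isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])) {
    // Prepared statement: input is bound, never concatenated into the SQL.
    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $_POST['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false
        && password_verify($_POST['password'], $row['password_hash'])) {
        session_regenerate_id(true);               // new ID at login
        $_SESSION['logged_in'] = true;             // state lives in the session,
        $_SESSION['id_admin']  = (int) $row['id']; // not in a side table
    }
}

$islogin = !empty($_SESSION['logged_in']);
$idadmin = $islogin ? $_SESSION['id_admin'] : 0;
```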
