PHP Forum

**johanesw** · 08:07 AM

Hi everyone...i'm makin a login script which uses session. It works like this: if id and pw is correct, make sessions called $_SESSION['id'] and $_SESSION['pw']. Then...if $_SESSION['id'] and $_SESSION['pw'] is set, redirect to controlpanel.php .
Then after it's redirected to controlpanel.php, there's another check. If $_SESSION['id'] and stuff doesn't exist, redirect to error.php. This is supposed to work. I tested with IE, and it worked perfect, but in the infamous Netscape and Mozilla...after it's redirected to controlpanel.php, it turns out that those sessions don't exist.....so it redirected to error.php .....

The way i'm redirecting is like this :

[PHP]
if(blahblah){
echo '<meta http-equiv="refresh" content="0;url=blahblah.php">;
}

....so what's the point here.....

I'm asking if you know whether Netscape and Mozilla supports session or not...and if it does, will the session still exist if the page is redirected to another page using meta refresh.

What's the difference between Netscape/Mozilla's session than IE's....

Please Liberate me from this treacherous agony caused by these rebellious monsters, NETSCAPE AND MOZILLA

....

Note: I entered the same id and pw in both browsers (IE and netscape/mozilla)

**ibbo** · 07-09-2004, 08:15 AM

Microsofts browsers have allways been full of security holes and they have numerous flaws with other thigs too.

Netscape on the other hand is open source thus free and thats allways better IMHO. Plus its a damned good browser.

The sessions should work fine in either browser though.

If its working in one it should be working fine in the other.

Ibbo

**johanesw** · 10:09 AM

1st of all: I ain't makin this thread to argue 'bout browsers

2nd of all: you haven't answered my question: Does netscape/mozilla can still read session variables even though it's redirected using meta refresh?

3rd of all: It's not working fine here

**ibbo** · 07-09-2004, 11:08 AM

I allready said it should make no difference. A session is a session no matter what browser you are using.

The browser is simply a method of displaying what you wish to. It is part of the presentation layer.

The application layer that has you php code and session stuff is not even bothered about the browser if you have it working in IE I cant see why it isnt working under Netscape/ Mozzila/ firefox.

If it isnt working then post your code I am more than happy to take a look.

Also Netscape may have cookies & what have you turned off, I dont know if this would effect the session (I cant see it) but you can try for nothing.

Ibbo

**cmonkey** · 07-09-2004, 11:13 AM

I'm using a similar login setup on several of the sites that I manage and have never had a problem with Mozilla browsers, double check your code, and post if here like ibbo said if you want someone to look it over.

**johanesw** · 07-09-2004, 05:49 PM

I didn't post my code because it was too long and complicated, but I'll put the important ones only, and we programmers always deal with complicated things anyway

.

Ok this is the form. It is located in my index.php:

HTML Code:

<form name="login" method="post" action="secure/clientsarea/index.php?id=logging_in">
Client's ID : <br>
								<img src="images/spacer.gif" width="10" height="20">
								<input type="text" size="15" name="un" align="top" class="input" maxlength="25"><br>
								<img src="images/spacer.gif" width="10" height="20">
								Password : <br>
								<img src="images/spacer.gif" width="10" height="20">
								<input type="password" size="15" name="pw" class="input" maxlength="25">
								<br>
								<img src="images/spacer.gif" width="10" height="20">
								<input type="button" value="Log In" onClick="document.login.submit();">
							</span>
						  </form>

Ok...now this is the login processing code. As you can see from the form above, it's secure/clientsarea/index.php?id=logging_in.

This index.php actually contains nothing but the design. The content is actually in logging_in.php . That's why there's id=logging_in. It's for including logging_in.php.

So this login processing code is in logging_in.php : (NOTE: the session is already started in the first line of the index.php. As I have said, this logging_in.php is just included in the index.php)

PHP Code:


			
<?php

include('../../php_library/lib_db.php');

$host = "secret";

$un = "secret";

$pw = "secret";

$db = "secret";

$conn = jw_connect_db($host,$un,$pw,$db);

$query = "SELECT * FROM clients_area WHERE username='{$_POST['un']}'";

$data = jw_fetch($query,$conn);

$theid = $data->username;

$password = $data->pw;

function log_in($thepw){

    if(isset($_POST['un']) && isset($_POST['pw'])){

        if($_POST['pw'] == $thepw){

        

            $_SESSION['un'] = $_POST['un'];

            $_SESSION['pw'] = $_POST['pw'];

            return "correct";

        }

        else{

            return "wrong";

        }

    }

    else{

        return "id wrong";

    }

}

$iscorrect = log_in($password);

?>

Ok...as you can see, if the username and pw is correct, $iscorrect will contain the string "correct".

This code is the PHP code for writing the meta refresh tag. It is located in the head section of this logging_in.php:

PHP Code:


			
<?php 

if($iscorrect == "correct"){

    echo '

    <meta http-equiv="refresh" content="0;url=index.php?id=controlpanel">

    ';

}

elseif($iscorrect == "wrong"){

echo '

             <meta http-equiv="refresh" content="0;url=../../index.php?id=log_in&pwwrong=true">';

}

elseif($iscorrect == "id wrong"){

    echo '

             <meta http-equiv="refresh" content="0;url=../../index.php?id=log_in&idwrong=true">



    ';

}

?>

So the code above is for redirecting to specific pages depends on what the situation is. When I tried to login with Netscape/Mozilla, it redirected to index.php?id=controlpanel which means that the username and password that I entered were correct, and supposedly there will be session variables:

$_SESSION['un'] and $_SESSION['pw']

So we're redirected to index.php?id=controlpanel.

Before I do the next piece of explanation, I'll show you the code of the very first lines of the index.php:

PHP Code:


			
<?php

    session_start();

    $inside_nav = true;

    if(empty($_GET["id"]))

    {

        $theid = "controlpanel";

    }

    else{

        $theid = $_GET["id"];

    }

    if(isset($_SESSION['un'])){

        $c_un = $_SESSION['un'];

    }



?>

As you can see, the session is started here. Now, in the head section of the index.php, there's also a piece of PHP code:

PHP Code:


			
<?php

if(empty($_SESSION['un']) && empty($_POST['un']) && empty($_POST['pw'])){

    echo '

        <meta http-equiv="refresh" content="0;url=../../index.php?id=log_in&nosession=1">

        ';

}

?>

This code is for in case if someone accessed the index.php without logging in which means that there will be no $_SESSION['un'], no $_POST['un'] and no $_POST['pw']. If someone did, it should redirect to this index.php?id=log_in&nosession=1 which will display an error that the person must log in first.

Ok so what's going on between these browsers? When I log in with IE, from root's index.php which contains the form, the form is posted to /secure/clientsarea/index.php?id=logging_in. The username and pw is correct so it redirects to index.php?id=controlpanel and stays there. But in Netscape/Mozilla's case, after it redirected to index.php?id=logging_in, it redirects to index.php?id=controlpanel and then when the index.php checks whether $_SESSION['un'], which is the username, exists or not, it turned out that it doesn't exist while it's already set before. So it redirects to ../../index.php?id=log_in&nosession=1.

Phew...that was long...I know how it feels so a million..no a bazillion thanks for any help.

**Kyrnt** · 07-10-2004, 10:40 AM

johan,

ibbo is right. A session has nothing to do with the browser. Unless you are specifically checking the type of browser then terminating the session based on the results (which I doubt), then there is no relevance. A session is completely handled by the server and is not subject to browser differences.

**DarkLordTed** · 08-15-2006, 05:38 PM

Hi to all!
The johanesw is absolutely right the problem is real. I known - the PHP work on Server but I have code that work perfect with Internet Explorer, Opera and Mozila but have bug under Netscape similar to this! All $_SESSION varibles are unregister -
the print_r($_SESSION) return array{} Why I don't known but is fact.
In addition: I'm programmer from 11 years (not lamer) this is not my error!
Sorry for bad english.

**TwistMyArm** · 08-15-2006, 06:27 PM

You should be able to see pretty quickly in Firefox, for example, what cookies are set by your server. Assuming you're storing your session ID in a cookie, which is most likely.

Maybe your server is setting the cookie for a different domain (eg. Viber Informatik GmbH CH-6072 Sachseln vs. servername.com vs. .servername.com).

Just a thought. At least then you can see if it's trying to set some sort of session up!

**Oneway** · 08-15-2006, 06:50 PM

My guess exactly.. Almost all session problems are caused by faulty cookie sessions. And with accepting faulty cookies, the difference between browsers comes into play.
Some accept cookies from faulty domains, other reject if even the path is wrong.
And to top it off most of the browsers are user configurable for this behaviour (to some extent anyway).

It's been a long time since i had to work with sessions so my knowledge is a bit rusty. But i wish you good fortune in solving these issues.

**mgraphic** · 08-15-2006, 09:17 PM

One reason I can think of is that the browser might configured to ignore cookies and session cookies. There is a workaround to this by checking the constent SID which will contain both the session name and id if the sessions are not being accepted. You can only pass this thorugh the URL.

PHP Code:


			
<form name="login" method="post" action="secure/clientsarea/index.php?id=logging_in<?php if(SID) echo '&' . SID; ?>">

Also, if you have a SSL certificate on your domain, you will need to address the full URL in order to go into secure mode:

PHP Code:


			
<form name="login" method="post" action="https://www.domain.com/secure/clientsarea/index.php?id=logging_in<?php if(SID) echo '&' . SID; ?>">

If I were you, I wouldn't trust using meta refresh. You can redirect using php, but it only works if you have not sent any output to the browser first:

PHP Code:


			
header('Location: http://www.domain.com/index.php?id=controlpanel' . ( (SID) ? '&' . SID : '' ));

BTW - I have to say that your login script offers too many chances for a hacker to exploit. You might want to consider to sanitize all user request input (get, post, cookie) before passing into your sql queries. Don't put as much trust into your URL vars.

Read: http://www.webmaster-talk.com/php-fo...icks-must.html

Hope this helps!