PHP :: Creating User Sessions W/out Using Sessions

Security With User Input And Sessions
I have two sort of related questions, if anyone would be so kind as to answer:

1. When I do an form for input (into a database) that is used for subsequently displaying on a web page, is there a function written to parse out all dodgy stuff, like putting HTML tags that could break the page, or filter out SQL that could corrupt or invalidate the entry or is there a regular expression that someone has already done to cover all areas?

2. If I am displaying data from a database and using sessions and the like, should I be putting something like this in my code (I found it in the php manual):

header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // past
header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
// always modified
header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header ("Pragma: no-cache"); // HTTP/1.0

Display Form Only Once Per User Using Sessions
I'd like a form with four questions to appear on each page of my web site, but only once per page. At the moment, if someone visits a page twice they get a questionnaire about it again.

Is the a way to use PHP sessions to remember not to display the form if it has already been used?

*SECURE* User Authentication Using Sessions.
I'm developing a member-based web site and I'm using a combination of PHP and MySQL. The way I currently have it set up is the user enters his username and password and the form handling script verifies the username and password and sets a session variable named "$verified_user" equal to the user's username. In each page that requires membership, I insert the "session_start()" at the top of the document, and then include an if statement such as:

if ($verified_user) {
// Display content
}
else {
You need to login.
}

This works perfectly, but I have found a security issue with this method. If the person is not logged in, they can simply append the variable "$verified_user" to the URL and set it equal to whatever they want. Such as:

http://www.mysite.com/topsecret.php3?verified_user=root

How do I implement a SECURE method using sessions?

Problems With Sessions - User Login
I have problems with sessions. It looks like the session variable "MM_UserID" is not passing from one page to another.

I created a login page (login.php) and built the form and added dreamweaver mx's login behavior to it.I then created a user info page (login_success.php)which users reach right after logging in that displays several bits of information from their entry in the database table. When I login, the login is successful but no dynamic data (the user's info) is displayed on the user info page. The codes for both the login page and the userinfo page are below:

Deleting Sessions If User Restarts
A user submits a form and thus a session has been created. What I want to do is if the user presses the back button or decides to re-submit another form, it'll overwrite the current one. How can I do this ?

Secure Site User Sessions
What I want to do is make a website im working on more user friendly, so ive completed the registration and login side to the site, but i need advice on what to use from here?, im using sessions at the moment while the user is logged in, but some people say there not to secure?, then I see things about HTTP authorization?, and also cookies?, im confused........

My question is, what is the most secure and reliable thing to use as users login, and go about the website?, what do most of you use?.

PHPLIB + One User + Detecting Multiple Sessions
I need to avoid new PHPLIB sessions from the same user on the same application.

If A User Closes His Browser, All Sessions Will Be Destroyed ?
how can i check wheter a user closed his browser ?

PHP Sessions - User Login Webpage - Preventing Autologout Due To Inactivity
I have a website where users can log into. This users sessions as I believe
most people use when implementing a login section of a website (each php
page first checks a valid parameter has been set to authorise that the user
has logged in and if it is not found it redirects the user to the login
page).

I have my code and it works fine, however on the live server, after a period
of inactivity the user will be logged out automatically.
However on my test server this is not the case and the user remains logged
no matter how long they have no activity for.
The exactly the same code is in place on both servers, just the servers are
from different providers so I assume set up differently.

What could be set up differently on the servers to be causing this
difference in behaviour and what can I do to override it? In an ideal world
I would be able to control the amount of inactive time before I user is
logged out automatically.

Creating A User Login
I want to create a link on a site that prompts a visitor with a login prompt. Once they enter in the code (could be one line or could be username and password) they will be taken to a different webpage within the site. Can this be done? ...and if so, how?

Creating A User-Comments Box
I'm having a bit of trouble creating a user-comments box. Basically, I'm working on a website like YouTube, which offers videos. Next to the videos, I'd like a comments table/box where users can post their comments about the video. There should only be 5 comments, so as not to flood the page. I would like the comments to be picked randomly from a database or sorted by newest first. Up to now I've got:

User input through a form -> Data is entered into database (MySQL)
However, as I mentioned before, I'm unsure about how this data would be entered into the comments table (and sorted).

Creating Active Directory User
does anyone already tried to create a user into active directory through
php_ldap ?

i tried something like this but still don't work :-/

$adduserAD["cn"][0] = "phpldapuser";
$adduserAD["samaccountname"][0] = "guguseli";

$adduserAD["objectclass"][0] = "top";
$adduserAD["objectclass"][1] = "person";
$adduserAD["objectclass"][2] = "organizationalPerson";

$adduserAD["givenname"][0] = "thomas";
$adduserAD["name"][0] = "tester";
$adduserAD["sn"][0] = "btester";
$adduserAD["description"][0] = "TEST-Account ldap";
$adduserAD["title"][0] = "Programm Manager";

ldap_add($ad, "ou=test, dc=my,dc=domain", $adduserAD) or die("error!");

PHP Sessions
Hello... im trying to start a session on my page... and it kind of works... after initializing the session, and assigning a value to that variable, when i print that variable... it prints the value, but also shows some error messages...

This is my code...
session_start();
session_register('userNum');
$userNum = mysql_result($res,0,"userId");
printf($userNum);

These are my errors...
Warning: Cannot send session cookie - headers already sent
by (output started at 'examplesiteandpage':2)
in 'examplesiteandpage' on line 8

Warning: Cannot send session cache limiter - headers already
sent by (output started at 'examplesiteandpage':2)
in 'examplesiteandpage' on line 8

Does anyone know why this happens? The variable is still created, and the value assigned... but i get the errors... thanks

Sessions Help
I am getting strage problems with sessions - actually rarely used them before.

I am basically just testing passing a session variable from one page to another.

Everything works great when uploaded to my hosting server but not when used locally!

Locally I am using Apache 1.3.20 and Php 4.0.6 on win2k with browser IE6

I am using the simplest session setup -

PAGE 1
session_start();
$_SESSION['name'] = "Kevin";
echo $_SESSION['name'];

Then a link to the second page -

PAGE 2
session_start();
echo $_SESSION['name'];

As I said everything works great on the hosting server but not locally.

I have looked at the output from phpinfo() on PAGE 2 and it shows that the session is being created and even has a value -

PHPSESSID=4c0ba2b373b1faf9dfd0c1c98705dfa0

This value showing in HTTP_COOKIE , Cookie and HTTP_SERVER_VARS["HTTP_COOKIE"]

The sessions are stored as cookies and if I look in the php/temp directory yup they are there!

So it looks like the sessions are being started, store the data in the cookie ok but are not being read on PAGE 2.

As I mentioned on the hosting server it works great.

Can someone please give us a clue why it isn't working locally?

thanks

Kevin
PS I also tried including a session_register('name')

as well as the older $HTTP_SESSION_VARS["name"] = "Kevin";

PHP Sessions
How do I find out the number of active sessions from so that I can use $HTTP_STATE_VARS[] to list the users logged onto a forum.

Sessions That Do Not End?
Does anyone know of anything that would make a session constant even after a user ends the session by closing the browser?

I am using sessions to assign users unique id's and when the user comes back to the site, they are being assigned the same session id, therefore making the entire concept useless.

Php Sessions
I start a session in my php page using the user supplied data. then i destroyed the session in next page. But when i use the back button of my web browser it asks to repost the data.If I click yes it will repost the data and start the session again even if i have logged out. Please tell me how to avoid this problem in the web pages that i create.

PHP Sessions
I am building a members section for my site and I was curious what the best way to go about remember users would be. The site I'm working on is mainly an information site which will have the ability for people to login and view reviews on products and also allow manufacturers to login and upload information about their products.

I was curious how I should remember a user is on my site. Currently, I have a $_SESSION[''] variable that remembers them but when they open a new browser it forgets them. Also this posses problems if they are still viewing my site but want to have 2 browsers open while on my site.

Is this the best method? Also considering they login - they will have to relogin everytime they come back to my site. This makes me wonder if I should use cookies. I have never used them before. Would they be the best solution? Are they secure?

Any information would be great.

Sessions And IE5 Or 6?
I had sessions working just fine and then all of a sudden they stopped working.

I'm wondering if IE5 or 6 handles sessions differently. Anyone had a similiar experience?

If not I guess I'm back to the drawing board. If anyone can help me get started with the proper way to start a session I would appreciate it. What I have is a session id and 2 variables. It seems that I can log in and the session is started but when I click on a link on the username page it forgets about the session that was created and I'm back on the login page again with no tracce of the session.

<?php
session_start();
session_register('username');
session_register('isloggedin');

if (!isloggedin)
{
loginmenu();
}
else
{
usermenu($username);
}
?>

Now You See It, Now You Don't Sessions
This one has me completely stumped. I have a simple site where I'm
using sessions to keep track of some information across multiple
pages. The trouble is, when I go to a page that displays the
information, sometimes I can see the information and sometimes I
can't. If I refresh the same page, the information may appear or not
in a completely random manner. And nothing is writing to the session
variable anywhere in the page.

I have displayed the information and it is definitely not there when
the information does not appear. I have checked the session id and it
remains the same regardless of whether the info appears or not. The
code runs fine on my local server (PHP 4.3.2) but not the ISP's server
(PHP 4.1.2).

My question is
- What on earth is going on here?
- And if the info is wiped out of the session array on a particular
page request, how does it reappear at some random page refresh?

Any ideas or thoughts from anyone would be greatly appreciated.

PHP Sessions
I have an all-in-one form that contains a 'login' form and the regular form. Each time you press submit, it basically goes back to the same script. Except, when the user hits submit after filling out the form, it gets caught on one of the first conditions and re-displays the login form.

I just need somehow to include a session variable in that part of the script that says, the user has already been here, it's okay - move on to the next part of the script.

My questions are: Do I put the session_start(); and session_register variables just once at the top of the page? Will those variables be available even after I press submit on either the login form or the regular form? Do I have to include session_start(); in more than one place, even though it is all one big script?

Sessions
I am trying to write an sql statement that reads all orderlines with the current session ID into the web page using php... I have the following SQL statement:
$sql = "SELECT sel_item, sel_item_qty, sel_item_price, sel_item_totalprice, date_added, phpsessid from user_track where phpsessid = "$phpsessid""; This doesn't work. Has anyone got any suggestions... this is pretty urgent.

Sessions
I am creating a join up form for a membership site and want the user to enter name, address, etc which I want to store in Session variables - I can do this ok.

The problem is that after all the data has been entered I pass the user to another site for payment processing, after this the user returns back to my site. ie

www.mysite.com/user_details.php -> www.payment.com -> www.mysite.com/payment_verified.php

What I want to do is somehow store the Session before the user leaves my site for payment processing and then restore the Session on the users return to my site.

Is there an easy and error free way of doing this? I would usually save user data to a mySQL database but I don't think creating a db just for this is worth while.

Sessions And CLI
Im currently working on a collection of scripts that will work in command line only. Im using the latest version of PHP.

Ive got problems figuring out how to start a session with a specific session_id. Maybe im doing something wrong here, but ive got no idea what. It seams that if I call session_start($id), where $id is a sessionid that i know for sure was already registered earlier, that specific session does not get initialized. See this simple test script PHP Code:

Sessions?
I want to login in a user, and then pass the username and session_id from page to page until the leave the admin area of the site. Here's a simplified function: PHP Code:

Sessions
I noticed that the windows xp has sessions disabled by default, as your regular user wont be aware of sessions does anyone have any novel ideas to work around this?

Sessions
Any pitfalls or stuff I need to worry about when working with sessions? I
want to write a log file and hit counter along with a login interface and
I'm trying to learn this stuff.

http://us.php.net/session

Just wondering if theres anything that I need to keep in mind while I work
on it?

IE6 And Sessions
is anyone experiencing problems with IE6 and session cookies? any pointers
to forums where it's being discussed would be....

Sessions+ssl
we are using apache OpenSa, with php on a win2k machine, we are having problems with sessions, the sessions are working under the normal apache server,, however when we use the OpenSa ssl component it wont work properly,,,we get the following errors,,,any ideas?

Warning: open(/tmpsess_50ca39a0d25cd9d3b98290de9a5379d5, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

i have created the session file in the php folder and put its path into the php.ini file,

Sessions / PHP 4.3.1
I have a website, to which members must "log on" to gain access.

The sequence of pages is as follows:

1. index.php
Contains form for username/password

2. login.php
starts session
<?
session_start();
session_register("user_id");
session_register("logged_in");
?>
validates authentication
A - if "ok"
i. sets $user_id and $logged_id
ii. goes to membersArea_frameset.php
B - if fails - goes to an error page

This setup normally works fine, for 99% of visitors.

However, every day i get a few emails from people who receive an error
message saying that the session has expired, rather than a successful login.
Each page (including the above frameset page) has an include of
'session_check.php'.

The contents of the file is:

<?
if ($logged_in != session_id())
{
echo "<script>self.location='error.php?error=2'</script>";
exit();
}
?>

For nearly all visitors, the above setup works fine.

Any ideas why some people are told straight after successfully logging in
that their session has expired? This is really worrying. I can't figure it
out.

Have I not set up the sessions correctly?

PHP - Version: 4.3.1

What Are Sessions?
I've always been puzzled on this one. What exactly are they and should I learn how to impliment them?

Sessions
I would like to do a session and get all of the information from a table that the user name and password is stored in and use it on a different page to be printed out. The books I have read are very vauge on this subject.

PHP Sessions And IE6
I have a website (e.g. www.mainsite.com) with a MySQL database and I use PHP for members to login, adddel records. Their UserID is recorded in a session variable.

I have a second website where the files are located at www.mainsite.com/subdirectory/ and I use framed web forwarding from my ISP which makes it look like www.secondsite.com is actually the contents of this sub directory.

I do this because www.secondsite.com is a customised website for that company but accesses the same database. With IE5 when you login to the database via www.secondsite.com it works fine but since i've upgraded to IE6 it gives me a login error. And I remember there is some new Cookie security thing from Microsoft.

Sessions
Warning: Cannot send session cache limiter - headers already sent (output started at /usr/local/apache_ssl/htdocs/mb/admin/author_menu.php:12) in /usr/local/apache_ssl/htdocs/mb/admin/author_menu.php on line 12

authorized is True Session is registered I added session_start(); on my pages and it displayed a warning message, what does it mean? i already tried the to add a session_cache_limiter to public but still didn't worked. need help ; ).

Sessions
I'm going insane with these sessions. I just can't get them to "stick" Here is what I have at the top of each page:

<?session_start();
if ($xauth!="YES") {header("location: login.php");}

I have a page that calls itself: href="$PHP_SELF" clicking on that link will work about 5 times - then ZAP - back to login.php I have cookies enabled on my own browser - so it is not a cookie problem. It is happening to me - and to everybody.

Sessions
So I have finnaly got around to playing with sessions and all seems to work, I had a few problems but i've fixed them. However i have a problem. PHP Code:

Sessions
I have had this session issue for months now and I just can't crack
it. I have the following 2 scripts...

aoltest.php
*************
<?php
session_start();
$_SESSION[s_check1] = "4";
?>
<a href="aoltest3.php">click me</a>

aoltest3.php
**************

<?php
session_start();
?>
<body>
The session is <?php echo $_SESSION[s_check1];?><br>
</body>

As you can see, what is supposed to happen is you open aoltest.php and
click the link and in aoltest3.php the session variable is visable.

Yes, this works fine, except on users on AOL. Not just an AOL browser
but the AOL ISP.

I am using PHP version 5.0.4 and from my phpinfo below are the
settings of the sessions section..

session
Session Support enabled
Registered save handlers files user
Registered serializer handlers php php_binary wddx

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid 0 0

I've tried changing the session.use_trans_sid and the
session.use_cookies using int_set() but to no luck. I can't changed
the php.ini as I'm on a shared server.

I can't beleive I am the only person with this issue. Has anyone seen
this problem before and has a solution?

Sessions
I am trying to implement a login system and have been told sessions are the way to go...only i cant make head or tail of them. i was using a cookie authentication system but had lots of probs. i need sessions to log a user in my website and also pass the variable "user_name" throughout every page that user visits!

Sessions
Im trying to use sessions to authenticate my pages - usernames/password being stored in a database, here's my code:

Sessions
As far as i know there are two types of sessions..

1)cookie based sessions
2)sessions stored in DB

now if cookies are disabled, will the cookie based session work? if no then why people prefer sessions over cookie?

Php Sessions
i have a web page on which i put some radio buttons and when i click it, its value is displayed in textbox.when i click 2 radio,the 2 values will be addded and displayed in textbox[like shopping cart].

next if i click submit button it print's those values in second page and i want to take some user input on second page and then all the data will be stored in db.i did all this using sessions.it's working but when iam in second page,and when i click the browsers back button,to go to the radio buttons page and select some other options it is showing session has expired.how to solve this problem.

Sessions
I'm just learning about sessions. The problem is when user can't recive cookies. What are the solutions?

Sessions!
i need to create something that will keep the username in 'store' so that it is available to any page on my site that has the members area

2) i need to have code that checks if the 'store' is there, and if the username is in the MySQL db if its there, i need it to display the page content if not...i need it to display a "You are not a member or bad password"

Sessions
Session does not work on my win xp machine.

I am using PHP Version 4.3.8
Apache Version Apache/1.3.31 (Win32) PHP/4.3.8
any help is appriciated

my session variable are:
session
Session Support enabled
Registered save handlers files user

Directive Local Value Master Value
session.auto_start Off Off
session.bug_compat_42 Off Off
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file no value no value
session.entropy_length 0 0
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path C:AppServphpsession C:AppServphpsession
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid Off Off

Sessions
I'm using sessions to pass vars from my form.php->verify.php->paypal->finish.php->mailer.php. I think I'm mixing versions of php sessions...dunno. The host I'm using has v4.2.2 with sessions enabled and the $HTTP_POST_VARS works well posted directly from form.php...but I think is messing me up in the mailer.php. I've tracked the session_id() all the way thru but the vars are not being passed into the final mailer.php. Fix? Code: