PHP Session Variables Not Being Set For Certain Browsers

  #1 (permalink)  
Old 12-27-2003
Andy Higgins
 
Posts: n/a
Default PHP Session Variables Not Being Set For Certain Browsers

Hello All,

I have been racking my head over a problem where a large percentage of users
are unable to log into my php site due to what seems to be a problem with
setting php session variables on certain end user browsers (certain versions
of AOL seem to be particularly problematic). Below are some snippets of code
that are used to do the authentication/ login.

Has anyone encountered the same problem and if so do you have a solution?
The only solution I can think of is to pass the session using PHPSESSION in
the URL however I would like to avoid this if at all possible as it involves
a major re-write of the code (as session variables are used elsewhere in the
session) and if I am not mistaken if a user accesses a non-php page then the
session is lost requiring them to log in again.

Currently the following code is used to check whether a user is logged in:

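<?php

// True when no login has been recorded in this session.
$notAuthenticated = !isset($HTTP_SESSION_VARS['authenticatedUser']);

// True when the request comes from a different IP address than the login did.
$notLoginIp = isset($HTTP_SESSION_VARS['loginIpAddress']) &&
    ($HTTP_SESSION_VARS['loginIpAddress'] != $_SERVER["REMOTE_ADDR"]);

if ($notAuthenticated || $notLoginIp) {

    // Remember the requested page so Login.php can return to it.
    if (!session_is_registered("targetURL"))
        session_register("targetURL");

    $HTTP_SESSION_VARS['targetURL'] = $_SERVER["REQUEST_URI"];

    header("Location: /smartbid/php/Login.php");
    exit; // stop here so the protected page is not sent along with the redirect

}

?>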

And in Login.php after doing a check on the username and password the
following session variables are set:

session_start();

session_register("authenticatedUser");
$HTTP_SESSION_VARS['authenticatedUser'] = $userId;

session_register("loginIpAddress");
$HTTP_SESSION_VARS['loginIpAddress'] = $_SERVER["REMOTE_ADDR"];

It is the setting of the above session variables in Login.php that appears
to be failing for some browsers resulting in users using these browsers
continually being redirected to the Login page when the above check to see
if they are logged in is done.

Any help that could be supplied would be greatly appreciated.

Thank you.

Regards,
Andy

  #2 (permalink)  
Old 12-27-2003
Andras Kende
 
Posts: n/a
Default RE: [PHP] PHP Session Variables Not Being Set For Certain Browsers

Andy,

Not sure, but maybe AOL users on proxy and their ip address can change.....

Andras Kende
http://www.kende.com

  #3 (permalink)  
Old 12-27-2003
Andy Higgins
 
Posts: n/a
Default Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers

Hi Andras,

Yes, good point. Thank you. It could be that the IP address of the user is
changing on each HTTP request that is made, which would explain the problem
(although that does seem quite odd). Can anyone confirm whether AOL (or any
other ISPs for that matter) change a user's IP address as seen by the web
server (for example through a proxy) within the same session?

Assuming that the above is the problem, does anyone know whether
removing the check in the authentication to see whether the user is using
the same IP address as they logged in with compromises the security of the
login i.e. will it be possible for someone to hijack the login if this
check is not there? Or does anyone have any other suggestions for doing
authentication?

Thank you.

Regards,
Andy
  #4 (permalink)  
Old 12-27-2003
Gerard Samuel
 
Posts: n/a
Default Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers

On Saturday 27 December 2003 07:03 am, Andy Higgins wrote:
> Hello All,
>
> I have been racking my head over a problem where a large percentage of
> users are unable to log into my php site due to what seems to be a problem
> with setting php session variables on certain end user browsers (certain
> versions of AOL seem to be particularly problematic). Below are some
> snippets of code that are used to do the authentication/ login.
>
> Has anyone encountered the same problem and if so do you have a solution?
> The only solution I can think of is to pass the session using PHPSESSION in
> the URL however I would like to avoid this if at all possible as it
> involves a major re-write of the code (as session variables are used
> elsewhere in the session) and if I am not mistaken if a user accesses a
> non-php page then the session is lost requiring them to log in again.
>


I'm just putting the finishing touches to my code, that I had to rewrite for
similar reasons as you.
You're going to have to include the session id in the url for those users who
do not allow cookies.
Using this fact about the constant SID
a) If the user's browser accepts cookies, SID will be empty ""
b) If the user's browser does not accept cookies, SID will be "PHPSESSID=xxx"

So what I did, was append the constant SID to all urls/forms and php header()
(for redirection) functions that point to the site that is serving the
content (don't append SID to urls going to other sites).

So the final results will be
a) If the user's browser accepts cookies, urls/forms/php header() will be
normal
b) If the user's browser does not accept cookies, the session id is appended
to urls/forms/php header()

OR

you can take the easy way out, and turn on transparent ids with ->
http://us2.php.net/manual/en/install.configure.php#install.configure.enable-trans-sid
  #5 (permalink)  
Old 12-27-2003
Andy Higgins
 
Posts: n/a
Default Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers

Hi Gerard,

Thank you very much for the response. Please can you clarify the following:

1. At the time of login will the login code need to check if the client's
browser accepts cookies and if not then append the SID as described? If so,
do you perhaps have a sample piece of code that does this?
2. Am I correct in understanding that if the client has logged in (with no
cookies enabled i.e. the SID needs to be passed) and the site contains other
static pages (that cannot pass the SID) that if the client browses any of
these static pages and then returns to a page that required the client to be
logged in that they will have to log in again?
3. For forms, where the SID needs to be passed, do you pass this as a hidden
form variable or do you do it on the URL?

Your help is greatly appreciated.

Thanks again.

Regards,
Andy
  #6 (permalink)  
Old 12-27-2003
Mark Charette
 
Posts: n/a
Default RE: [PHP] PHP Session Variables Not Being Set For Certain Browsers

> -----Original Message-----
> From: Andy Higgins [mailto:andy.higgins@telkomsa.net]
> Can anyone confirm whether
> AOL (or any
> other ISPs for that matter) change a user's IP address as seen by the web
> server (for example through a proxy) within the same session?


It's been pointed out and confirmed many, many times here. An IP is not
useful for authentication in the general case (you may have a specific case
on an intranet, but major players like AOL put everything through load
balancing proxies that change from request to request).
Reply With Quote
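Added example, not code from any poster in this thread: a sketch of the login check from post #1 with the REMOTE_ADDR comparison dropped, as the replies above suggest, and the session protected by a regenerated id and cookie flags instead. The function names, the `loginTime` key, PHP 7.3+ and an HTTPS site are assumptions; the other session keys and the login path are the ones from post #1.

```php
<?php
// Added example (hypothetical helper names); assumes PHP 7.3+ and HTTPS.

function start_site_session(): void
{
    ini_set('session.use_strict_mode', '1'); // refuse ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,      // cookie lasts until the browser closes
        'path'     => '/',
        'secure'   => true,   // assumption: site is served over HTTPS
        'httponly' => true,   // keep the id away from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from Login.php once the username and password have been verified.
function complete_login(string $userId): void
{
    // Issue a fresh id at login so an id seen before login stops working.
    session_regenerate_id(true);
    $_SESSION['authenticatedUser'] = $userId;
    $_SESSION['loginTime'] = time();
}

// Accept only a local path as the post-login destination.
function safe_target(?string $target, string $default = '/'): string
{
    if ($target === null || $target === '' || $target[0] !== '/') {
        return $default;
    }
    // "//host" and "/\host" are treated by browsers as another site.
    if (strlen($target) > 1 && ($target[1] === '/' || $target[1] === '\\')) {
        return $default;
    }
    // Control characters have no place in a Location header.
    if (preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return $default;
    }
    return $target;
}

// Call at the top of every protected page, after start_site_session().
function require_login(string $loginUrl = '/smartbid/php/Login.php'): void
{
    if (isset($_SESSION['authenticatedUser'])) {
        return; // logged in; the client address is deliberately not compared
    }
    $_SESSION['targetURL'] = safe_target($_SERVER['REQUEST_URI'] ?? null);
    header('Location: ' . $loginUrl);
    exit; // send nothing from the protected page
}
```

After `complete_login()`, Login.php would redirect to `safe_target($_SESSION['targetURL'] ?? null)` rather than to the stored value directly.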
  #7 (permalink)  
Old 12-27-2003
Andy Higgins
 
Posts: n/a
Default Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers

Hi Mark,

Thank you for confirming that for me. I am new to the list and did do a
search through past messages but did not find this point (obviously I did not
look hard enough).

Thanks again.

Regards,
Andy
  #8 (permalink)  
Old 12-27-2003
Gerard Samuel
 
Posts: n/a
Default Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers

On Saturday 27 December 2003 10:54 am, Andy Higgins wrote:

> 1. At the time of login will the login code need to check if the clients
> browser accepts cookies and if not then append the SID as described? If so,
> do you perhaps have a sample piece of code that does this?


No, php does this for you. That's why I gave the explanation of the value of
SID when browsers accept, or don't accept cookies.

Sample code
<?php

session_start();

// SID is empty once the browser has sent the session cookie back.
if (SID === '')
{
    echo 'Cookie Exists';
}
else
{
    echo 'Cookie doesnt exist';
}

// Carry the session id in the link; escape the URL because PHP_SELF comes from the request.
echo '<p><a href="' . htmlspecialchars($_SERVER['PHP_SELF'] . '?' . SID) . '">CLICK ME</a></p>';

?>

If the browser does accept cookies, on the first page load, it will report
"Cookie doesn't exist" because the cookie won't become available till the next
page load. After the initial page load, it will report "Cookie Exists".
If the browser does not accept cookies, it will always say "Cookie doesn't
exist".

> 2. Am I correct in understanding that if the client has logged in (with no
> cookies enabled i.e. the SID needs to be passed) and the site contains
> other static pages (that cannot pass the SID) that if the client browses
> any of these static pages and then returns to a page that required the
> client to be logged that they will have to log in again?


Yes that is correct. The session id must stay in all urls within the site.
If you are able to direct them to a static page, you should still be able to
pass the SID in the url/form/iframe/etc they click.

> 3. For forms, where the SID need to be passed, do you pass this as a hidden
> form variable or do you do it on the URL?
>


I have it passing in the form's action attribute, so it stays in $_GET domain
like regular links.
echo '<form action="foo.php?' . SID . '" method="post">';
Reply With Quote
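Added example, not Gerard's code: one way to do the "append SID to every on-site link, never to off-site ones" step described above, handling URLs that already have a query string or a fragment. `append_sid()`, its parameters and the sample links are constructed for illustration; a session id placed in a URL also lands in logs, bookmarks and Referer headers, which is why the helper refuses anything that is not on the site's own host.

```php
<?php
// Added example; append_sid() and its parameters are hypothetical names.
// $sid is the string the thread calls SID: '' or 'PHPSESSID=...'.

function append_sid(string $url, string $sid, string $siteHost): string
{
    if ($sid === '') {
        return $url; // the cookie carries the session, leave the URL alone
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return $url; // unparseable: do not guess
    }
    // Only http(s) links can carry the id (not mailto:, javascript:, ...).
    if (isset($parts['scheme']) &&
        !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $url;
    }
    // Absolute or protocol-relative link to another host: never send the id.
    if (isset($parts['host']) && strcasecmp($parts['host'], $siteHost) !== 0) {
        return $url;
    }
    // The query string has to sit before any #fragment.
    $fragment = '';
    $hash = strpos($url, '#');
    if ($hash !== false) {
        $fragment = substr($url, $hash);
        $url = substr($url, 0, $hash);
    }
    if (strpos($url, '?') === false) {
        $sep = '?';
    } else {
        $last = substr($url, -1);
        $sep = ($last === '?' || $last === '&') ? '' : '&';
    }
    return $url . $sep . $sid . $fragment;
}

// Constructed sample values, not taken from the thread.
$sid  = 'PHPSESSID=0123456789abcdef';
$host = 'www.example.com';
$links = [
    'foo.php',
    '/list.php?page=2#top',
    'http://www.example.com/cart.php',
    'http://other.example.net/',
    '//cdn.example.org/logo.png',
    'mailto:webmaster@example.com',
];
foreach ($links as $link) {
    // Escape at output time: the result goes into an HTML attribute.
    echo htmlspecialchars(append_sid($link, $sid, $host), ENT_QUOTES), "\n";
}
```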
  #9 (permalink)  
Old 12-27-2003
Andy Higgins
 
Posts: n/a
Default Re: [PHP] PHP Session Variables Not Being Set For Certain Browsers

Hi Gerard,

Thank you for your assistance you have been of enormous help.

Regards,
Andy