session problem - login screen continually reloads after pressing the login button

[Chip]

I am trying to get sessions to work on a log in screen to give certain
users access to certain pages/directories. The problem is that when
the login button is pushed (or the enter key pressed) the login screen
redraws, never loading the next page. I don't get any error messages.
I am using FreeBSD-5.1/Apache-2.0.46/MySQL-4.1.0.1/PHP-4.4.3.4

Thanks,
Chip

I have pasted the code below -

This is at the top of the page login.php -
-------------
<?
session_start();
session_register("userid","password");
if ($submit)
{
$db=mysql_connect("localhost","user","") or die ("Error in this query

>>$sql<< : " .mysql_error());

mysql_select_db("simradusa",$db) or die ("Error in this query >>$sql<<
: " .mysql_error());
$result=mysql_query("select * from user where userid = '$userid'",$db)
or die ("Error in this query >>$sql<< : " .mysql_error());
while ($row=mysql_fetch_array($result))
{
if ($row["userpassword"]==$password)
{

header('Location:
[url]http://xxx.xxx.xxx.xx/auth_dealers/dealers_page.php');[/url]
}
}
}
?>
------------

This is at the top of all pages, before any html tags -
-------------
<?
session_start();
if(!isset($userid)) {
header('Location: [url]http://xxx.xxx.xxx.xx/auth_dealers/login2.php');[/url]
exit;
}
?>

[Matthias Esken]

Chip <carvin5string@yahoo.com> schrieb:

> I am trying to get sessions to work on a log in screen to give certain
> users access to certain pages/directories. The problem is that when
> the login button is pushed (or the enter key pressed) the login screen
> redraws, never loading the next page. I don't get any error messages.
> I am using FreeBSD-5.1/Apache-2.0.46/MySQL-4.1.0.1/PHP-4.4.3.4

And you're using code from the times of PHP 4.0.x.

> <?

Don't use short tags. The are not portable. Use <?php.

> session_start();

Seems OK. :-)

> session_register("userid","password");

That's not good. In fact it is bad style. Read the documentation at
[url]http://www.php.net/manual/en/function.session-register.php[/url].

> if ($submit)

You rely on register_globals=on. Since PHP 4.2.0, the default value for
register_globals is off.

> This is at the top of all pages, before any html tags -
> -------------
> <?
> session_start();
> if(!isset($userid)) {
> header('Location: [url]http://xxx.xxx.xxx.xx/auth_dealers/login2.php');[/url]
> exit;
> }
> ?>

Ouch. What is $userid? You might believe that it contains a variable
from your session. If register_globals is off, then it doesn't and PHP
will always send you back to login2.php. You'll find the value in
$_SESSION['userid'] instead. If register_globals is on, then it _might_
contain the id from the session. On the other hand it could be a clever
intruder who just calls your page with page.php?userid=42. So, don't
work with activated register_globals.

This leaves you with some work to do. Check the setting of
register_globals in the php.ini. If it's on, then switch it off. With
activated register_globals you have to work hard to make your code
secure. With deactivated register_globals you have to work to make it
insecure.

To find errors from uninitialized variables set the error_reporting to
E_ALL, so that you get all notices and warnings during the development
of your code.

Write data to a session with:
$_SESSION['example'] = $value;

Access data in a session with:
echo ($_SESSION['example']);

Access data from a form with:
$_POST['username']
or
$_GET['username']
according to your posting method.

Check [url]http://www.php.net/manual/en/language.variables.predefined.php[/url] for
details about these "superglobals".

Regards,
Matthias