Help needed in $_SESSION variables

Hi:

As you all know, I am a newbie and am picking a lot of PHP knowledge from this website! Thank you all for helping me learn!

However, now I have a serious problem. The web server where my databse management software system, developed in PHP/MySQL, is not allowing me to login, with 'LOGIN UNSUCCESSFUL' message. This message is occurring when username / password combination has been found in the database but the Welcome script is failing because the $_SESSION variables are not getting set properly. When I brought this to the notice of web server administrator, I got the following reply -

"Definitely looks like a Session setting…
I think you are using the default setting for session path and whenever our server gets rebooted this is giving you a problem.

The best recommended way to use sessions variable is to define your own path within your hosting and give write permission to it through control panel. So no external reboots will affect it.

I will go ahead and give the sessions path the write permission.. But you might want to implement the above procedure."

Now how to implement this solution? This has happened a second time. Earlier without anybody's interference, the problem got resolved on its own somehow. I don't understand how. What do I do now? In my authentication script, I am setting SESSION variables which are supposed to get set after finding valid username / password combination. If MySQL isn't affected and I should be able to see the data then why a simple PHP script that connects to the database and runs an SQL that is supposed to show the existing records, failing and giving me Internal Server Error (HTTP 500)? Shouldn't that PHP script at least work for me even if the scripts with the SESSION variables are somehow giving me problems? I don't understand. To prevent scrambling of SESSION variables, I had even prevented the users NOT to login from two different machines at the same time with the same username / password combo. Things were working pretty good only a few days back. What could have possibly gone wrong? Can you please help? I am trying to understand more on SESSION variables and also would like to understand the comment in bold and underlined. Please help

Use session_save_path().

Do I use this statement before session_start() wherever I am using? If I make this change in almost every script of my software, then after re-uploading the scripts on the web-server, will I be able to login?

Do I use session_save_path() before sessions_start() wherever it appears? If so, after making changes to all the concerned scripts and re-uploading them on the web server, will I be able to login now?

I don't know about that but it will fix the path problem after server restarts.

The manual for that function specifically says it must be called before session_start, so yes, call it before.

The problem is: The sessions are stored on the hard drive. You're using a session path that doesn't belong to you (it belongs to another user or to the server owner). You should change the path to something which DOES belong to you, then make sure that path is readable and writable by PHP using your control panel.

You can change that path in two ways:
1) Through PHP.ini, if you have access to it.
2) Through the function call you've been given, called just before session_start().

Do I use session_save_path as follows?

session_save_path('http://www.mysite.com/test_dir/session')

before session_start() in EVERY PHP script of my software? Is the above syntax correct? I did try this but the system is still logging in. What do I tell the web server administrator? Should he re-start the server?

No, the session path is not a URL, it is a directory path for which you give apache R/W permissions.

No, the session save path is a hard drive path to where you want the session files to be stored. Just like it says in the manual

You should really be centralizing things like your session_start calls so you can make changes like this only once instead of once for every page on your site, but that's a whole other discussion.

Thanks!

Now, what does the following statement do?

ini_set('session.gc_probability', 1);

should i use it along with session_save_path()? is it necessary to re-start the server after making changes?

Read the manual.






No, do not touch the session configuration at all. The only thing that's concerning you is the save path.





Yes.

THANK YOU ALL OF YOU!!!! All your suggestions worked!!!! The server didn't need to be re-started though, because probably, the drive on the hard disk that I mentioned in the session_save_path was different than the original path and so the whole process of starting the software system started all over again in the newly mentioned directory, thus avoiding the server start!! This is just my experience and my logical answer! I will still request the remote server administrator to re-start the server if possible or needed but as of now, my system in php could be successfully logged in and I can see the data!!!

THANK YOU!!!

Hi!

Another quick question related to $_SESSION variables. I have observed that in the directory (physical path) where the session data is stored for a session, is growing with each day's session files for each user. I used session_unset() just before using session_destroy() in my log out script, the session files are just piling up in that directory and sizes of these files are not too small. When I opened one session file in Notepad, I found out all the session variables ($_SESSION) related to a session were still showing the values (of the $_SESSION array) in that session file. Didn't session_unset() or session_destroy() destroy the data and the session file? How do I get rid of the session file itself after the log out so that they don't keep piling up?

Another thing, I had used another $_SESSION variable down the line in one of the scripts (a menu option) to set a parameter value for a complex SQL query for data extraction from the database. I am unable to see that Session variable value now. The directory where all my PHP scripts on the web server are is '/abc' and the session_save_path() 'pqr' is outside '/abc' and hence I have written session_save_path('../pqr') above session_start(). But the session value that is not being set is for a report script which appears in the directory under '/abc', e.g. '/abc/xyz'. Now with the same session_save_path('../pqr') even for the reports under '/abc/xyz', obviously the session file is not being accessible to the report script and hence I get Server error, but then what should be that path? I have put in just one include file all the session_save_path() and session_start() for all the scripts universally. But for reports it isn't working. Can you please help me with the path? (Sorry, since my software in PHP is being hosted on Linux and my development platform being Windows, I think I am confused with the way in which directories are accessed.... sorry about that)

Hi,

about deleting sessions: Do you have a session_start() on top of the script? If you don't, session_unset() and session_destroy() have no effect.

It's normal to have a lot of unused session files. Many people don't log out explicitly, so the session file remains until the garbage collector deletes it. PHP also creates a lot of unnecessary sessions, because it doesn't distinguish between resuming and starting a session.

But a few bytes for each session shouldn't be a problem -- I don't expect you to run a big site with thousands of visits per second.

Yes, I do have session_start() in my log out script. It is as follows.



Will I need anything else in my log out script?