redirect using header()

[Strangeplant]

I define it in the previous post, it's $where. I access it as in one of the first posts where it's used in the header() function. I also try to echo it to the screen, and that's where I find it's blank.

[Strangeplant]

It's $where in all the above posts.

[Twey]

Could you give all the code you use?

[Strangeplant]

Sure can. The code is in multiple pieces, so I'll show only the basics needed. I should say that the code works great, and is easy to configure to my website. The problem stems from my need to change it.

The calling page code, in part, is this:

Code:

<?php include_once("inc/auth.inc.php"); session_start(); session_register("where"); $where = "http://earth.engr.ccny.cuny.edu/noaa/wc/Lidar/chainedmenu2.php"; $user = _check_auth($_COOKIE); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

The line 'header("location: ".$where);' was originally 'header("location: index.php");', and assumed that you would be always wanting to go to this page. But in my case, I have password data files in several places, and so I want the redirect point to be back to the starting page, whatever it may be. The file auth.inc.php is this:

Code:

<?php

/* ===============================
== Basic PHP/MySQL Authentication 
== by x0x 
== Email: x0x@ukshells.co.uk
================================*/

include_once("config.inc.php");
include_once("layout.inc.php");

mysql_connect($CONFIG['HOST_NAME'], $CONFIG['DB_USERNAME'], $CONFIG['DB_PASSWORD'])
  or die(mysql_error());
mysql_select_db($CONFIG['DATABASE_NAME'])
  or die(mysql_error());

function _check_database($user, $pass)
{
  $Q = mysql_query(" SELECT user_id FROM users WHERE user_name = '$user' AND user_pass = '$pass' ");
  if(mysql_num_rows($Q) == 0) return 0;
  else return mysql_fetch_array($Q);
}

function _check_auth($cookie)
{
  $user = array();
  $session = $cookie['SESSION'];

  $q = mysql_query(" SELECT user_id, user_name FROM sessions WHERE session = '".$session."' ")
    or die(mysql_error());
  if(mysql_num_rows($q) == 0)
    header("Location: login.php");
  else {
    $r = mysql_fetch_array($q);
    $user['user_id']   = $r['user_id'];
    $user['user_name'] = $r['user_name'];
  }
  return $user;
}

function _set_cookie($user_data, $rem, $session, $username)
{
  if($rem == 1) setcookie('SESSION', $session, time() + 186400);
  else setcookie('SESSION', $session);

  $user_id = $user_data['user_id'];
  $C = mysql_query(" SELECT * FROM sessions WHERE user_id = '$user_id' AND user_name = '$username' ");
  if(mysql_num_rows($C) == 0)
    $Q = mysql_query(" INSERT INTO sessions (session, user_id, user_name) VALUES ('$session','$user_id','$username') ");
  else
    $Q = mysql_query(" UPDATE sessions SET session = '$session' WHERE user_id = '$user_id' AND user_name = '$username' ");
	header("Location: ".$where);
}

function _logout_user($cookie)
{
  $session = $cookie['SESSION'];
  $q = mysql_query(" DELETE FROM sessions WHERE session = '$session' ")
    or die(mysql_error());
  setcookie('SESSION', '', 0);
  header("location: login.php");
}

function _already_logged($cookie)
{
  if(isset($cookie['SESSION']))
	header("Location: ".$where);
}

function fm($String)
{
  return addslashes(strip_tags($String));
}
?>

Since the login.php page is called after the first page, I commented out the 'session_start()' to see if it was a problem and put it in the first page, but that's not the issue. The other included files are for database access and for html page formatting. Just to be more complete, the file login.php is this:

Code:

<?php

/* ===============================
== Basic PHP/MySQL Authentication 
== by x0x 
== Email: x0x@ukshells.co.uk
================================*/

/*session_start();*/
include_once("inc/auth.inc.php");
_already_logged($_COOKIE);

if(isset($_POST['submit']))
{
  $user_data = _check_database(fm($_POST['user']),fm($_POST['pass']));
  if($user_data == 0) login_page();
  else _set_cookie($user_data,fm($_POST['rem']),session_id(),fm($_POST['user']));
} else
  login_page();
?>

I did find a few references on the web about session variables being wiped out, but I haven't followed that yet because I think I'm doing something stupid.

[Twey]

You'll need to leave that session_start() there.
Can you add

Code:

error_reporting(E_ALL);

to the top of each page and see if you get any notices?

[Strangeplant]

Can I assume that successive 'session_start();' does not reset/clear the session array as it implies but does not directly state on the man pages? If it does, then it must be before the variable containing the redirect location is set in the first page, not the login.php page. Is this correct?

I'll add the error trapping lines and run the thing again.

I always am wondering if the server is running correctly. I set up a page so I could see the server properties: http://earth.engr.ccny.cuny.edu/noaa/wc/phpTest.php

[Twey]

If it does, then it must be before the variable containing the redirect location is set in the first page, not the login.php page. Is this correct?

It must be before you use any session variables. session_start() simply sends the appropriate headers for the page it's on to use sessions; it doesn't reset or clear anything.

[Strangeplant]

Ok, I clear the browser's cookies, cache & authenticated sessions. Then I run the page chainedmenu2.php. I get the following error messages:

Code:

Notice: Undefined index: SESSION in /webmail/apache/htdocs/noaa/wc/Lidar/inc/auth.inc.php on line 27

Warning: Cannot modify header information - headers already sent by (output started at /webmail/apache/htdocs/noaa/wc/Lidar/inc/auth.inc.php:27) in /webmail/apache/htdocs/noaa/wc/Lidar/inc/auth.inc.php on line 32

and it does not go as usual to login.php, but instead displays the chainedmenu2.php page. Why? Because errors are no longer ignored? Well, there is no cookie now (as though the user has never signed on before). But, what does this imply about 'SESSION'? The statement 'session_start();' is at the top of the chainedmenu2.php page, so how can 'SESSION' be undefined? Hummm. The problem is not what I had thought it was.

[Twey]

The session isn't undefined, the cookie is. Notice that it says undefined index, not undefined variable. It means that $_COOKIE['SESSION'] doesn't exist.
The second error can be safely ignored, since it's probably caused by the displaying of the first error.

[Strangeplant]

Well, the cookie should be undefined as I have erased it. This is a new entry, everything starting as though it is a new user. But, before I added the statement 'error_reporting(E_ALL);' to 'chainedmenu2.php', the execution would drop through to the 'header("Location: login.php");' line and ask to be logged in.

Does it seem that the program execution/flow is changed because of the error trapping? If so, I'm not getting to the problem area of the session variable that I declared, $where.....