Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP - Session doesnt work on mobile

For login im using a session_start(), for desktop its works fine, but on mobile, it doesnt work. When I make a session_id() with variable, for example, session_id('login') its works on mobile, but break other sessions on other computers. But when session_id() is generated automatically, it doesn't work on mobile. What should I do?

My session_start code on index.php

session_start();
if (isset($_SESSION['username'])){
    session_id();
}

Whole code for login.php file

<?php
require('config.php');
$usernameOK = false; $passwordOK = false;
if (isset($_POST['username']) and isset($_POST['password'])){

        $username = $_POST['username'];
        $password = $_POST['password'];

        $UserQuery = "SELECT username FROM `members` WHERE username='$username'";
        $userTestResult = mysqli_query($connection, $UserQuery);
        $usernameTEST = mysqli_num_rows($userTestResult);
        if($usernameTEST == 1){$usernameOK = true;}

        $PasswordQuery = "SELECT password FROM `members` WHERE username='$username'";
        $result = mysqli_query($connection,$PasswordQuery);
        $row = mysqli_fetch_row($result);

        if (password_verify($password, $row[0])){$passwordOK = true;}

        if($usernameOK == true && $passwordOK == true){
            $_SESSION['username'] = $username;
        }else{
            $error_message = "Incorrect login data";
        }
    }

    if (isset($_SESSION['username'])){
        header("Location: ../");
        exit;
    }else{?>
    <form class="login-form" method="POST">
        <?php if(isset($error_message)){ ?><div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?>

        <span class="placeholder">username</span>
        <input type="text" name="username" placeholder="username" required>

        <span class="placeholder">password</span>
        <input type="password" name="password" id="inputPassword" placeholder="password" required>

        <button type="submit">Login</button>
        <a class="form-link" href="register.php">Register</a>
    </form>

<?php } ?>
like image 560
Daniels Jirgensons Avatar asked May 27 '17 17:05

Daniels Jirgensons


3 Answers

Not really sure what your code does, because I dont see anything regarding setting the username or anything of that sort. What your code does is, it starts the session and checks if username variable in session is set, and if YES, it calls session_id.

Can you use this to check if the session is created properly?

session_start();
if (session_status() !== PHP_SESSION_NONE)
{
echo session_id();
}

Starts a session and shows you the session ID if the session_status is not PHP_SESSION_NONE

like image 54
Kishor Avatar answered Nov 20 '22 21:11

Kishor


You don't need to do a session_id() to start a session, session_start() is enough.

I've tested the following on Safari on iPhone 6 (just add the db query part back if you want):

testa.php

<?php
//require('config.php');

session_start();
echo "Session ID: ".session_id()." <br>\n";

$usernameOK = false;
$passwordOK = false;

if (isset($_POST['username']) and isset($_POST['password'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $usernameOK = true;
    $passwordOK = true;

    if ($usernameOK == true && $passwordOK == true) {
        $_SESSION['username'] = $username;
    } else {
        $error_message = "Incorrect login data";
    }
}

if (isset($_SESSION['username'])) {
    header("Location: ../");
    exit;
} else {
?>
    <form class="login-form" method="POST">
        <?php if (isset($error_message)) { ?>
            <div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?>

        <span class="placeholder">username</span>
        <input type="text" name="username" placeholder="username" required>

        <span class="placeholder">password</span>
        <input type="password" name="password" id="inputPassword" placeholder="password" required>

        <button type="submit">Login</button>
        <a class="form-link" href="register.php">Register</a>
    </form>
<?php } ?>

testb.php

<?php

session_start();
echo "Session ID: ".session_id()." <br>\n";
echo "Data stored in session: {$_SESSION['username']}<br>\n";
  1. Clear data/cookies on your mobile browser (or just go into incognito mode). This will make sure you "start from scratch".

  2. Open testa.php on your mobile browser. Take note of the session id shown. Enter your login details and tap Submit. The next page may show blank.

  3. Open testb.php. Again, take note of the session id shown. It should be equal to the session id shown in test1.php. If they are different then it is possible your mobile browser is configured not to accept cookies.

I've personally tested this on Safari on iPhone 6 and I was able to get the username data from session.

PS. A friendly reminder: don't forget to escape the data you use in queries (i.e. $username and $password). Use mysqli_real_escape_string, or use prepared statements. For security.

like image 33
aljo f Avatar answered Nov 20 '22 20:11

aljo f


Maybe you are experiencing some conflict issues:

My session_start code

if (isset($_SESSION['username'])){
    session_id();
} else if (!isset($_SESSION)){
   session_start();
}

Whole code for login.php file

<?php
require('config.php');
$usernameOK = false; $passwordOK = false;
if (isset($_POST['username']) and isset($_POST['password'])){

        $username = $_POST['username'];
        $password = $_POST['password'];

        $UserQuery = "SELECT username FROM `members` WHERE username='$username'";
        $userTestResult = mysqli_query($connection, $UserQuery);
        $usernameTEST = mysqli_num_rows($userTestResult);
        if($usernameTEST == 1){$usernameOK = true;}

        $PasswordQuery = "SELECT password FROM `members` WHERE username='$username'";
        $result = mysqli_query($connection,$PasswordQuery);
        $row = mysqli_fetch_row($result);

        if($usernameOK == true && password_verify($password, $row[0])){
            if (isset($_SESSION)){
               $_SESSION['username'] = $username;
            } else{
               session_start();
               $_SESSION['username'] = $username;
            }
        }else{
            $error_message = "Incorrect login data";
        }
    }

    if (isset($_SESSION['username'])){
        header("Location: ../");
        exit;
    }else{?>
    <form class="login-form" method="POST">
        <?php if(isset($error_message)){ ?><div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?>

        <span class="placeholder">username</span>
        <input type="text" name="username" placeholder="username" required>

        <span class="placeholder">password</span>
        <input type="password" name="password" id="inputPassword" placeholder="password" required>

        <button type="submit">Login</button>
        <a class="form-link" href="register.php">Register</a>
    </form>

<?php } ?>

In the index.php on the first line I have -> REMOVE THAT, PUT FIRST ROUTINE OF SESSION CHECKING

if (!isset($_SESSION)){
   session_start();
}

EDIT: I noted that you're using header function to redirect to the index page. It's important avoid such redirects unless you're sending user out of your system, because some environments doesn't work well with them. I suggest to change your routine to user POST/GET http routines instead:

Inside validateSession.php

outside validateSession, NOTHING about sessions rules, concentrate everything there

index.php/head.php/some code that always starting in every page start only that:

<?php 
include_once('validateSessions.php'); 
?>

Your form:

<form class="login-form" action="index.php" method="POST"> 
<?php if(isset($error_message)){ ?><div class="mini-mes error"> <?php echo $error_message; ?> </div><?php } ?> 

<span class="placeholder">username</span> 
<input type="text" name="username" placeholder="username" required> 

<span class="placeholder">password</span> 
<input type="password" name="password" id="inputPassword" placeholder="password" required> 

<button type="submit">Login</button> 
<a class="form-link" href="register.php">Register</a> 
</form>

EDIT: I reviewed your routine, pay attention on validateSessions.php, I was forgetting to load session_start() in every routine that called the file. Put validateSessions inside your include directory.

UPDATE: Even my code helping the OP, the main problem was the SESSION configuration into php.ini file with session.save_path, causing issues about session routines. The php.ini fix solved the problem, the code I expect that helped OP to think about some routines towards Session stuff.

like image 3
capcj Avatar answered Nov 20 '22 22:11

capcj