strange session error when page refreshed 1

[max2474]

Hi. I started a thread in sql forum thinking this was my issue. please see it here.

I am starting to believe this is a "bug" of sorts... I have merged the two databases into one. I have also put all of the contents into one page (removing the need for "require") to help source the problem.

I originally ran the following script with the first line setting "exists" to 2 rather than 4. after changing it to 4 and saving, I ran the page again by hitting F5

<?php session_start(); ?>
<?php
	$_SESSION[exists] = "4";
	if(($_SESSION[exists] <> "1") && ($_SESSION[passes] == "0") && (!empty ($_SESSION[user])) && (!empty ($_SESSION[email])) && (!empty ($_SESSION[userpass])) 

&& (!empty ($_SESSION[squestion])) && (!empty ($_SESSION[sanswer])) && (!empty ($_SESSION[terms])))
	{
		$_SESSION[exists] = "4";			
		require("pwinfo.php");
		$con = mysql_connect($servername,$username,$password);
		if (!$con)
		{ die('Could not connect: ' . mysql_error()); }
		mysql_select_db("metcoldb", $con);
		$result = mysql_query("SELECT email FROM apply
		WHERE email = '$_SESSION[email]' LIMIT 1");
		while($row = mysql_fetch_array($result))
		{
			$_SESSION[exists] = "4";
		}
		mysql_close($con);
		if($_SESSION[exists] = "2")
		{	
			require("pwinfo.php");
			$con = mysql_connect($servername,$username,$password);
			if (!$con)
			{ die('Could not connect: ' . mysql_error()); }
			mysql_select_db("metcoldb", $con);
			$sql = "INSERT INTO members (email, password, squestion, sanswer, joindate, usertitle)
			VALUES
			('$_SESSION[email]','$_SESSION[userpass]','$_SESSION[squestion]','$_SESSION[sanswer]','$_SESSION[date]','$_SESSION[user]')";
			if (!mysql_query($sql,$con))
			{ die('Error: ' . mysql_error()); }
			mysql_close($con);
			require("pwinfo.php");
			$con = mysql_connect($servername,$username,$password);
			if (!$con)
			{ die('Could not connect: ' . mysql_error()); }
			mysql_select_db("metcoldb", $con);
			mysql_query("DELETE FROM apply WHERE email = '$_SESSION[email]' LIMIT 1");
			mysql_close($con);
/*			$_SESSION[exists] = "3"; */
			echo "added";
		}
	}
else 
{
echo"not added"; 
}
	?>


	<p>currently registered info is as follows:</p>
	<?php echo "registered email is ".$_SESSION[email];?><br/>
	<?php echo "registered exists is ".$_SESSION[exists]; ?><br/>

output is

added

currently registered info is as follows:
registered email is fgfg@sdds
registered exists is 2

if the

/*	$_SESSION[exists] = "3"; */

at the bottom runs, output is three. stop it, and back to 2.

why is session-exist coming up as 2???

 

[max2474]

forgot to mention...

the lines

while($row = mysql_fetch_array($result))
{ $_SESSION[exists] = "4"; }
mysql_close($con);

would normally be set to 2. in other words, if the user is found in the apply table, they are added to the members table and deleted from the apply table.
This was changed to 4 to try and help debug.

 

[jpadie]

a few things to consider

1. associative array elements must be enquoted

$_SESSION[[COLOR=red]'[/color]somvar[COLOR=red]'[/color]]

2. when using integer values don't enquote them

$_SESSION['somevar'] = 1; and NOT "1"

this will mean that things like <> won't give you weird results after type juggling.

3. sessions involve disk writes (normally). if you are testing on a local machine then refreshing the page can give you race conditions (when the disk write has not completed before the next disk read starts. try this as a test

error_reporting(E_ALL);
ini_set('display_errors', true);
session_name('testSession');
if(session_id() == '') session_start();
echo '<pre>';
var_dump($_SESSION);
var_dump($_COOKIE);
$_SESSION['myName'] = "Robert deNiro";
session_write_close();
var_dump($_SESSION);
var_dump($_COOKIE);

the first time you should get two blank arrays followed by an an array with Bob's name and a further blank array.

(in the blank cookie array it is possible that old cookies may be being transmitted. But they will be ignored.

then refresh the page.

this time the Bob array should be there twice, and there should be a new cookie value of testSession.

 

[max2474]

thanks for your help.

I did try
$_SESSION[exists] = "4";
$_SESSION['exists'] = "4";
$_SESSION['exists'] = 4 ;
$_SESSION[exists] = 4;

all repeating the db inserts.

your test gives:

array(0) {
}
array(0) {
}
array(1) {
["myName"]=>
string(13) "Robert deNiro"
}
array(0) {
}[/quote]
then on refresh :

array(1) {
["myName"]=>
string(13) "Robert deNiro"
}
array(1) {
["testSession"]=>
string(26) "rjd8m3nf8ctfi0pi6vp6vv2dm3"
}
array(1) {
["myName"]=>
string(13) "Robert deNiro"
}
array(1) {
["testSession"]=>
string(26) "rjd8m3nf8ctfi0pi6vp6vv2dm3"
}

which is as I believe as you would expect.

Being that this is on a local machine (using apache if that helps), would it be safe to assume that this would not occur on a true server?
It may be worth pointing out that a user would have to call this page specifically by typing it in the address bar to cause this error as it has no content and would normally just redirect. They would not even know the page existed and would have to guess the name. However, I am just trying to make the whole site invasion proof.

 

[max2474]

I have just worked it out... so daft really.

if($_SESSION[exists] = "2")

should have been

if($_SESSION[exists] == "2")

Thanks loads for your efforts though!

 

[jpadie]

Race Conditions can occur on any server (high load) but I have only ever come across the issue on dev machines. I must admit that the first time it happened I was debugging for hours before I went back to basics and thought about what sessions actually were.

Well done for solving it though.

 

[Olavxxx]

btw. I know the issue is fixed, but I can just tell you about one that puzzled me once

Redirect from

http://www to

http:// caused some cookies not working. I figured out that you can define the superdomain when setting the cookie dough, though ;-)

Olav Alexander Mjelde

 

[jpadie]

on a similar note, Olav, when using trans-ID (at least in some versions of php) the automatic url rewriting does not work for the Location header.

this is important for anyone planning to use trans-id as a workaround for the newly enforceable ePrivacy legislation in the EU. You need explicitly to add the SID to the Location header.