How to debug session/login bugs in PHP?

Question

I tried to make a simple login system and I am seriously stuck. The problem is with the sessions. When I press login, I am redirected at the login page. Now as far as I could see, a session is started in the login page.session_id() gives some number.

But the protected page shows NULL. How to start the session on the protected page? I tried to implement some code of some examples - still redirects to login page. I tried with new empty page,just the form on the page but with the same db and still redirects to login page.

This is the login page

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    require('dbcon.php');
    if (isset($_POST['email']) && ($_POST['password'])) {
        $e = mysqli_real_escape_string($dbcon, $_POST['email']);
        $p = mysqli_real_escape_string($dbcon, $_POST['password']);
        $q = "SELECT uid,mail,psword,unm FROM pics WHERE (mail='$e' AND psword=SHA1('$p'))";
        $result = mysqli_query($dbcon,$q);
            if(mysqli_num_rows($result) == 1){
                session_start();
                $uid = mysqli_fetch_array ($result, MYSQLI_ASSOC);
                $_SESSION['uid'] = $uid['uid'];
                header("location: members.php");
                exit();
                mysqli_free_result($result);
                mysqli_close($dbcon);
            }else{
                echo 'no match';
            }
    }else{
        echo 'Empty fields...';
    }
}
?>

And this is on top of the "protected" page

<?php
session_start();
if(!isset($_SESSION['uid'])){
    header("Location:index.php");
}
?>

session info

session
Session Support     enabled
Registered save handlers    files user
Registered serializer handlers  php_serialize php php_binary wddx
Directive   Local Value Master Value
session.auto_start  Off Off
session.cache_expire    180 180
session.cache_limiter   nocache nocache
session.cookie_domain   no value    no value
session.cookie_httponly Off Off
session.cookie_lifetime 0   0
session.cookie_path /   /
session.cookie_secure   Off Off
session.entropy_file    no value    no value
session.entropy_length  0   0
session.gc_divisor  1000    1000
session.gc_maxlifetime  1440    1440
session.gc_probability  1   1
session.hash_bits_per_character 5   5
session.hash_function   0   0
session.name    PHPSESSID   PHPSESSID
session.referer_check   no value    no value
session.save_handler    files   files
session.save_path   C:\xampp\tmp    C:\xampp\tmp
session.serialize_handler   php php
session.upload_progress.cleanup On  On
session.upload_progress.enabled On  On
session.upload_progress.freq    1%  1%
session.upload_progress.min_freq    1   1
session.upload_progress.name    PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix  upload_progress_    upload_progress_
session.use_cookies On  On
session.use_only_cookies    On  On
session.use_strict_mode Off Off
session.use_trans_sid   0   0

Answer 1

Assumptions I made which are not stated by the Question:

• That form data is submitted with a POST type and with the correct character set (so a u is a u is a u)

• That all code shown in the question is in the files referenced in the headers and are not in includes and other "tucked away corners".

Some Code Improvements

<?php
session_start(); //at the start.
error_reporting(E_ALL); //as suggested by others add error logging
ini_set('display_errors',1); //and debugging to tell you info. 
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    require 'dbcon.php'; //no need for brackets here.
    if (!empty($_POST['email']) && !empty($_POST['password'])) {
        // you had a syntax error here. Also use empty() rather than
        // isset as POSTED forms will still send the data containers
        // even if it contains nothing.
        $e = mysqli_real_escape_string($dbcon, $_POST['email']);
        $p = mysqli_real_escape_string($dbcon, $_POST['password']);
        $q = "SELECT uid,mail,psword,unm FROM pics WHERE mail='$e' AND psword=SHA1('$p')"; //no need for brackets here.
        $result = mysqli_query($dbcon,$q);
            if(mysqli_num_rows($result) == 1){
                $uid = mysqli_fetch_array ($result, MYSQLI_ASSOC);
                if(is_array($uid) && count($uid) > 0){
                    //added a further debug qualifier here 
                    // to check that your SQL result is as expected.
                    $_SESSION['uid'] = $uid['uid'];
                    mysqli_free_result($result); //These occur AFTER the 
                    mysqli_close($dbcon); // exit statement which stops the script. 
                    //so put them before hand. but it's pretty worthless as
                    //mysqli will stop the connection anyway unless 
                    //specifically told otherwise.
                    header("location: members.php");
                     exit();
                      }
                 else {
                  die("your SQL returned an empty result");
                  }
             }else{
                echo 'no match';
            }
    }else{
        echo 'Empty fields...';
    }
}
// removed PHP closing marker.  Unneeded.  

As a note, why do you select 4 values from the table when you only use one value?

Destination Page

So now you have assured us that the values are being grabbed by the SQL ok and are being saved to the SESSION ok, so the issue is with finding the session on the destination page?

First, start the session:

Then, as others have stated - Error log and debugging:

then see what has been passed to the session handler:

session_start(); //always at the start!!!
error_reporting(E_ALL); //always use for error reporting in development
ini_set('display_errors',1); //always!!! 
print_r($_SESSION);

If no errors are shown up here then you need to go back to your login page and check sessions are being saved correctly, so:

           $uid = mysqli_fetch_array ($result, MYSQLI_ASSOC);
           $_SESSION['uid'] = $uid['uid'];
           $_SESSION['sausages'] = "roasted";
           ...
           header("location: members.php");
           exit();

And then go back and see if this static varible string appears on your members.php page,

• If it does, then that shows that your SQL query and not your session is invalid and failing, which I'm not going to go into here, but enough to say that the session is not the problem. A probable error here is you are not storing the hashed value (SHA1) correctly in your database. But we would need more info to provide specific assistance in the case it's an SQL error.

• If it does not appear then that does indicate either a session issue or a file handling issue, mainly you need to have a clear path to were the code is in the file structure, is the "protected" page code you have shown us actually in the page referenced in the header, and is this page in the same directory as the login page (rather than any mod_rewrite jibjag etc.)?

Tell me what light this shines on identifying exactly where your problem begins.

---

In other notes it's worth noting your password system is not up to production quality and a different approach should be used. Please research StackOverflow.

---

EDIT:

Session details:

• turn session.cookie_httponly to on.
• check that the folder sessions are stored in (C:\xampp\tmp) has all read write and execute settings (chmod 0777).
• change session.use_strict_mode to on.
• Set session.auto_start to on.

Although I must admit that aside from making absolutely sure that PHP has permisson to read and write to the specified session directory, nothing in your session info stands out to me as a possible cause.

Do you have any errors/warnings on your server logs (the program that runs PHP on your machine)?

You can find a good explanation of chmod here.

THIS POST might be a lot of help to you as well.

Answer 2

Is this line header("location: members.php"); working?

I don't really see the need of the following lines:

exit();
mysqli_free_result($result);
mysqli_close($dbcon);

Because your page is already been redirected.

Now, what exactly have you written in the members.php page? If my idea is correct, have you included this protected page on top of members.php?

Answer 3

I dl html5 boiler plate,opened a new project and i started adding the html files one by one.I had a backup of the site right before i started coding the login.Then i copied the php code.Then the css and js files.So far the login works as it should with the same code as long as i don't change the name of the folder.I hope it will stay that way.Thank you for your time and help.I appreciate it.