PHP session variables....

[muitobom]

Hi there,
can anyone please explain me the following:

I have created a site in Contao, some pages contain php code, which I took over form the existing php based tailor made site.

For example: for the login page:
<iframe src="templates/ozdaanmeldeninloggen.php" width="100%" height="200" frameborder="0"></iframe>
a PHP session variable is set: $_SESSION['logged_in'] = 1


However when the user needs to logout, I use
Uitloggen!

This script is called and executed, it contains
$_SESSION['logged_in'] = 0

For some reason the logged_in variable is not set to zero. I have also tried:
$_SESSION['logged_in'] = false;
$_SESSION['logged_in'] = 0;
unset($_SESSION['logged_in']);
unset($GLOBALS['logged_in']);
session_unset();

the logged_in variable keeps the value '1'....

Can it be of any influence that the existing PHP scripts starts an new session...?

help !

thx
Frank

[Ruud]

If you were to change any _SESSION variables after the new session has started, then that might certainly be part of the problem. But I assume these scripts worked fine before. You could try modifying the logout script (after where it starts the session and) before it starts a new one and see what the value of logged_in is. If it is not 1, then the logout seems to terminate the wrong session.

But that's about it for me when it comes to custom scripts I cannot see!

However, is it a possibility that you use Contao's member login and logout instead of the pre-existing code that you need to run in iframes? If you can make the pre-existing code use the same session Contao does (see system/initialize.php) then you'd not need the extra login and logout. The only tricky thing is making sure the two systems do not use other session variables with the same name, but that's more of a coincidence then some regular scenario. I've abandoned my own login methods of a elaborate system I wrote just about in this way without any troubles. The advantage was a single login for both systems.

This is how Contao starts it's sessions (correct me if I'm wrong)

Code:

/**
 * Try to disable PHPSESSID
 */
@ini_set('session.use_trans_sid', 0);

// Some code in between I've removed

/**
 * Start the session
 */
@session_start();

Now you can either change all of the code that uses the old $_SESSION['logged_in'] into FE_USER_LOGGED_IN or you can use the postLogin and postLogout hooks (http://www.contao.org/hooks.html#postLogin) to set $_SESSION['logged_in'] to 1 and 0.

So plenty of choice depending on the code you have to work with. I'd go for changing to Contao login/logout and changing whatever session management the existing scripts have. Changing logged_in into FE_USER_LOGGED_IN or set it via hooks is probably dependant on how much you'd need to change.

Let us know how it turned out...

[Ruud]

Now if your Contao website already has members you obviously do not want them all to have access to that other system (or I assume that is not always a good thing). You can also check for member groups of the logged in user to see if they have access.

To do this you need to add a member group like "ozd". Members that should have access get assigned to this member group.

Secondly at some point in your code you need to check if the user is a member of that group. I've done that as follows, but I'm not sure the code is still current as it was written for a Contao version of about 18 months old.

Code:

function contaoLookup($memberGroup) {
	if ( isset($_COOKIE['FE_USER_AUTH']) ) {
		$storage = $this->getDbStorage();

		// Do Contao verification
		$query = "SELECT	`tl_member`.`groups` "
			. "FROM		(		`tl_session` "
			. "		LEFT JOIN	`tl_member` "
			. "		ON		`tl_session`.`pid` = `tl_member`.`id` ) "
			. "WHERE	`tl_session`.`hash` = '{$_COOKIE['FE_USER_AUTH']}' "
			. "AND		`tl_session`.`name` = 'FE_USER_AUTH' ";

		$storage->query_first($query);
		if ( $storage->has_rows() ) {
			$groups = unserialize($storage->f('groups'));
			$groups = "( `tl_member_group`.`id` = " . implode(" OR `tl_member_group`.`id` = ", $groups) . " ) ";
			$query = "SELECT	`id` "
				. "FROM		`tl_member_group` "
				. "WHERE	`tl_member_group`.`name` = '" . $memberGroup . "' "
				. "AND		{$groups} ";
				$storage->query($query);
			if ( $storage->has_rows() ) {
				return true;
			}
		}
	}

	return false;
}

You'd need to convert that to whatever framework or code the custom php code is using.

[muitobom]

Hi Ruud,
thx for the detailed help.
One thing is that the existing PHPsite uses it's own database for userlogin etc.
At this project phase I will not use the contao login mechanism due to lack of time/budget.
We will probably implement this in phase 2 of this project.

So... I'll have to stick with the current login pHP scripts.

[muitobom]

what just came up in my messy mind....

I now call the php logout link not in the same iframe as where I the php login session is called...
Tonight I'll try to include the logout script in the php login script and see what happens...

[muitobom]

YES
I found the solution: I added the 'session_start' statement in the php logout script.
this did the trick.
Ruud thanx again for extra info.


<?
session_start();

unset ($_SESSION['logged_in']);
unset ($_SESSION['klantid']);
?>