$ _SESSION of PHP is not recognized in the same server in different URL

0

I have a verifica.php file that checks if the user session was started after login, what happens is this:

There are two URL's:

link

And inside it has a link that leads to another URL:

link

At the beginning of each page you even have the code:

<?php
if( !session_id() ) {
    @session_start();
}
?>

The file verify.php is the same for both environments, however when opening the link in a target="_ BLANK", the other URL passes through the file verify.php and $ _SESSION ['user'] is not recognized and forwards the user out of the environment, but the source tab does not lose the session:

<?php
if( !isset($_SESSION['usuario']) ) {

    @session_regenerate_id(true);
    unset($_SESSION['usuario']);
    @session_destroy();
    @session_start();
    echo "<script>window.alert('Acesso não autorizado [SECTION OFF]!');</script>";
    echo "<script>parent.location.href='home/';</script>";
    exit();

}
?>

Considering that the destination URL call is done both via tag and in Jquery .ajax ();

The login code is below:

<?php
include '../../_inc/db.conn.php';

define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
if(!IS_AJAX) {die('Acesso restrito');}

$pos = strpos($_SERVER['HTTP_REFERER'],getenv('HTTP_HOST'));
if($pos===false)
    die('Acesso restrito');

$emailuserlogin = $_POST['usuario_email'];
$emailuserlogin = strip_tags($emailuserlogin);
$emailuserlogin = addslashes($emailuserlogin);
$emailuserlogin = trim($emailuserlogin);
#
$passworduserlogin = $_POST['usuario_senha'];
$passworduserlogin = strip_tags($passworduserlogin);
$passworduserlogin = addslashes($passworduserlogin);
$passworduserlogin = trim($passworduserlogin);
$passworduserlogin = md5($passworduserlogin);

$usuarioSQL = "SELECT * FROM 'usuario' WHERE 'usuario_email' = '" . mysqli_real_escape_string($conn, $emailuserlogin) . "' AND 'usuario_senha' = '" . mysqli_real_escape_string($conn, $passworduserlogin) . "' LIMIT 1;";

$usuarioQuery = mysqli_query($conn, $usuarioSQL) or mysqli_error($conn);

$contaUsuario = mysqli_num_rows($usuarioQuery);

if ( $contaUsuario == 1 ) {

    $usuario = mysqli_fetch_array($usuarioQuery);

    $_SESSION['usuario'] = array();

    foreach($usuario as $campo => $valor) {
        $_SESSION['usuario'][$campo] = $valor;
    }

    echo "<h5 class='alert alert-success text-black font-bold'>Logado! Redirecionando...</h5>";
    echo "<script>setTimeout('parent.location.href=\"home\"', 1400);</script>";
    exit();

}

if( $conta == 0 ) {
    echo "<h5 class='alert alert-danger text-black font-bold'><span class='text-bold'>Erro!</span> Login/Senha inválida.</h5>";
    exit();
}
?>
    
asked by anonymous 29.05.2018 / 15:51

1 answer

1

The session_start must come before any use of the variable $_SESSION , you are using this wrong:

<?php
if( !isset($_SESSION['usuario']) ) {

    @session_regenerate_id(true);
    unset($_SESSION['usuario']);
    @session_destroy();
    @session_start();
    echo "<script>window.alert('Acesso não autorizado [SECTION OFF]!');</script>";
    echo "<script>parent.location.href='home/';</script>";
    exit();

}
?>

While this use of arrobas to suppress the errors are confusing to you all, it was probably to be exhibiting some errors by faults in the way that you configured, problems in your script:

  • The session_start should come in the beginning
  • unset is unnecessary if isset already states that $_SESSION['usuario'] does not exist
  • It is not necessary to use session_regenerate_id and session_destroy at the same time, it is the same as changing the ID of something and then deleting it, it is in vain.

Simply do this:

<?php
session_start();

if ( !isset($_SESSION['usuario']) ) {
    echo "<script>window.alert('Acesso não autorizado [SECTION OFF]!');</script>";
    echo "<script>parent.location.href='home/';</script>";
    exit;
}

And in the other script do this:

<?php
if( !session_id() ) {
    session_start();
}
?>

See if there is a header error.

Login code problems

These issues do not affect, but are run-down:

$emailuserlogin = $_POST['admin_email'];
$emailuserlogin = strip_tags($emailuserlogin);
$emailuserlogin = addslashes($emailuserlogin);
$emailuserlogin = trim($emailuserlogin);

$passworduserlogin = $_POST['admin_senha'];
$passworduserlogin = strip_tags($passworduserlogin);
$passworduserlogin = addslashes($passworduserlogin);
$passworduserlogin = trim($passworduserlogin);
$passworduserlogin = md5($passworduserlogin);

It is not necessary to use strip_tags and addslashes if already using mysqli_real_escape_string , you can reduce a lot.

Another tip, whenever possible use include_once , only use include if it is something that can be included more than once, if not then use include_once

The problem that is probably affecting everything is that you are saving the value of mysqli_fetch_array and a variable, that function is not equal to the fetchAll of the PDO, it is similar to the use of yield , so this does not will work:

$usuario = mysqli_fetch_array($usuarioQuery);

$_SESSION['usuario'] = array();

foreach($usuario as $campo => $valor) {
    $_SESSION['usuario'][$campo] = $valor;
}

In fact, as your code returns only one item, then you do not even need to foreach or while, for simplicity you could simply make use of mysqli_fetch_assoc that will pick up only the columns and their values.

Another problem in your script is that session_start is probably missing (unless you added it in db.conn.php), add session_start(); to start

Do exactly this, do not change anything:

<?php
session_start();

include_once '../../_inc/db.conn.php';

define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
if(!IS_AJAX) {die('Acesso restrito');}

$pos = strpos($_SERVER['HTTP_REFERER'],getenv('HTTP_HOST'));
if($pos===false)
    die('Acesso restrito');

$emailuserlogin = $_POST['admin_email'];
$emailuserlogin = trim($emailuserlogin);

$passworduserlogin = $_POST['admin_senha'];
$passworduserlogin = trim($passworduserlogin);
$passworduserlogin = md5($passworduserlogin);

$usuarioSQL = "SELECT * FROM 'usuario' WHERE 'usuario_email' = '" . mysqli_real_escape_string($conn, $emailuserlogin) . "' AND 'usuario_senha' = '" . mysqli_real_escape_string($conn, $passworduserlogin) . "' LIMIT 1;";

$usuarioQuery = mysqli_query($conn, $usuarioSQL) or mysqli_error($conn);

$contaUsuario = mysqli_num_rows($usuarioQuery);

if ( $contaUsuario == 1 ) {

    $_SESSION['usuario'] = mysqli_fetch_assoc($usuarioQuery);

    echo "<h5 class='alert alert-success text-black font-bold'>Logado! Redirecionando...</h5>";
    echo "<script>setTimeout('parent.location.href=\"home\"', 1400);</script>";
    exit;

} else {
    echo "<h5 class='alert alert-danger text-black font-bold'><span class='text-bold'>Erro!</span> Login/Senha inválida.</h5>";
    exit;
}
?>
    
29.05.2018 / 16:12