session-based authentication code not working on shared host

My Auth code works locally but not on my host, and I'm debugging it to
find out why not.

Except where noted, I'll be referring to my webhost's configuration.
I'm using a .htaccess "AddHandler" directive to force php5.
I notice with the help of phpinfo() that I'm locally using "Apache 2
Handler" but my host uses CGI.
session.auto_start Off Off
I'm actually hosting this alpha site, wholly contained in a
subdirectory, but use relative references and links, so this should not
be an issue.
I do have access to logs.

The authentication will be used for a business site, to determine the
user and which office and data they should have access to.  Since my
host ruled out using "auto_prepend_file", I've come up with a variation
that should be equally effective.

Structure is something like this:
Any file that has processing or reports that are office specific will
force authentication:
include('MyAccessControl.php');  // (MAC) which consists of a lot of mixed mode php/html

The purpose of MAC is as follows:
- If you have a session and a user, use minimal processing and get
- If you don't provide an auth form ( with action, back to
    also, loop (restrict or exit) until user-password values match to
those in DB

MAC pseudo code
$user =    get from $_SESSION or from $_POST
if (!isset($user))   provide form, etc
  the key of course is action=$_SERVER['PHP_SELF']  which is not MAC
but the file that included MAC,  ie:  MyOfficeReport.php (MOR)

I'm not getting back to MOR, but I'm not getting any error either.
I'm getting a minimal html page, basically  empty  html-head-body

Pre test:  Noted when 1st seeing the auth form, source had
PHPSESSIONID=...  Looked good
One test:  print to a file the  basename($_SERVER['PHP_SELF'])   That
looked fine.
Two test:   set up a session and  user, then link to MOR, to see if it
would display correctly or show the Auth form  ( it showed the auth
form ).

Sorry for this explanation being long.  Anyone have a suggestion on
this?  TIA

Re: session-based authentication code not working on shared host

I'm finding a few sources of problems in the CGI log ( of shared host )
Is this an Apache log, filtered by errors on my domain ?

Hoping to clean up and run error-free asap.
I had a few fatal errors, based on require("foo"), which I can fix,
but I'm concerned with this one at this point.  see below

PHP Warning:  Unknown: Failed to write session data (files). Please
verify that the current setting of session.save_path is correct
(/var/php_sessions) in Unknown on line 0
PHP Warning:  Unknown:
open(/var/php_sessions/sess_cf7ce45dd2a55dd3be34a1a666321330, O_RDWR)
failed: No such file or directory (2) in Unknown on line 0

Seems pretty obvious, this is a hosting issue.

Re: session-based authentication code not working on shared host

awebguynow wrote:
Well, a configuration issue:


Which should be a path outside of the webroot (or at least protected by an
.htaccess file) that has writing permissions.

Further information to be found at:

Rik Wasmus
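
The advice in the reply above (a session save path outside the webroot that PHP can write to), as an added example that is not part of the original thread. It assumes PHP 7 or later; the function name `check_session_path` and the fallback directory `php_sessions` one level above the document root are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7 or later.

/**
 * Return the reasons $path is unsuitable as session.save_path;
 * an empty array means PHP can store session files there.
 */
function check_session_path(string $path, string $docroot): array
{
    $real = ($path === '') ? false : realpath($path);
    if ($real === false || !is_dir($real)) {
        // Same condition as the "No such file or directory (2)" warning.
        return ["'$path' does not exist or is not a directory"];
    }
    $problems = [];
    if (!is_writable($real)) {
        $problems[] = "$real is not writable by the account PHP runs as";
    }
    $root = realpath($docroot);
    if ($root !== false && strpos($real . '/', rtrim($root, '/') . '/') === 0) {
        $problems[] = "$real is inside the webroot, so session files may be served";
    }
    return $problems;
}

$docroot = ($_SERVER['DOCUMENT_ROOT'] ?? '') ?: __DIR__;
// session.save_path may be "N;/path" or "N;MODE;/path"; keep the last field.
$configured = substr(strrchr(';' . ini_get('session.save_path'), ';'), 1);
$problems = check_session_path($configured, $docroot);

if ($problems !== []) {
    error_log('session.save_path rejected: ' . implode('; ', $problems));
    // Hypothetical fallback: a private directory one level above the webroot.
    $private = dirname($docroot) . '/php_sessions';
    if (!is_dir($private)) {
        @mkdir($private, 0700, true);   // owner-only access
    }
    $problems = check_session_path($private, $docroot);
    if ($problems !== []) {
        error_log('fallback session path rejected: ' . implode('; ', $problems));
        exit('Session storage is not available.');
    }
    session_save_path($private);        // must run before session_start()
}
session_start();
```

Included at the top of the access-control file, this logs the reason the configured path fails instead of leaving only the "Unknown on line 0" warning at shutdown.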

Re: session-based authentication code not working on shared host

I'm making note of your comments, Rik

and also noticing some of the PHP user notes:

session_save_path()  required on every page that saves or accesses a

also security concerns, by webmaster at gardenchemicals

It looks like path should be FQ path from root of machine.
I'll check on write permissions and best place to store sessions.
Cookie path, I assume would be relative to htdocs/

session.cookie_path / /
session.save_path /var/php_sessions /var/php_sessions

Re: session-based authentication code not working on shared host

awebguynow wrote:
Only if you use session_save_path() on any page.   If php is configured  
correctly it is not needed.

I saw that also and completely dismissed it for too many reasons to go  
into here.

Remember - user notes are exactly that - USER NOTES.  They do not  
indicate the expertise level of whomever is posting the notes.  And they  
may or may not be accurate.

Best place for session data IMHO is /tmp.  But others have different  
opinions, also.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
