Understanding $_SESSION

I think $_SESSION is a dictionary, (at least that’s what I’d call it in Python). The key is in [‘key’], the value is assigned, like:

$_SESSION[‘loginerror’] = ‘No account associated with this email’;

I think I can make up my own keys. I have for example:

$_SESSION[‘email’] = $email;
$_SESSION[‘password’] = $password;

Question: Is $_SESSION[‘success’] a fixed key??

When I changed this to $_SESSION[‘loginsuccess’], the user was verified, I see the message ‘User verification successful’ on the login page, but I did not proceed to the target webpage. Change it back to $_SESSION[‘success’] = “something” and I go to the target webpage

if(password_verify($password, $user['password'])){
					//action after a successful login
					//for now just message a successful login
					$_SESSION['success'] = 'User verification successful';
					// include statement works, location statement does not work WHY??
					//header('location: 19BEsW13.html.php');
					include 'NE_EAP2_IRexam.html.php';    					
					exit();
				}

I would never put a password in $_SESSION as that would be very insecure.

Telling us that things don’t working is pointless, since we don’t know what you actually saw in front of you that leads you to believe that it didn’t work.

The key you use is whatever name that makes sense, but you would need to use the same key everywhere in the code for any particular purpose.

Changing the key name of a session variable won’t affect the actual operation of a header() redirect, it simply cannot. If it ‘appears’ like it did, you are probably redirecting to the target page, then redirecting back to the original page. It would take having all the relevant code to actually help you with the cause of the problem. A snippet at one point in the process doesn’t tell us what your full code is capable of doing.

BTW - best design practice is to not redirect all over your site. The only place you should have a redirect is upon successful completion of post method from processing code and you would redirect to the exact same URL of that page to cause a GET request for that page. Any navigation to other pages from that page should be handled by providing links for the user to decide where he wants to go.

Oh, the WHY was a question for myself to delve into at some point in time, not the question here. If include works, I’m happy!

My problem was, when I changed $_SESSION[‘success’] to $_SESSION[‘loginsuccess’], I saw my success message echoed in the index.php login page, but I was not lead to the target page. As soon as I changed it back, I was taken straight to the target page on login.

Can’t explain that, probably a mistake on my part somewhere, which is why I asked if $_SESSION[‘success’] was a fixed, unalterable entity!

$_SESSION[‘password’] was just to echo it in case of a login error. I could see all the input, email, password, confirm password, name, number to help me find the problem!

‘If it ain’t broke, don’t fix it’ seems appropriate here!

Outputting anything on a web page before a header() statement will prevent the header() statement from working. There would be a php error about cannot sent header() output already started at … Do you have php’s error_reporting set to E_ALL and display_errors set to ON, so that php would help you by reporting and displaying all the errors it detects? You will save a ton of time.

You mean this in /home/pedro/etc/php/7.2/php.ini ?? I hope I have set it correctly to On!

display_errors
Default Value: On
; Development Value: On
; Production Value: Off

; display_startup_errors
; Default Value: Off
; Development Value: On
; Production Value: Off

error_reporting
Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
; Development Value: E_ALL
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT

Click the button ‘login’ in my index.php and it calls login.php, the first part of which is:

<?php
	//start PHP session
	session_start();

	//check if login form is submitted
	if(isset($_POST['login'])){
		//assign variables to post values
		$email = $_POST['email'];
		//echo 'name is ' .$email . '<br>';
		$password = $_POST['password'];
		//echo 'password is ' . $password . '<br>';

		//include our database connection
		include 'conn.php';

		//get the user with email
		$stmt = $pdo->prepare('SELECT * FROM NeilSY_Exams WHERE email = :email');
		
		try{
			$stmt->execute(['email' => $email]);
			//echo 'name is ' . $email. '<br>';

			//check if email / name in this case exists
			if($stmt->rowCount() > 0){
				//get the row
				$user = $stmt->fetch();
				//echo 'encrypted password is ' . $user['password'] . '<br>';

				//validate the password with $user password
				if(password_verify($password, $user['password'])){
					//action after a successful login
					//for now just message a successful login
					$_SESSION['success'] = 'User verification successful';
					// include statement works, location statement does not work WHY??
					//header('location: 19BEsW13.html.php');
					include 'NE_EAP2_IRexam.html.php';
					//header('location: NE_EAP2_IRexam.html.php');
					exit();
				}

$_SESSION[‘success’] is assigned a value. Does that count as an output before “header(‘location: 19BEsW13.html.php’);” ？？

those lines in the php.ini are COMMENTS that list suggested values. those are not the assignments statements that set the values. the assignment statements that set the values look like display_errors = ON and error_reporting = E_ALL

This is not a comment on your logic or use of $_SESSION variables in your code. When you are learning a new language, there is a tendency to build analogies in your head that correlate an element of the new language to an element in a language you already know. This is a very useful technique, but has some flaws.

In PHP, the $_SESSION variable is actually an associative array (not a directory) that is globally available to the user that has started that session. There are several of these kinds of associative arrays like $_REQUEST, $_SERVER and $GET. To familiarize yourself with what is in those "$" variables you can use the print_r function to display the contents of that variable.

For example, you could use “print_r($_SESSION);” to find out what is in your $_SESSION variable.

Another useful device to help better understand things that may (or may not) be available to your scripts is a function called phpinfo(). One of the first things that I do when building an app in php is create a script called phpinfo.php. It only contains the phpinfo() function.

Running that gives you oodles of information about your working environment.

By the way, someone please correct me if I’m wrong. But, passing variables between modules in $_SESSION variables is a pretty secure way to do it because the $_SESSION variables are encrypted using the session id as the encryption key.

There’s no encryption of the data. The default session data storage, stores the session data in a file on the server, using a modified version of serialize()/unserialize(), and using the session id as part of the filename.

Calgeorge,
I think you may be confused about $_SESSION data still. Think of it just as another ARRAY. It is an array like any others. But, when you move to another page, all PHP arrays are erased. They do not carry over to the next page. The $_SESSION array is stored on the server with the current web session-ID and therefore it does not get erased. It is removed from the server after a set time once you leave the site.

This makes it very secure because the user can not see the data on the server. But as others have said, you normally would never store a password in it.

Also, since it is an array, you can store just about anything inside it. For instance, you can store another array like a shopping cart. If you create a shopping cart array with all the items, quantities and prices, you can save it in the $_SESSION array and pass it on to the make payment page. It is very handy. Each entry uses a name or KEY and the data or VALUE just like any other array does. It is simple enough.
Hope this extra info helps…