lonelym

Already Sent Session Cookies?

Er, this is the second topic I've posted about session problems. Here's the html file that keeps showing up:

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\xampp\htdocs\index2\loggingin.php:2) in C:\Program Files\xampp\htdocs\index2\loggingin.php on line 39
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\xampp\htdocs\index2\loggingin.php:2) in C:\Program Files\xampp\htdocs\index2\loggingin.php on line 39
Fatal error: Call to undefined function makeform() in C:\Program Files\xampp\htdocs\index2\loggingin.php on line 75

And here's my PHP code: (Don't worry, I am trying this out offline so there's really no problem)
<?PHP
// retrieve the submitted values
$username1 = @$HTTP_POST_VARS["username"];
$password1 = @$HTTP_POST_VARS["password"];
$rememberMe = @$HTTP_POST_VARS["rememberMe"];
// make sure that rememberMe has a value
if ($rememberMe == "rememberMe"){
	$rememberMe = "1";
}
else{
	$rememberMe = "0";
}
// let the config.php file connect to the database
include("config.php");
// check it the username exist
$query = "Select * from ".$DBprefix."signup where username='$username1'";
$result = mysql_query($query);
if ($row = mysql_fetch_array($result)){
	// check if his account is activated, if not skip to this if's else case
	if ($row["actnum"] == "0"){
		// and check if his account is not loccked, if not skip to this if's else case
		if ($row["numloginfail"] <= 5){
			// finally we check the database to see if the password is correct, if not skip to this if's else case
			if ($row["password"] == $password1){
				// we determin the date for the lastlogin - field.
				////Custom//
				if ($row["lastlogin"] == 0){
					$datetime = date("m d, y");
					// and we update that field
					$query = "UPDATE ".$DBprefix."signup Set lastlogin = '$datetime' where username='$username1'";
					$result = mysql_query($query);
					// now that the correct password is used to log-in, reset the numloginfail-field to 0
					$query = "UPDATE ".$DBprefix."signup Set numloginfail = '0' where username='$username1'";
					$result = mysql_query($query);
					session_start();
					session_unset();
					session_destroy();
					// put the password in the session
					@ session_register("pass");
					$HTTP_SESSION_VARS["pass"] = $password1;
					// put the username in the session
					@ session_register("id");
					$HTTP_SESSION_VARS["id"] = $username1;
					// send the the cookie if needed
					if($rememberMe=="1"){
						setcookie("rememberCookieUname",$username1,(time()+604800));
						setcookie("rememberCookiePassword",md5($password1),(time()+604800));
					}
					// go to the secured page.
					header("Location: members/learn1.php");
				}
				else{
					$datetime = date("M d,Y");
					// and we update that field
					$query = "UPDATE ".$DBprefix."signup Set lastlogin = '$datetime' where username='$username1'";
					$result = mysql_query($query);
					// now that the correct password is used to log-in, reset the numloginfail-field to 0
					$query = "UPDATE ".$DBprefix."signup Set numloginfail = '0' where username='$username1'";
					$result = mysql_query($query);
					// tell we want to work with sessions
					session_start();
					// remove al the data from the session (auto logoff)
					session_unset();
					// remove the session itself
					session_destroy();
					// put the password in the session
					@ session_register("pass");
					$HTTP_SESSION_VARS["pass"] = $password1;
					// put the username in the session
					@ session_register("id");
					$HTTP_SESSION_VARS["id"] = $username1;
					// send the the cookie if needed
					if($rememberMe=="1"){
						setcookie("rememberCookieUname",$username1,(time()+604800));
						setcookie("rememberCookiePassword",md5($password1),(time()+604800));
					}
					// go to the secured page.
					header("Location: members/news.php");
				}
			}
			else{
				// else the password is incorrect. Therofore we have to update the numloginfield and lastloginfail field
				// first we set $datetime to the current time in a format that we can use to calculate with.
				$datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
				// then we check if the last log-in fail was less than 5 minutes ago.
				if ($row["lastloginfail"] >= ($datetime-5)){
					// if it is  we update both the numloginfail & the lastloginfail fields.
					$query = "UPDATE ".$DBprefix."signup Set numloginfail = numloginfail + 1 where username='$username1'";
					$result = mysql_query($query);
					$query = "UPDATE ".$DBprefix."signup Set lastloginfail = '$datetime' where username='$username1'";
					$result = mysql_query($query);
				}
				else{
					// if it is more than 5 minutes ago, just set the lastloginfail field.
					$query = "UPDATE ".$DBprefix."signup Set lastloginfail = '$datetime' where username='$username1'";
					$result = mysql_query($query);
				}
				// and ofcourse we tell the user that his log-in failed.
				makeform($incorrectLogin);
			}
		}
		// if the numloginfail value is larger than 5 that means there someone tryed to break the password by brute force
		// we will now check how long ago the lock was engaged. it is is more than half an hour ago is, then we will unlock the account
		// and ask the user to login 1 more time to validate it is really him.
		else {
			$datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
			if ($row["lastloginfail"] <= ($datetime-30)){
				// set the numloginfail value to 5 so the user has 1 change to enter his password.
				$query = "UPDATE ".$DBprefix."signup Set numloginfail = '5' where username='$username1'";
				$result = mysql_query($query);
				// ask the user to enter his username/password once again. Also we set the username field
				// to the name the username entered in the first login of this user. By doing this the makeform function
				// disables the username-field.
				makeform($underAttackReLogin, "$username1");
			}
			else{
				// if it is less than 30 minutes ago ask the user to wait untill the lock is released again.
				echo $underAttackPleaseWait;
			}
		}
	}
	// if the actnum is other than 0 that means the account has not been activated yet.
	else{
		makeform($accountNotActivated);
	}
}
// if the username does not exist we check it is filled in.
else{
	// if it isn't filled we assum that this is the page load and we show the form without an error.
	if ($username1 == ""){
		makeform("");
	}
	else {
		// if the form is filled it that means that the username does not exist. Therefore we show the form
		// with an error. We can not change the numloginfail or lastloginfail fields for the brute forece attack
		// because the attack isn't pointed at one user.
		makeform($incorrectLogin);
	}
}
// this function shows the form.
// ....m($errormessage="", ... indicates an optionale argument for this function, same for $username.
function makeform($errormessage="", $username2 = ""){
// If you are planning to use A.L.S. for your website, enter the html for your login page below.
// note that that the php codes shouls stay in the place they are now.
// this means (example):
// --your html--
// the place for your errorcode: <?PHP ...(etc) ... ? > (without the space between ? and >)
// -- more html --
// form start, the form actions should be login.php
// the username field (login.php only, other pages: same rules as for other fields):
// <input name="username" type="text" id="username" value=<?PHP ... (etc) ... ? > (without the space between ? and >)
// -- rest of form --
// -- rest of page --
// end of example
// ... (etc) ... indicates the php code between <?PHP and  ? > (without the space between ? and >)
// note: your are allowed to change arguments of the formfields, exept for:
// 'name', 'id', 'type'. al other arguments maybe changed.
?>

This is the logging in PHP file. You are directed here after POSTing your data from the login.php page.

The config file has the DB connection and the username, server type, and password.

I just can't understand what's wrong. Can anyone help?

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\xampp\htdocs\index2\loggingin.php:2) in C:\Program Files\xampp\htdocs\index2\loggingin.php on line 39
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\xampp\htdocs\index2\loggingin.php:2) in C:\Program Files\xampp\htdocs\index2\loggingin.php on line 39
Fatal error: Call to undefined function makeform() in C:\Program Files\xampp\htdocs\index2\loggingin.php on line 75

session_start();
session_unset();
session_destroy();
...
// send the the cookie if needed
if($rememberMe=="1"){
	setcookie("rememberCookieUname",$username1,(time()+604800));
	setcookie("rememberCookiePassword",md5($password1),(time()+604800));
}

Choose one of them: session or cookies. You cannot use both at the same time because they always set headers.
Edited by mHelmy (see edit history)
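
An added example, not code from either post: a login handler that checks `headers_sent()` before touching the session, so the file and line of any early output are reported, and that keeps neither the password in the session nor an MD5 of it in a cookie. The `$users` array, the `$rememberTokens` store and the `rememberToken` cookie name are constructed stand-ins, and the array form of `setcookie()` assumes PHP 7.3 or later.

```php
<?php
// Added example, not the poster's code. Nothing (not even a blank line or a BOM)
// may come before the opening tag above, or the header calls below will fail.
declare(strict_types=1);

// Constructed sample account; a real handler would load this row with a
// prepared statement instead of concatenating $_POST into the SQL string.
$users = ['alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$rememberTokens = [];   // hypothetical stand-in for a server-side token table

function login(array $users, array &$tokens, string $name, string $pass, bool $remember): bool
{
    // Fail early, naming the exact location, if something already produced output.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("output already started at $file:$line");
    }
    if (!isset($users[$name]) || !password_verify($pass, $users[$name]['hash'])) {
        return false;
    }
    // 'secure' limits the cookie to HTTPS; relax it only for plain-HTTP local testing.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);      // fresh id after authentication (anti-fixation)
    $_SESSION['id'] = $name;          // identity only, never the password

    if ($remember) {
        // Random token goes in the cookie; only its hash is kept server-side.
        $token = bin2hex(random_bytes(32));
        $tokens[hash('sha256', $token)] = ['user' => $name, 'expires' => time() + 604800];
        setcookie('rememberToken', $token, [
            'expires' => time() + 604800, 'path' => '/',
            'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
        ]);
    }
    header('Location: members/news.php');
    return true;
}

$ok = login($users, $rememberTokens,
            $_POST['username'] ?? '', $_POST['password'] ?? '',
            ($_POST['rememberMe'] ?? '') === 'rememberMe');
if (!$ok) {
    http_response_code(401);
    echo 'Incorrect username or password.';   // body output comes last, after all headers
}
```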
