  • #1
    Regular Coder
    Join Date
    Jul 2010
    Location
    Sheffield
    Posts
    824
    Thanks
    93
    Thanked 18 Times in 18 Posts

    Logging script not fully logging in a user first time

    Here's my login script (feel free to suggest any changes if you see a problem with it):

    PHP Code:
    <?php
    session_start();

    include('include/config.php');

    $username = mysql_real_escape_string($_POST['username']);
    $password = hash("sha256", $_POST['password']);
    $password = hash("sha256", md5($password));

    if (isset($_POST['remember']))
    {
        setcookie("cookremb", true, time()+60*60*24*100, "/");
        setcookie("cookname", $_POST['username'], time()+60*60*24*100, "/");
        setcookie("cookpass", $_POST['password'], time()+60*60*24*100, "/");
    }

    if (isset($_POST['username']) && isset($_POST['password'])) {
        $sql = "SELECT * FROM members WHERE username='$username' AND password='$password'";
        $result = mysql_query($sql);
        $count = mysql_num_rows($result);
        if ($count == "1")
        {
            while ($row = mysql_fetch_array($result))
            {
                setcookie("userID", $row['user_id'], time()+60*60*24*100, "/");
                $_SESSION['userID'] = $row['user_id'];
                $_SESSION['adminLevel'] = $row['member_level_int'];
                $IP = $_SERVER['REMOTE_ADDR'];
                $_SESSION['logged_in'] = 1;
            }

            $_SESSION['loggedIn'] = true;
            $_SESSION['logged_in'] = 1;
            $_SESSION['username'] = $username;

            $todayDate = date("Y-m-d H:i:s");

            $Sql = "UPDATE members SET `IP` = '$IP', `last_act` = '$todayDate' WHERE `user_id` = '".$_SESSION['userID']."'";
            $Res = mysql_query($Sql);
            if ($Res)
            {
                $_SESSION['logged_in'] = 1;
                header("Location: ".$_POST['redirect']."");
            }
            else
            {
                die("Error".mysql_error());
            }
        }
        else {
            echo 'Sorry username or password not correct!';
        }
    }
    ?>
    You need to be logged in to be able to view the profile page. If you load up my site, log in once (it logs in), then go to the profile page, it says you're not logged in; then I have to go back to the homepage, re-login, and then I can view the page. This only seems to happen the once. Can anyone see why this could be?

    I believe it's the session 'logged_in' that ultimately defines whether you're logged in or not, and it's that which throws the "not logged in" error.

  • #2
    Fou-Lu (God Emperor)
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    A few things to note.
    PHP Code:
    $username = mysql_real_escape_string($_POST['username']);
    $password = hash("sha256", $_POST['password']);
    $password = hash("sha256", md5($password));
    This can't go here. $_POST may not be providing these values. You need to move that into the isset check.

    PHP Code:
    setcookie("cookremb", true, time()+60*60*24*100, "/");
    setcookie("cookname", $_POST['username'], time()+60*60*24*100, "/");
    setcookie("cookpass", $_POST['password'], time()+60*60*24*100, "/");
    Don't store passwords in cookies. These are much easier to intercept. If you must have a password stored, you will want to ensure that this has been encrypted in some way. I also suggest you do not store the username, rather an id associated with a session which is associated with a user. This takes a database to track, and will work especially well if you use a database derived salt or pepper for your passwords. Then you end up having an id which refers to a user, which can then be used to query a user's table to compare a partial password to the full password + salt/pepper. Nice.

    The cookie should be moved into the rest of the isset check for the post fields.

    Other than this, its minor things ($count is a number, not a string). So it looks to me like this should be setting your sessions just fine. One thing to note is that a header will never append a SID if a cookie failed to establish during a session.
    Check the script handling the $_POST['redirect']. You'll need to dump the session information to see what's in it and compare it to what's expected.

  • Users who have thanked Fou-Lu for this post:

    tomharto (10-18-2011)
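    Putting Fou-Lu's points together (everything that reads $_POST inside the isset check, no password or username in the cookie, a database-tracked remember-me id tied to the user, and a single fetched row, which is also post #9's point), here is an added example that is not tomharto's script or anything Fou-Lu posted. It assumes a PDO handle `$pdo` coming from include/config.php, a `password_hash` column in `members` holding password_hash() output instead of the sha256(md5()) value, a `remember_tokens` table (user_id, selector, validator_hash, expires), and PHP 7.3+ for the array form of setcookie(). It goes beyond the thread in two places, both named in the comments: password_verify() replaces the sha256/md5 construction, and the redirect is restricted to a local path.

```php
<?php
// Added example, not the thread's own code. Assumed: $pdo (PDO) from
// include/config.php; members(user_id, username, password_hash,
// member_level_int, IP, last_act); remember_tokens(user_id, selector,
// validator_hash, expires). Requires PHP 7.3+ (setcookie options array).
session_start();
include 'include/config.php';

// Post #2: nothing touches $_POST until we know the fields are present.
if (isset($_POST['username'], $_POST['password'])) {
    $username = $_POST['username'];

    // Prepared statement: the username is bound, never interpolated into SQL.
    $stmt = $pdo->prepare(
        'SELECT user_id, password_hash, member_level_int FROM members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // one row, so no while loop (post #9)

    // password_verify() against a password_hash() value; this is swapped in
    // for the sha256(md5()) construction of the original script.
    if ($row && password_verify($_POST['password'], $row['password_hash'])) {
        // New session id at login so an id issued before login cannot be reused.
        session_regenerate_id(true);
        $_SESSION['userID']     = $row['user_id'];
        $_SESSION['adminLevel'] = $row['member_level_int'];
        $_SESSION['username']   = $username;
        $_SESSION['logged_in']  = 1;

        $upd = $pdo->prepare('UPDATE members SET `IP` = ?, `last_act` = ? WHERE `user_id` = ?');
        $upd->execute([$_SERVER['REMOTE_ADDR'], date('Y-m-d H:i:s'), $row['user_id']]);

        // "Remember me" (post #2): a random token that refers to the user in
        // the database. The cookie never carries the password or the username.
        if (isset($_POST['remember'])) {
            $selector  = bin2hex(random_bytes(8));   // lookup key
            $validator = bin2hex(random_bytes(32));  // secret half
            $expires   = time() + 60 * 60 * 24 * 100;
            $ins = $pdo->prepare(
                'INSERT INTO remember_tokens (user_id, selector, validator_hash, expires) VALUES (?, ?, ?, ?)'
            );
            // Only the hash of the validator is stored, so a read of the table
            // does not yield usable cookies.
            $ins->execute([$row['user_id'], $selector, hash('sha256', $validator), $expires]);
            setcookie('remember', $selector . ':' . $validator, [
                'expires'  => $expires,
                'path'     => '/',
                'secure'   => true,   // HTTPS only
                'httponly' => true,   // not readable from script
                'samesite' => 'Lax',
            ]);
        }

        // Beyond the thread: accept only a local path as the redirect target,
        // so a posted redirect cannot send the user to another host.
        $redirect = $_POST['redirect'] ?? '/';
        if (!preg_match('#^/[^/\\\\]#', $redirect)) {
            $redirect = '/';
        }
        header('Location: ' . $redirect);
        exit; // stop here: nothing after a redirect should keep executing
    }

    echo 'Sorry username or password not correct!';
}
```

    On a later visit, the remember cookie is handled by looking up the selector, hashing the presented validator and comparing it with hash_equals() against validator_hash, then starting a session for that user_id; the password itself is never involved. The redirect check rejects values that do not start with a single "/" (so "//evil" and "http://evil" both fall back to "/").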

  • #3
    Regular Coder
    Join Date
    Jul 2010
    Location
    Sheffield
    Posts
    824
    Thanks
    93
    Thanked 18 Times in 18 Posts
    The redirect just goes back to the homepage. I'll do a dump there of all session values, and I'll remove the cookie userID because I've changed some things and it's no longer used. Thanks for the tips on the other bits too; I'll make those changes.

  • #4
    Regular Coder
    Join Date
    Jul 2010
    Location
    Sheffield
    Posts
    824
    Thanks
    93
    Thanked 18 Times in 18 Posts
    Okay, after outputting the session array it turns out that when I first go to the profile page none of the values are there. I did it in this order:

    Loading the site -> No values (Okay)
    Logged in -> Values all there and all correct (Okay)
    Went to profile page -> No values again (?)
    Homepage -> No values (Okay)
    Log in -> Values all correct (Okay)
    Profile page -> Values there (Okay)

    I know it's hard for you to say without me posting all my script here, but are there any known issues with sessions ending? Also, I have session_start at the top of every page, but I think it might be in some included files too; could having two session_starts be stopping the session? Although I don't get why it works the second time around.

  • #5
    Fou-Lu (God Emperor)
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    No, you can have as many session_start calls as you want, as long as they are not failing due to headers being sent prior.
    Change your header call to this:
    PHP Code:
    header("Location: " . $_POST['redirect'] . "?t=" . time() . "&" . SID);
    Assuming that the redirect contains no querystring. Does that work?

  • #6
    Regular Coder
    Join Date
    Jul 2010
    Location
    Sheffield
    Posts
    824
    Thanks
    93
    Thanked 18 Times in 18 Posts
    Well, once I've logged in twice it's hard to recreate the error, but I've added that in, so next time I get this bug I'll post the results.

  • #7
    Fou-Lu (God Emperor)
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Quote Originally Posted by tomharto
    Well, once I've logged in twice it's hard to recreate the error, but I've added that in, so next time I get this bug I'll post the results.
    Clear the sessions by removing them from the session storage directory (or db), and delete your cookies. Also, can you try to use . session_name() . "=" . session_id() . in place of . SID . if the SID doesn't work?

  • #8
    Regular Coder
    Join Date
    Jul 2010
    Location
    Sheffield
    Posts
    824
    Thanks
    93
    Thanked 18 Times in 18 Posts
    Sorry about the late reply. The SID didn't work, but I tried the other method and this is what I got in the URL:

    First time
    n=PHPSESSID&i=3jg1qnlfg6d2m32034dbb2shv0

    Second time
    n=PHPSESSID&i=lma93vsnmb5j8r0afj8bi80rt7

    And I still can't see why the session isn't setting the first time but it is the second.
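    The two URLs above show the session id changing between the first and second login, which means the browser did not send back the id the first login response issued. The following is an added diagnostic, not code from the thread, that checks the things Fou-Lu's posts #5 and #7 point at (output sent before session_start(), cookies not being stored) plus the cookie scope, and writes a report to the server error log. It assumes it is included at the very top of every page, before any output; the function and report keys are this example's own. It also sets cookie-only, strict-mode sessions, which makes the "&SID" workaround unnecessary, something the thread does not cover.

```php
<?php
// Added diagnostic, not the thread's own code. Include before any output.

function session_diag(): array
{
    $report = [];

    // 1. If output has already been sent, session_start() cannot add its
    //    Set-Cookie header, and the next request arrives with no session.
    $file = $line = null;
    $report['headers_sent'] = headers_sent($file, $line);
    if ($report['headers_sent']) {
        $report['output_started_at'] = $file . ':' . $line;
    }

    // 2. Did the browser present a session cookie on this request at all?
    $name     = session_name();
    $received = $_COOKIE[$name] ?? null;
    $report['cookie_name']     = $name;
    $report['cookie_received'] = $received !== null;

    // 3. Cookie-only, strict-mode sessions: the id never travels in the URL,
    //    and an id the server did not issue is replaced instead of adopted.
    //    These must be set before session_start(), hence the status check.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.use_only_cookies', '1');
        ini_set('session.use_strict_mode', '1');
        session_start();
    }
    $report['session_active'] = session_status() === PHP_SESSION_ACTIVE;

    // A fresh id with cookie_received=false means the previous response's
    // cookie was not stored or not sent; a mismatch with cookie_received=true
    // means the presented id was rejected or regenerated.
    $report['id_matches_cookie'] = ($received !== null && $received === session_id());
    // Log only a prefix: the full id is a bearer credential.
    $report['session_id_prefix'] = substr(session_id(), 0, 6);

    // 4. Cookie scope: a path or domain that excludes the profile page, or a
    //    www/non-www host change between pages, gives exactly "logged in on
    //    one page, logged out on the next".
    $params = session_get_cookie_params();
    $report['cookie_path']   = $params['path'];
    $report['cookie_domain'] = $params['domain'];
    $report['cookie_secure'] = $params['secure'];
    $report['request_host']  = $_SERVER['HTTP_HOST'] ?? '';
    $report['request_uri']   = $_SERVER['REQUEST_URI'] ?? '';
    $report['session_keys']  = array_keys($_SESSION);

    return $report;
}

// Server-side log, not the page, so the report can be read without changing
// the response or exposing session data to the browser.
error_log('session_diag: ' . json_encode(session_diag()));
```

    Reading the log for the sequence in post #4: the login request should show cookie_received=false and a fresh id, and the very next request (the profile page) should show cookie_received=true and id_matches_cookie=true with the same prefix. If the profile request instead shows cookie_received=false, compare request_host and request_uri with cookie_domain and cookie_path, and check headers_sent on the login request; if cookie_received=true but id_matches_cookie=false, the id was rejected or regenerated between the two requests.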

  • #9
    Regular Coder
    Join Date
    Jul 2010
    Location
    Oregon City
    Posts
    280
    Thanks
    5
    Thanked 50 Times in 49 Posts
    You don't need to use a while loop, since you're only fetching one user.

