View Full Version : Logging script not fully logging in a user first time



tomharto
10-18-2011, 04:28 PM
Here's my login script (feel free to suggest any changes if you see a problem with it):


<?php
session_start();

include('include/config.php');

$username = mysql_real_escape_string($_POST['username']);
$password = hash("sha256", $_POST['password']);
$password = hash("sha256", md5($password));

if (isset($_POST['remember']))
{
    setcookie("cookremb", true, time()+60*60*24*100, "/");
    setcookie("cookname", $_POST['username'], time()+60*60*24*100, "/");
    setcookie("cookpass", $_POST['password'], time()+60*60*24*100, "/");
}

if (isset($_POST['username']) && isset($_POST['password']) ) {
    $sql = "SELECT * FROM members WHERE username='$username' AND password='$password'";
    $result = mysql_query($sql);
    $count = mysql_num_rows($result);
    if ($count == "1")
    {
        while($row = mysql_fetch_array($result))
        {
            setcookie("userID", $row['user_id'], time()+60*60*24*100, "/");
            $_SESSION['userID'] = $row['user_id'];

            $_SESSION['adminLevel'] = $row['member_level_int'];
            $IP = $_SERVER['REMOTE_ADDR'];
            $_SESSION['logged_in'] = 1;
        }

        $_SESSION['loggedIn'] = true;
        $_SESSION['logged_in'] = 1;
        $_SESSION['username'] = $username;

        $todayDate = date("Y-m-d H:i:s");

        $Sql = "UPDATE members SET `IP` = '$IP', `last_act` = '$todayDate' WHERE `user_id` = '".$_SESSION['userID']."'";
        $Res = mysql_query($Sql);
        if ($Res)
        {
            $_SESSION['logged_in'] = 1;
            header("Location: ".$_POST['redirect']."");
        }
        else
        {
            die("Error".mysql_error());
        }
    }
    else {
        echo 'Sorry username or password not correct!';
    }
}
?>

You need to be logged in to be able to view the profile page. If you load up my site and log in once (it logs in), then go to the profile page, it says you're not logged in. I then have to go back to the homepage and log in again, and then I can view the page. This only seems to happen the once. Can anyone see why this could be?

I believe it's the session 'logged_in' that ultimately defines whether you're logged in or not, and it's that which throws the "not logged in" error.

Fou-Lu
10-18-2011, 04:41 PM
A few things to note.



$username = mysql_real_escape_string($_POST['username']);
$password = hash("sha256", $_POST['password']);
$password = hash("sha256", md5($password));

This can't go here. $_POST may not be providing these values. You need to move that into the isset check.



setcookie("cookremb", true, time()+60*60*24*100, "/");
setcookie("cookname", $_POST['username'], time()+60*60*24*100, "/");
setcookie("cookpass", $_POST['password'], time()+60*60*24*100, "/");

Don't store passwords in cookies. These are much easier to intercept. If you must have a password stored, you will want to ensure that this has been encrypted in some way. I also suggest you do not store the username, rather an id associated with a session which is associated with a user. This takes a database to track, and will work especially well if you use a database derived salt or pepper for your passwords. Then you end up having an id which refers to a user, which can then be used to query a user's table to compare a partial password to the full password + salt/pepper. Nice.

The cookie should be moved into the rest of the isset check for the post fields.

Other than this, it's minor things ($count is a number, not a string). So it looks to me like this should be setting your sessions just fine. One thing to note is that a header will never append a SID if a cookie failed to establish during a session.
Check the script handling the $_POST['redirect']. You'll need to dump the session information to see what's in it and compare it to what's expected.
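
Added example (not part of the thread, and not either poster's code): one way to do what the reply above describes, putting an ID in the cookie that maps to a user on the server instead of the username or password. The `remember_tokens` table, its columns, the function names and the in-memory SQLite database are assumptions for illustration; it needs PHP 7.3+ with pdo_sqlite.

```php
<?php
// Added example: remember_tokens and its columns are assumed names.
function issueRememberToken(PDO $db, int $userId, int $ttl = 8640000): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, stored only as a hash
    $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;     // the only value that goes in the cookie
}

function consumeRememberToken(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                         // malformed cookie
    }
    $stmt = $db->prepare('SELECT token_hash, user_id, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null;                         // unknown selector or expired token
    }
    // Constant-time comparison of the stored hash with the presented validator's hash.
    if (!hash_equals($row['token_hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    // Single use: delete the token; the caller issues a fresh one after logging in.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    return (int) $row['user_id'];
}

// Constructed demo data: in-memory database and a made-up user id.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
           token_hash TEXT, user_id INTEGER, expires INTEGER)');

$cookie = issueRememberToken($db, 42);
// In a real login handler, inside the isset() check for the posted fields:
// setcookie('remember', $cookie, ['expires' => time() + 8640000, 'path' => '/',
//           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

var_dump(consumeRememberToken($db, $cookie));       // first presentation of the token
var_dump(consumeRememberToken($db, $cookie));       // same token replayed
var_dump(consumeRememberToken($db, 'no-separator')); // malformed value
```

A database leak here exposes only hashes of random validators, and a stolen cookie stops working once the legitimate user's next visit consumes and replaces the token.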

tomharto
10-18-2011, 04:53 PM
The redirect just goes back to the homepage. I'll do a dump there of all session values, and I'll remove the cookie userID because I've changed some things and it's no longer used. Thanks for the tips on the other bits too, I'll make those changes :)

tomharto
10-20-2011, 08:47 PM
Okay, after outputting the session array it turns out that when I first go to the profile page none of the values are there. I did it in this order:

Loading the site -> No values (Okay)
Logged in -> Values all there and all correct (Okay)
Went to profile page -> No values again (?)
Homepage -> No values (Okay)
Log in -> Values all correct (Okay)
Profile page -> Values there (Okay)

I know it's hard for you to say without me posting all my script here, but are there any known issues with sessions ending? Also, I have session start at the top of every page, but I think it might be in some included files too. Could having 2 session_starts be stopping the session? Although I don't get why it works the second time around.

Fou-Lu
10-20-2011, 09:09 PM
No, you can have as many session_start calls as you want, as long as they are not failing due to headers being sent prior.
Change your header call to this:


header("Location: ".$_POST['redirect']."?t=" . time() . "&" .SID);

Assuming that the redirect contains no querystring. Does that work?

tomharto
10-20-2011, 09:17 PM
Well, once I've logged in twice it's hard to recreate the error, but I've added that in, so next time I get this bug I'll post the results.

Fou-Lu
10-20-2011, 10:42 PM
Well, once I've logged in twice it's hard to recreate the error, but I've added that in, so next time I get this bug I'll post the results.

Clear the sessions by removing them from the session storage directory (or db), and delete your cookies. Also, can you try to use . session_name() . "=" . session_id() . in place of the . SID . if the SID doesn't work?

tomharto
10-30-2011, 06:11 PM
Sorry about the late reply. The SID didn't work, but I tried the other method and this is what I got in the URL:

First time
n=PHPSESSID&i=3jg1qnlfg6d2m32034dbb2shv0

Second time
n=PHPSESSID&i=lma93vsnmb5j8r0afj8bi80rt7

And I still can't see why the session isn't setting the first time but it is the second.

Adee
10-30-2011, 06:16 PM
You don't need to use a while loop since you're only fetching one user.


