session and cookie problem

05-19-2004, 02:23 PM
grr, I am just so stumped with this one.
I have a login form on my site and when you login, it records your username and password into a session and a cookie. Now, I also have an option that lets you log out, which deletes the cookie and the session, but for some reason when I log back in with a different username/password, it keeps bringing up the settings of my previous cookie and session, which was deleted. I tested many things: 1) the cookie and session ARE deleted when logout is pressed, I tested with an echo. 2) when I login with a new username, it DOES record the new username/password to cookie and session, once again I have tested this with echo. HOWEVER, once the page refreshes, it goes right back to the previous username login.
I don't understand what is happening.
?? any suggestions?

after more testing, the session and cookie values seem to be different, this is weird because I would close the browser, start a new window and the session value would STILL be on the previous login username and password. ???
that isn't right :mad:

ok, i'm freaking out now, haha, this just isn't making sense.
the first time i load my page it displays the correct information
no session, but cookie is correct
second time i load the page
session = cookie which is correct
THIRD time i load the page
session CHANGES to previous login info, and i have not put that info in, so how is it getting this info, when all i am doing is refreshing the page?

05-19-2004, 03:00 PM
Why are you storing the username and pwd in a session and a cookie?

They should not be stored in either of them. You should store a userID or something like that in there (the primary key value of your usertable, you validate the login-data against). Or even better: use a table where you store the userID and the PHP-sessionID. You can then look up the details like
$sql = "SELECT usertable.username FROM usertable INNER JOIN sessiontable ON usertable.userID = sessiontable.userID WHERE sessiontable.PHP_SID = '" . session_id() . "' AND sessiontable.sessionstatus = 1";

the session.sessionstatus=1 then means that it's an active session.
When the user logs out, you can change the sessionstatus to 2 or whatever.
When the user logs in, you can check against this table if he really is logged out --> if he doesn't have a record with session.sessionstatus=1.

Storing username and pwd in sessions and cookie is a rather big and unnecessary security risk.

Since we don't see any code, i can only assume that you had more than one browser window open, which keeps the session alive. Or the code you used isn't right.
To kill the session, try this

setcookie( session_name() ,"",0,"/");

<edit>Since it seems to be related to the refreshing, i'd assume it's some sort of strange caching-problem, but my money would still be on some incorrect code. Display the timer() value or a datetime inside the page and then look if it gets updated each time you refresh + if it 'jumps back' on that third refresh.</edit>

05-19-2004, 03:26 PM
i don't understand what you mean by making a session table
is it like when a new session starts, insert a row into the table with sessionid and userid info?
then do i delete it when the session ends?
why would it be a security risk if i stored username/password in cookies and sessions?
i used them because it made passing user data from the table easier from page to page without making a million calls to the db. it just seemed the easy thing to do.

i don't have more than one browser open now and it is still screwed up. Actually, after putting in your suggested method to remove the cookie and session, when i log out, it didn't log out at all, it kept switching between two different usernames but with the same password
I don't even know what error to look for?
I tried searching for all $_SESSION['username']
but there's nothing that looked out of place.

05-19-2004, 04:00 PM
it's basically bad to store the username and pwd inside session variables or cookies, because they can then be disclosed to others. Certainly if you use a shared computer (universities, libraries etc), then your cookie can be read (after cracking if necessary) by the next users. cookies can also simply be stolen. The session variables can be disclosed using session hijacking and cross site scripting. Certainly if you're on a server with register_globals=on
And besides the danger that they can be disclosed: i cannot think of a single situation where you'd need the username or pwd after the login.

i've written a few apps where i do a login check + compare the user profile with the minimum required security profile for the requested page + selected parts of the page (menu, http-header details etc) from the db, and never noticed any problem with making selects for each requested page, so i don't understand your concern there. but feel free to do it your way.

about your logout-problem. There is really not much sensible we can say about it, without seeing any code. I am 100% sure that the code i posted will destroy the session, because
- i've used it without any problem;
- you'll find almost the exact same code in the manual;
- i've posted it here before and other people told me it worked.
so i can only recommend you make sure you're not getting cached pages (for instance by printing the date and time etc)
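The session-table approach from the earlier reply and the "look it up from the db on every page" advice in this one, put together as an added example (not code from either poster). It assumes a PDO connection $db, a usertable(userID, username, pwhash) holding password hashes, the sessiontable(userID, PHP_SID, sessionstatus) described above, and PHP's password_verify/session_regenerate_id.

```php
<?php
// Added example: only the userID goes into $_SESSION, the username is fetched
// per request through the session table, and logout clears all three places
// (session table row, server-side session data, session cookie).
session_start();

function login(PDO $db, string $user, string $pw): bool {
    $st = $db->prepare('SELECT userID, pwhash FROM usertable WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pw, $row['pwhash'])) {
        return false;
    }
    // Fresh session id on login, so a stale or pre-set id is never reused.
    session_regenerate_id(true);
    $db->prepare('INSERT INTO sessiontable (userID, PHP_SID, sessionstatus) VALUES (?, ?, 1)')
       ->execute([$row['userID'], session_id()]);
    $_SESSION['userID'] = $row['userID'];   // the key only, never the password
    return true;
}

// Per-page check: the username comes from the db via the current session id,
// not from a cookie the client controls. Returns null when not logged in.
function currentUsername(PDO $db): ?string {
    $st = $db->prepare(
        'SELECT usertable.username FROM usertable
         INNER JOIN sessiontable ON usertable.userID = sessiontable.userID
         WHERE sessiontable.PHP_SID = ? AND sessiontable.sessionstatus = 1');
    $st->execute([session_id()]);
    $name = $st->fetchColumn();
    return $name === false ? null : $name;
}

function logout(PDO $db): void {
    // Mark the row inactive (sessionstatus = 2) rather than deleting it,
    // which keeps a record of the old session for later checks.
    $db->prepare('UPDATE sessiontable SET sessionstatus = 2 WHERE PHP_SID = ?')
       ->execute([session_id()]);
    $_SESSION = [];                                     // drop server-side data
    setcookie(session_name(), '', time() - 3600, '/');  // expire the session cookie
    session_destroy();
}
```

Because nothing user-identifying survives a logout in the session, the cookie, or the session table, a second login cannot "bring back" the previous user's settings.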

05-19-2004, 04:07 PM
well it's definitely NOT caching problems, time changed each time as expected.
Do you suggest I NOT use sessions at all but get it from db each time?
What I was being lazy about before, was writing out the whole "SELECT field1, field2 etc FROM tbl" thing over and over again for every little thing, whereas with the session i can just do it once and next time all i need to do to get any field i wanted is use $_SESSION[fieldname]
but if that's not a good way, then I'll just do it the other way, maybe that will fix this problem as well.