
Session Problems..



Tidus
02-08-2006, 01:02 PM
Hey guys,

Got a problem here that's really getting under my skin, I've had it for days!

I'm basically working on a user-authentication-based site, so users need to log in before being able to access it - the user data is stored in a MySQL DB..

Here's the problem..

User can log in fine the first time with username and password.. The sessions are working fine, however when the user logs out and tries to log in with a different username and password, 3 of the session variables stay the same as the old user?!

For example;
The 4 vars I store in sessions are
uid, username, password, emailaddress.

So when the user logs out and then logs back in with a different username and password, the site all works but is using the old user's details; the only thing that changes in the session is the email address... if you get me.

Here's my login and logout scripts.


session_start();
header("Cache-control: private");

// CHECK IF THERE IS A COOKIE
if (!isset($_COOKIE['info'])) {

    // NO COOKIE SO LETS LOGIN USING THE VARS PASSED FROM LOGIN
    $username1 = $_POST['username'];
    $password1 = $_POST['password'];

    // DB CONNECT HERE

    $query = "SELECT * FROM users WHERE username='$username1' AND password='$password1'";
    $result = mysql_query($query);
    $myrow = mysql_fetch_array($result);
    $uidc = $myrow["uid"];
    $usernamec = $myrow["username"];
    $passwordc = $myrow["password"];
    $emailaddressc = $myrow["emailaddress"];

    // NOW WE CAN CHECK IF THE USER IS IN THE DB
    if (mysql_numrows($result) == 1) {
        $_SESSION['username'] = $usernamec;
        $_SESSION['uid'] = $uidc;
        $_SESSION['password'] = $passwordc;
        $_SESSION['emailaddress'] = $emailaddressc;

        echo "<script language='JavaScript1.2' type='text/javascript'>
        top.parent.location = 'http://www.SITEHERE.com/main/?';
        </script>";

    } else {
        echo "WRONG INFO";
    }

}


The reason it looks so messy is because I've been trying to get it working..

Here is the logout script..


session_start();

unset($_SESSION[session_name()]);
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
}
session_destroy();

header("Location: http://www.xxxx.com/openindex.php");


If anyone can help please that would be great.. if you don't understand what I mean and want to see it in action just email me jholz@iinet.net.au and I'll show you what it's doing.

Thanks heaps!!

raf
02-08-2006, 01:43 PM
to destroy the session, just use



session_start();
setcookie(session_name(), '', time() - 420000);
session_unset();
session_destroy();


and add a print_r($_SESSION) at the top of your login page to see if a session still exists + what its content is

Tidus
02-08-2006, 01:48 PM
OKay the print_r is simply outputting.... Array()

Is that a good thing?

raf
02-08-2006, 01:53 PM
yes. that means that there are no session variables at that point (--> $_SESSION is just an empty array)

Tidus
02-08-2006, 01:54 PM
Okay then could you see any reason why, after logging in again with a different username and password, it is still coming up with the original username's details?!

It's so weird, I've never seen it before.

If you like I can show you exactly what's happening if you want to email jholz@iinet.net.au

raf
02-08-2006, 02:05 PM
isn't it the
if (!isset($_COOKIE['info'])) {
?

once the cookie is set, the select based on the entered username and pwd won't be executed.

try unsetting that cookie too on logout:


session_start();
setcookie(session_name(), '', time() - 420000);
setcookie('info', '', time() - 420000);
session_unset();
session_destroy();


by the way, your login procedure isn't really secure + you really shouldn't store the username and pwd in session variables...

Tidus
02-08-2006, 02:09 PM
thanks for that.

What would you suggest as being more secure.. this is only my first authentication site so any help would be appreciated :)

Tidus
02-08-2006, 02:11 PM
and by the way, that cookie thing didn't resolve the problem :(

raf
02-08-2006, 02:39 PM
for a more secure login --> do some searches here. There's plenty that you could add, but in any case, you'll need to do some searches for SQL injections and about hashing.

for the current problem: change your code to


session_start();
echo '<br />Session at top of script';
print_r($_SESSION);
header("Cache-control: private");

// CHECK IF THERE IS A COOKIE
if (!isset($_COOKIE['info'])) {

    // NO COOKIE SO LETS LOGIN USING THE VARS PASSED FROM LOGIN
    $username1 = $_POST['username'];
    $password1 = $_POST['password'];

    // DB CONNECT HERE

    $query = "SELECT * FROM users WHERE username='$username1' AND password='$password1'";
    $result = mysql_query($query);
    $myrow = mysql_fetch_array($result);
    echo '<br />Userdetails';
    print_r($myrow);
    $uidc = $myrow["uid"];
    $usernamec = $myrow["username"];
    $passwordc = $myrow["password"];
    $emailaddressc = $myrow["emailaddress"];

    // NOW WE CAN CHECK IF THE USER IS IN THE DB
    if (mysql_numrows($result) == 1) {
        $_SESSION['username'] = $usernamec;
        $_SESSION['uid'] = $uidc;
        $_SESSION['password'] = $passwordc;
        $_SESSION['emailaddress'] = $emailaddressc;
        /*
        echo "<script language='JavaScript1.2' type='text/javascript'>
        top.parent.location = 'http://www.SITEHERE.com/main/?';
        </script>";
        */
    } else {
        echo "WRONG INFO";
    }

}
echo '<br />Session at bottom of script';
print_r($_SESSION);


and post the output

Tidus
02-08-2006, 02:44 PM
Session at top of scriptArray ( [username] => Aviator [uid] => 3 [password] => boeing [emailaddress] => *EMAIL HERE* )
UserdetailsArray ( [0] => 3 [uid] => 3 [1] => Aviator [username] => Aviator [2] => David [fname] => David [3] => EMAIL HERE [emailaddress] => EMAIL HERE [4] => boeing [password] => boeing [5] => member [status] => member [6] => -20 [mpoints] => -20 [7] => + 10 [t_hour] => + 10 [8] => [country] => [9] => + 0 [t_min] => + 0 [10] => [enablememberpm] => [11] => [disablepm] => [12] => [enableemailpm] => [13] => [pminsight] => [14] => [pmallowance] => [15] => 200602081337 [lastactive] => 200602081337 [16] => [tcstarter] => [17] => 8587d16ebfb859fb492320134dde8b3f [sessid] => 8587d16ebfb859fb492320134dde8b3f [18] => /main/index.php? [lastpage] => /main/index.php? )
Session at bottom of scriptArray ( [username] => Aviator [uid] => 3 [password] => boeing [emailaddress] => *EMAILHERE*)

raf
02-08-2006, 02:59 PM
you first need to pass the logout page (so that the session is destroyed) before logging in.
The output should then look like

Session at top of scriptArray ()
UserdetailsArray (...

Tidus
02-08-2006, 03:02 PM
hahahaha obviously.. oops

Session at top of scriptArray ( )
UserdetailsArray ( [0] => 3 [uid] => 3 [1] => Aviator [username] => Aviator [2] => David [fname] => David [3] => addy [emailaddress] => addy [4] => boeing [password] => boeing [5] => member [status] => member [6] => -20 [mpoints] => -20 [7] => + 10 [t_hour] => + 10 [8] => [country] => [9] => + 0 [t_min] => + 0 [10] => [enablememberpm] => [11] => [disablepm] => [12] => [enableemailpm] => [13] => [pminsight] => [14] => [pmallowance] => [15] => 200602081337 [lastactive] => 200602081337 [16] => [tcstarter] => [17] => 8587d16ebfb859fb492320134dde8b3f [sessid] => 8587d16ebfb859fb492320134dde8b3f [18] => /main/index.php? [lastpage] => /main/index.php? )
Session at bottom of scriptArray ( [username] => Aviator [uid] => 3 [password] => boeing [emailaddress] => addy )

raf
02-08-2006, 03:04 PM
so, are
[username] => Aviator
[uid] => 3
[password] => boeing
[emailaddress] => addy

the correct userdetails?

Tidus
02-08-2006, 03:06 PM
that's correct... but just say I close the window then, open up a new one and load the session vars on the index page, this happens.

bf7d644ced90cc994aa8710411faa144Array ( [username] => [uid] => [password] => [emailaddress] => emailhere )

the email addy was the only thing thats there?

Tidus
02-08-2006, 03:07 PM
oops just ignore the session id before the array there

raf
02-08-2006, 03:43 PM
if the users don't use the logout-page, then there is no bulletproof way to destroy the sessions.

the only thing you need to take care of is then destroying the session before processing the login, or to replace all session values after the login.
If [emailaddress] is set to the correct value after you processed the login, then I don't really see what problem this could cause...
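As an added example (not code from the thread or from either poster), here is what the login/logout pair could look like once raf's advice from earlier in the thread and from his last reply is applied: a prepared statement instead of interpolating the POST values into the SQL, a stored password hash instead of a plaintext comparison, every previous session value replaced and the session id regenerated before the new user's values are stored, only uid/username/email kept in the session (no password), and the extra 'info' cookie cleared on logout. The PDO connection details, the paths, the column name password_hash (a password_hash() string written at registration) and PHP 7.3+ for the session cookie options are all assumptions; uid, username and emailaddress are the poster's own column names.

```php
<?php
// auth.php (added example, not the thread's code): shared login/logout logic.
// Assumes a table `users` with columns uid, username, password_hash, emailaddress,
// where password_hash was produced by password_hash($plain, PASSWORD_DEFAULT).
declare(strict_types=1);

function db(): PDO
{
    // DSN, user and password are placeholders; adjust for your environment.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=SITEDB;charset=utf8mb4', 'DBUSER', 'DBPASS', [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        ]);
    }
    return $pdo;
}

function startSession(): void
{
    session_start([
        'cookie_httponly' => true,   // cookie not readable from JavaScript
        'cookie_samesite' => 'Lax',  // PHP 7.3+ option (assumption)
        'use_strict_mode' => true,   // refuse session ids the server did not issue
    ]);
}

// Wipe every session value, the session cookie and the poster's 'info' cookie.
// This is raf's logout sequence; without clearing 'info' the login branch
// `if (!isset($_COOKIE['info']))` is skipped on the next visit.
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    setcookie('info', '', time() - 42000, '/');
    session_destroy();
}

// Returns true and populates $_SESSION on success, false otherwise.
function login(string $username, string $password): bool
{
    // Prepared statement: the username is bound as data, never spliced into
    // the SQL text, so quote characters in the input cannot change the query.
    $stmt = db()->prepare(
        'SELECT uid, username, password_hash, emailaddress FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash; the plaintext password is never stored.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Replace all previous session values and rotate the session id, so nothing
    // from the previous user survives (the thread's symptom) and a session id
    // handed out before authentication is not kept after it.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['uid']          = (int) $row['uid'];
    $_SESSION['username']     = $row['username'];
    $_SESSION['emailaddress'] = $row['emailaddress'];
    // Deliberately no $_SESSION['password']; pages needing more data re-read by uid.
    return true;
}

// Usage from the two entry points (paths are assumptions):
//
// login.php:
//   require 'auth.php'; startSession();
//   if (login((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''))) {
//       header('Location: /main/');
//   } else {
//       echo 'WRONG INFO';
//   }
//   exit;
//
// logout.php:
//   require 'auth.php'; startSession(); endSession();
//   header('Location: /openindex.php'); exit;
```

Because login() starts by emptying $_SESSION and regenerating the id, it behaves correctly even when a user never visited the logout page (the case raf says cannot be handled on the server side alone): whatever the old session held is discarded before the new user's values are written.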


