#1 o0katz0o

    session and cookie problem

    grr, I am just so stumped with this one.
    I have a login form on my site and when you log in, it records your username and password into a session and a cookie. Now, I also have an option that lets you log out, which deletes the cookie and the session, but for some reason when I log back in with a different username/password, it keeps bringing up the settings of my previous cookie and session, which was deleted. I tested many things: 1) the cookie and session ARE deleted when logout is pressed, I tested with an echo. 2) when I log in with a new username, it DOES record the new username/password to cookie and session, once again I have tested this with echo. HOWEVER, once the page refreshes, it goes right back to the previous username login.
    I don't understand what is happening.
    ?? any suggestions?

    [edit]:
    after more testing, the session and cookie values seem to be different, this is weird because I would close the browser, start a new window and the session value would STILL be on the previous login username and password. ???
    that isn't right

    [edit]
    ok, I'm freaking out now, haha, this just isn't making sense.
    the first time I load my page it displays the correct information
    no session, but cookie is correct
    second time I load the page
    session = cookie which is correct
    THIRD time I load the page
    session CHANGES to previous login info, and I have not put that info in, so how is it getting this info, when all I am doing is refreshing the page?
    Last edited by o0katz0o; 05-19-2004 at 01:51 PM.

  • #2 raf
    Why are you storing the username and pwd in a session and a cookie?

    They should not be stored in either of them. You should store a userID or something like that in there (the primary key value of your usertable, you validate the login-data against). Or even better: use a table where you store the userID and the PHP-sessionID. You can then look up the details like
    $sql="SELECT usertable.username FROM usertable INNER JOIN sessiontable ON usertable.userID = sessiontable.userID WHERE sessiontable.PHP_SID ='". session_id() . "' AND sessiontable.sessionstatus=1";

    the session.sessionstatus=1 then means that it's an active session.
    When the user logs out, you can change the sessionstatus to 2 or whatever.
    When the user logs in, you can check against this table if he really is logged out --> if he doesn't have a record with session.sessionstatus=1.

    Storing username and pwd in sessions and cookie is a rather big and unnecessary security risk.


    Since we don't see any code, I can only assume that you had more than one browser window open, which keeps the session alive. Or the code you used isn't right.
    To kill the session, try this

    <?php
    // Resume the session first; there is nothing to destroy otherwise.
    session_start();
    // Tell the browser to drop the session cookie: empty value, expiry in the past, same path.
    setcookie( session_name() ,"",time()-42000,"/");
    // Drop it from this request's copy as well, so nothing below can re-read it.
    unset($_COOKIE[session_name()]);
    // Clear the session variables, then delete the server-side session data.
    session_unset();
    session_destroy();

    <edit>Since it seems to be related to the refreshing, I'd assume it's some sort of strange caching-problem, but my money would still be on some incorrect code. Display the timer() value or a datetime inside the page and then look if it gets updated each time you refresh + if it 'jumps back' on that third refresh.</edit>
    Last edited by raf; 05-19-2004 at 02:05 PM.
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html
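
The session-table approach raf describes, as an added example (not the poster's code, and written in Python with an in-memory sqlite3 database standing in for the PHP/MySQL original). Table and column names follow the query in the post; the status values 1 (active) and 2 (logged out) are the ones suggested above, and the session id is a constructed random token in place of PHP's session_id().

```python
import secrets
import sqlite3

ACTIVE, LOGGED_OUT = 1, 2   # sessionstatus values from the post


def setup():
    """Constructed schema: users plus the server-side session table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usertable (userID INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE sessiontable (PHP_SID TEXT PRIMARY KEY,
                                   userID INTEGER, sessionstatus INTEGER);
        INSERT INTO usertable VALUES (1, 'katz'), (2, 'raf');
    """)
    return db


def has_active_session(db, user_id):
    """raf's login-time check: does this user still hold an active row?"""
    row = db.execute("SELECT 1 FROM sessiontable WHERE userID=? AND sessionstatus=?",
                     (user_id, ACTIVE)).fetchone()
    return row is not None


def login(db, user_id):
    """Close any stale active row, then bind a fresh session id to the userID.
    Only the userID is stored; the username and password never leave the db."""
    if has_active_session(db, user_id):
        db.execute("UPDATE sessiontable SET sessionstatus=? WHERE userID=? AND sessionstatus=?",
                   (LOGGED_OUT, user_id, ACTIVE))
    sid = secrets.token_hex(16)          # stands in for a regenerated session_id()
    db.execute("INSERT INTO sessiontable VALUES (?, ?, ?)", (sid, user_id, ACTIVE))
    return sid


def current_user(db, sid):
    """The join from the post: the username behind this session id, if active."""
    row = db.execute(
        "SELECT usertable.username FROM usertable INNER JOIN sessiontable "
        "ON usertable.userID = sessiontable.userID "
        "WHERE sessiontable.PHP_SID=? AND sessiontable.sessionstatus=?",
        (sid, ACTIVE)).fetchone()
    return row[0] if row else None


def logout(db, sid):
    """Logout is a server-side state change; an old cookie alone can no longer log in."""
    db.execute("UPDATE sessiontable SET sessionstatus=? WHERE PHP_SID=?", (LOGGED_OUT, sid))
```

Because the lookup is keyed by session id and status, a stale cookie or session variable left over from the previous login cannot resurrect that user: the row is simply no longer active.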

  • #3 o0katz0o
    I don't understand what you mean by making a session table.
    Is it like when a new session starts, insert a row into the table with sessionid and userid info?
    Then do I delete it when the session ends?
    Why would it be a security risk if I stored username/password in cookies and sessions?
    I used them because it made passing user data from the table easier from page to page without making a million calls to the db. It just seemed the easy thing to do.

    [edit]
    I don't have more than one browser open now and it is still screwed up. Actually, after putting in your suggested method to remove the cookie and session, when I log out, it didn't log out at all, it kept switching between two different usernames but with the same password.
    I don't even know what error to look for?
    I tried searching for all $_SESSION['username']
    but there's nothing that looked out of place.
    Last edited by o0katz0o; 05-19-2004 at 02:39 PM.

  • #4 raf
    It's basically bad to store the username and pwd inside session variables or cookies, because they can then be disclosed to others. Certainly if you use a shared computer (universities, libraries etc), then your cookie can be read (after cracking if necessary) by the next users. Cookies can also simply be stolen. The session variables can be disclosed using session hijacking and cross site scripting. Certainly if you're on a server with register_globals=on.
    And besides the danger that they can be disclosed: I cannot think of a single situation where you'd need the username or pwd after the login.

    I've written a few apps where I do a login check + compare the user profile with the minimum required security profile for the requested page + selected parts of the page (menu, http-header details etc) from the db, and never noticed any problem with making selects for each requested page, so I don't understand your concern there. But feel free to do it your way.

    About your logout-problem. There is really not much sensible we can say about it, without seeing any code. I am 100% sure that the code I posted will destroy the session, because
    - I've used it without any problem;
    - you'll find almost the exact same code in the manual;
    - I've posted it here before and other people told me it worked.
    So I can only recommend you make sure you're not getting cached pages (for instance by printing the date and time etc).

  • #5 o0katz0o
    Well it's definitely NOT caching problems, time changed each time as expected.

    Do you suggest I NOT use sessions at all but get it from db each time?
    What I was being lazy about before, was writing out the whole "SELECT field1, field2 etc FROM tbl" thing over and over again for every little thing, whereas with the session I can just do it once and next time all I need to do to get any field I wanted is use $_SESSION[fieldname]
    but if that's not a good way, then I'll just do it the other way, maybe that will fix this problem as well.

