  1. #1
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Session Problems..

    Hey guys,

    Got a problem here that's really getting under my skin, I've had it for days!

    I'm basically working on a user authentication based site, so users need to login before being able to access it - the user data is stored in a mysql db..

    Here's the problem..

    User can login fine first time with username and password.. The sessions are working fine, however when the user logs out and tries to login with a different username and password, 3 of the session variables stay the same as the old user?!

    For example;
    The 4 vars I store in sessions are
    uid, username, password, emailaddress.

    So when the user logs out and then logs back in with a different username and password, the site all works but is using the old user's details, the only thing that changes in the session is the email address... if you get me.

    Here's my login and logout scripts.

    PHP Code:
    session_start();
    header("Cache-control: private");

    // CHECK IF THERE IS A COOKIE
    if (!isset($_COOKIE['info'])) {

        // NO COOKIE SO LETS LOGIN USING THE VARS PASSED FROM LOGIN
        $username1 = $_POST['username'];
        $password1 = $_POST['password'];

        // DB CONNECT HERE

        $query = "SELECT * FROM users WHERE username='$username1' AND password='$password1'";
        $result = mysql_query($query);
        $myrow = mysql_fetch_array($result);
        $uidc = $myrow["uid"];
        $usernamec = $myrow["username"];
        $passwordc = $myrow["password"];
        $emailaddressc = $myrow["emailaddress"];

        // NOW WE CAN CHECK IF THE USER IS IN THE DB
        if (mysql_numrows($result) == 1) {
            $_SESSION['username'] = $usernamec;
            $_SESSION['uid'] = $uidc;
            $_SESSION['password'] = $passwordc;
            $_SESSION['emailaddress'] = $emailaddressc;

            echo "<script language='JavaScript1.2' type='text/javascript'>
                top.parent.location = 'http://www.SITEHERE.com/main/?';
                </script>";
        } else {
            echo "WRONG INFO";
        }
    } // end of cookie check


    The reason it looks so messy is because I've been trying to get it working..

    Here is the logout script..

    PHP Code:
    session_start();

    unset($_SESSION[session_name()]);

    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) {
        // expire the session cookie
        setcookie(session_name(), '', time() - 42000, '/');
    }

    session_destroy();

    header("Location: http://www.xxxx.com/openindex.php");
    If anyone can help please that would be great.. if you don't understand what I mean and want to see it in action just email me jholz@iinet.net.au and I'll show you what it's doing.

    Thanks heaps!!

  • #2
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    to destroy the session, just use

    PHP Code:
    session_start();
    setcookie(session_name(), '', time() - 420000);
    session_unset();
    session_destroy();
    and add a print_r($_SESSION) at the top of your loginpage to see if a session still exists + what its content is
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #3
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Okay, the print_r is simply outputting.... Array()

    Is that a good thing?

  • #4
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    yes. that means that there are no sessionvariables at that point (--> $_SESSION is just an empty array)
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #5
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Okay then could you see any reason why after logging in again with a different username and password, it is still coming up with the original username's details?!

    It's so weird, I've never seen it before.

    If you like I can show you exactly what's happening if you want to email jholz@iinet.net.au

  • #6
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    isn't it the
    if (!isset($_COOKIE['info'])) {
    ?

    once the cookie is set, the select based on the entered username and pwd won't be executed.

    try unsetting that cookie too on logout:
    PHP Code:
    session_start();
    setcookie(session_name(), '', time() - 420000);
    setcookie('info', '', time() - 420000);
    session_unset();
    session_destroy();
    by the way, your loginprocedure isn't really secure + you really shouldn't store the username and pwd in sessionvariables...
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #7
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Thanks for that.

    What would you suggest as being more secure.. this is only my first authentication site so any help would be appreciated

  • #8
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts
    and by the way, that cookie thing didn't resolve the problem

  • #9
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    for a more secure login --> do some searches here. There's plenty that you could add, but in any case, you'll need to do some searches for sql-injections and about hashing.

    for the current problem: change your code to
    PHP Code:
    session_start();
    header("Cache-control: private"); // headers have to go out before any output
    echo '<br />Session at top of script';
    print_r($_SESSION);

    // CHECK IF THERE IS A COOKIE
    if (!isset($_COOKIE['info'])) {

        // NO COOKIE SO LETS LOGIN USING THE VARS PASSED FROM LOGIN
        $username1 = $_POST['username'];
        $password1 = $_POST['password'];

        // DB CONNECT HERE

        $query = "SELECT * FROM users WHERE username='$username1' AND password='$password1'";
        $result = mysql_query($query);
        $myrow = mysql_fetch_array($result);
        echo '<br />Userdetails';
        print_r($myrow);
        $uidc = $myrow["uid"];
        $usernamec = $myrow["username"];
        $passwordc = $myrow["password"];
        $emailaddressc = $myrow["emailaddress"];

        // NOW WE CAN CHECK IF THE USER IS IN THE DB
        if (mysql_numrows($result) == 1) {
            $_SESSION['username'] = $usernamec;
            $_SESSION['uid'] = $uidc;
            $_SESSION['password'] = $passwordc;
            $_SESSION['emailaddress'] = $emailaddressc;
            /*
            echo "<script language='JavaScript1.2' type='text/javascript'>
                top.parent.location = 'http://www.SITEHERE.com/main/?';
                </script>";
            */
        } else {
            echo "WRONG INFO";
        }
    } // end of cookie check
    echo '<br />Session at bottom of script';
    print_r($_SESSION);
    and post the output
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html
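
An added example, not code from any poster in this thread, of the points raised in posts #6 and #9: a bound-parameter query, a hashed password, only the uid kept in the session, and a logout that expires the session cookie. The table layout, function names and sample account are constructed, and an in-memory SQLite database accessed through PDO stands in for the MySQL database.

```php
<?php
// Added example. Schema, function names and the sample account are constructed;
// sqlite::memory: stands in for the thread's MySQL database.
declare(strict_types=1);

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT)');
    // Store only a salted hash of the password, never the password itself.
    $ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $ins->execute(['demo_user', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function login(PDO $db, string $username, string $password): bool {
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT uid, pwhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return false;
    }
    session_regenerate_id(true);               // fresh session id for the new identity
    $_SESSION = ['uid' => (int) $row['uid']];  // replace the array; keep no credentials in it
    return true;
}

function logout(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie with the same path and domain it was issued with.
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();
$db = make_demo_db();
$results = [
    'quote in username' => login($db, "demo_user' -- ", 'x'),
    'wrong password'    => login($db, 'demo_user', 'boeing'),
    'valid login'       => login($db, 'demo_user', 'correct horse'),
];
$after_login = $_SESSION;   // holds only the uid
logout();
var_dump($results, $after_login, $_SESSION);
```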

  • #10
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Session at top of scriptArray ( [username] => Aviator [uid] => 3 [password] => boeing [emailaddress] => *EMAIL HERE* )
    UserdetailsArray ( [0] => 3 [uid] => 3 [1] => Aviator [username] => Aviator [2] => David [fname] => David [3] => EMAIL HERE [emailaddress] => EMAIL HERE [4] => boeing [password] => boeing [5] => member [status] => member [6] => -20 [mpoints] => -20 [7] => + 10 [t_hour] => + 10 [8] => [country] => [9] => + 0 [t_min] => + 0 [10] => [enablememberpm] => [11] => [disablepm] => [12] => [enableemailpm] => [13] => [pminsight] => [14] => [pmallowance] => [15] => 200602081337 [lastactive] => 200602081337 [16] => [tcstarter] => [17] => 8587d16ebfb859fb492320134dde8b3f [sessid] => 8587d16ebfb859fb492320134dde8b3f [18] => /main/index.php? [lastpage] => /main/index.php? )
    Session at bottom of scriptArray ( [username] => Aviator [uid] => 3 [password] => boeing [emailaddress] => *EMAILHERE*)

  • #11
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    you first need to pass the logout page (so that the session is destroyed) before logging in.
    The output should then look like

    Session at top of scriptArray ()
    UserdetailsArray (...
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #12
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts
    hahahaha obviously.. oops

    Session at top of scriptArray ( )
    UserdetailsArray ( [0] => 3 [uid] => 3 [1] => Aviator [username] => Aviator [2] => David [fname] => David [3] => addy [emailaddress] => addy [4] => boeing [password] => boeing [5] => member [status] => member [6] => -20 [mpoints] => -20 [7] => + 10 [t_hour] => + 10 [8] => [country] => [9] => + 0 [t_min] => + 0 [10] => [enablememberpm] => [11] => [disablepm] => [12] => [enableemailpm] => [13] => [pminsight] => [14] => [pmallowance] => [15] => 200602081337 [lastactive] => 200602081337 [16] => [tcstarter] => [17] => 8587d16ebfb859fb492320134dde8b3f [sessid] => 8587d16ebfb859fb492320134dde8b3f [18] => /main/index.php? [lastpage] => /main/index.php? )
    Session at bottom of scriptArray ( [username] => Aviator [uid] => 3 [password] => boeing [emailaddress] => addy )

  • #13
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    so, are
    [username] => Aviator
    [uid] => 3
    [password] => boeing
    [emailaddress] => addy

    the correct userdetails?
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #14
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts
    That's correct... but just say I close the window then, open up a new one and load the session vars on the index page, this happens.

    bf7d644ced90cc994aa8710411faa144Array ( [username] => [uid] => [password] => [emailaddress] => emailhere )

    The email addy was the only thing that's there?

  • #15
    New Coder
    Join Date
    Aug 2002
    Posts
    66
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Oops, just ignore the session ID before the array there

