runnerjp Posted July 19, 2008
I have recently found a problem with my login... The thing is, if a user does not log out and exits the browser and tries to revisit it... for some reason the user can't enter the website with their correct usernames and passwords. The only way to stop it from working is if they go through the logout page... Is there any way I can somehow fix this?
teynon Posted July 19, 2008
Yes.
teynon Posted July 19, 2008
Point being, you need to post your code and elaborate more on your problem than saying: this doesn't work, can i fix it?
runnerjp Posted July 19, 2008
OK, sorry, I thought I did... OK, so here is my logout script:

```php
<?php
/**
 * logout
 *
 * Handles logouts
 *
 * @param none
 * @access public
 */
function logout()
{
    //session must be started before anything

    //if we have a valid session
    if ($_SESSION['logged_in'] == true) {
        //unset the sessions (all of them - array given)
        unset($_SESSION);
        //destroy what's left
        session_destroy();
    }

    //It is safest to set the cookies with a date that has already expired.
    if (isset($_COOKIE['cookie_id']) && isset($_COOKIE['authenticate'])) {
        /**
         * uncomment the following line if you wish to remove all cookies
         * (don't forget to comment or delete the following 2 lines if you decide to use clear_cookies)
         */
        //clear_cookies ();
        setcookie("cookie_id", '', time() - KEEP_LOGGED_IN_FOR, COOKIE_PATH);
        setcookie("authenticate", '', time() - KEEP_LOGGED_IN_FOR, COOKIE_PATH);
    }

    //redirect the user to the default "logout" page
    header("Location: " . REDIRECT_ON_LOGOUT);
}
?>
```

and my login script:

```php
<?php
ini_set('session.cookie_lifetime', 0);
ini_set('session.cache_expire', 0);
session_start();
header("Cache-control: private");
?><?php
require_once ( 'settings.php' );

if ( array_key_exists ( '_submit_check', $_POST ) ) {
    if ( $_POST['username'] != '' && $_POST['password'] != '' ) {
        $query = 'SELECT ID, Username, Active, Password FROM ' . DBPREFIX . 'users'
               . ' WHERE Username = ' . $db->qstr ( $_POST['username'] )
               . ' AND Password = ' . $db->qstr ( md5 ( $_POST['password'] ) );

        $ip = $_SERVER['REMOTE_ADDR'];
        // escaped before being interpolated into the UPDATE statements below
        $user = mysql_real_escape_string ( $_POST['username'] );
        $date = date("m/d/Y g:i:s");
        mysql_query("UPDATE users SET ip = '$ip' WHERE username = '$user'");
        mysql_query("UPDATE users SET lastlog = '$date' WHERE username = '$user'");

        if ( $db->RecordCount ( $query ) == 1 ) {
            $row = $db->getRow ( $query );
            if ( $row->Active == 1 ) {
                set_login_sessions ( $row->ID, $row->Password, ( $_POST['remember'] ) ? TRUE : FALSE );
                header ( "Location: " . REDIRECT_AFTER_LOGIN );
            } elseif ( $row->Active == 0 ) {
                $error = 'Your membership was not activated. Please open the email that we sent and click on the activation link.';
            } elseif ( $row->Active == 2 ) {
                $error = 'You are suspended!';
            }
        } else {
            $error = 'Login failed!';
        }
    } else {
        $error = 'Please use both your username and password to access your account';
    }
}
?>
```

and

```php
/**
 * checkLogin
 *
 * Applies restrictions to visitors based on membership and level access
 * Also handles cookie based "remember me" feature
 *
 * @access public
 * @param string
 * @return bool TRUE/FALSE
 */
function checkLogin($levels)
{
    global $db;
    $kt = split(' ', $levels);

    if (!$_SESSION['logged_in']) {
        $access = false;

        if (isset($_COOKIE['cookie_id'])) { //if we have a cookie
            $query = 'SELECT * FROM ' . DBPREFIX . 'users WHERE ID = ' . $db->qstr($_COOKIE['cookie_id']);

            if ($db->RecordCount($query) == 1) { //only one user can match that query
                $row = $db->getRow($query);

                //let's see if we pass the validation, no monkey business
                if ($_COOKIE['authenticate'] == md5(getIP() . $row->Password . $_SERVER['USER_AGENT'])) {
                    //we set the sessions so we don't repeat this step over and over again
                    $_SESSION['user_id'] = $row->ID;
                    $_SESSION['logged_in'] = true;

                    //now we check the level access, we might not have the permission
                    if (in_array(get_level_access($_SESSION['user_id']), $kt)) {
                        //we do?! hooray!
                        $access = true;
                    }
                }
            }
        }
    } else {
        $access = false;

        if (in_array(get_level_access($_SESSION['user_id']), $kt)) {
            $access = true;
        }
    }

    if ($access == false) {
        header('Location: http://www.runningprofiles.com/members/error.php');
    }
}
?>
```

So basically I will try to explain again: if a user logs out or uses Clear Private Data in Firefox settings, they can log back onto the account... but if they leave the page without logging out, then on occasion when trying to log onto their account it will send them to the error page

```php
if ($access == false) {
    header('Location: http://www.runningprofiles.com/members/error.php');
}
```

until they visit the logout.php page... Does this help?
runnerjp Posted July 20, 2008
bump
unkwntech Posted July 20, 2008
First thing: in the logout script you have `//session must be started before anything`, but I don't see you actually start the session. Secondly, `unset($_SESSION);` is unnecessary.
runnerjp Posted July 20, 2008
Sorry, I must explain: the session start is included on the login main page I have set. This all works apart from the fact of users sometimes not being able to log in.
mga_ka_php Posted July 20, 2008
Debug your if statement in your function checkLogin to see whether your $access value is changed to true.
runnerjp Posted July 20, 2008
Sorry, confused.
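The checkLogin() posted in this thread builds the authenticate cookie as md5(getIP() . $row->Password . $_SERVER['USER_AGENT']), so the cookie value is derived from the stored password hash and stops matching whenever the value returned by getIP() changes. As an added example, not code from any poster in this thread: a remember-me token that is random, kept server-side only as a hash, compared with hash_equals() and discarded after one use. The $store array, the function names and REMEMBER_TTL are assumptions standing in for a database table and the site's own settings.

```php
<?php
// Added example, not code from the thread. $store is a stand-in (assumption)
// for a table holding: selector, sha256(validator), user_id, expires.
const REMEMBER_TTL = 1209600; // assumed lifetime: 14 days, in seconds

// Create a token for a user who ticked "remember me"; returns the cookie value.
function issueRememberToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));  // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $store[$selector] = [
        'hash'    => hash('sha256', $validator),
        'user_id' => $userId,
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// Return the user id for a valid cookie value, or null.
// The stored token is deleted on every lookup: single use on success,
// invalidated on a failed or expired attempt.
function checkRememberToken(array &$store, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);
    $valid = $row['expires'] >= time()
        && hash_equals($row['hash'], hash('sha256', $validator));
    return $valid ? $row['user_id'] : null;
}

// Constructed demo values: user id 42, one token, three presentations.
$store  = [];
$cookie = issueRememberToken($store, 42);
var_dump(checkRememberToken($store, $cookie)); // first return visit
var_dump(checkRememberToken($store, $cookie)); // same cookie presented again
var_dump(checkRememberToken($store, 'bogus')); // malformed cookie value
```

When the check returns null, the caller should expire the cookie with setcookie() and show the login form; on success it should call session_regenerate_id(true), set the session variables and issue a fresh token.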