(little) login problem with a usersystem

[VenomLeon]

Hello! I'm currently adding a usersystem to my website, which i've build up from a tutorial. Everything is working well, except for one thing: logging in at once. After filling the Username and Password form, the area of which these 2 forms are in, changes into a menu for members, however this isnt always the case. Even after it says that the loggin in is complete (one which then the script will send you to another page), you'll keep on seeing the login form  .

 

But i've noticed that when I go to www.website.com/logout.php?logout without being logged in, and THEN try logging in, it works =S, al least untill i logged myself out and try to log in again. I hope you can understand what i'm trying to say. I've even let some of my friends try the system out on the website. Registering theirselfs goes perfectly, but logging in does not.. It is funny that the Who's Online feature does show the username(s), despite not being "fully" logged in.

 

I personally think that the problem lies somewhere in my config.php.. these are my codes (if usefull):

 

login.php

<?php 
session_start(); //allows session 
include "config.php"; 

if($logged[id]) { 
//welcomes the member 
echo "Welcome $logged[username]<br><br>"; 
//shows the user menu 
$new = mysql_query("select * from pmessages where unread = 'unread' and touser = '$logged[username]'"); 
$new = mysql_num_rows($new);
echo " 
- <a href='welcome.php'>Members Page</a><br>
- <a href='members.php'>View Members</a><br>
- <a href='editprofile.php'>Edit Profile</a><br>  
- <a href='messages.php'>Private Messages ($new New)</a><br>
- <a href='newfriends.php'>Friend Requests</a><br>
- <a href='changepassword.php'>Change Password</a><br>
- <a href='logout.php?logout'>Logout</a>"; 
}else 
//if there trying to login 
if(isset($_GET['login'])) { 
//removes sql injections from the data 
$username= htmlspecialchars(addslashes($_POST[username]));  
//encrypts the password 
$password = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST[password])))))))); 
//gets the username data from the members database 
$uinfo = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());  
//see if the user exists 
$checkuser = mysql_num_rows($uinfo); 
//if user name not found in database error 
if($checkuser == '0') 
{ 
echo "Username not found"; 
}else{ 
//fetch the sql 
$udata = mysql_fetch_array($uinfo); 
//checks see if the account is verified 
if($udata[userlevel] == 1) {  
echo "This account had not been verified."; 
} 
//if it is continue 
else 
//if the db password and the logged in password are the same login 
if($udata[password] == $password) { 
$query = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());  
//fetchs the sql 
$user = mysql_fetch_array($query);
$last_date = date("l, F j, Y h:i A");
$update = mysql_query("UPDATE `members` SET `last_seen` = '$last_date' WHERE `username` = '$user[username]' AND `id` = '$user[id]';") or die(mysql_error()); 
//sets the logged session 
$_SESSION['id'] = "$user[id]"; 
$_SESSION['password'] = "$user[password]"; 

echo "You are now logged in, Please wait. . ."; 
//redirects them 
echo "<meta http-equiv='Refresh' content='2; URL=welcome.php'/>"; 
} 
//wrong password 
else{ 
echo "Incorrect username or password!";  
} 
} 
}else{ 
//If not the above show the login form 
echo "<form action='login.php?login' method='post'> 
<table width='200'> 
  <tr> 
    <td width='120'>Username:</td> 
    <td width='180'><input type='text' name='username' size='17' maxlength='50'></td> 
  </tr> 
  <tr> 
    <td>Password:</td> 
    <td><input type='password' name='password' size='17' maxlength='50'></td> 
  </tr> 
    <tr> 
    <td colspan='2'><input type='submit' value='Login'></td> 
  </tr> 
</table> 
</form>
<a href='register.php'>Register to DE!</a> <strong>::</strong> <a href='forgotpass.php'>Forgot Password</a> <strong>::</strong> <a href='members.php'>View Members</a>";
} 
?>

 

config.php

<?  
session_start(); //allows session 

$conn = mysql_connect("localhost","douglas7","140987");  
mysql_select_db(members) or die(mysql_error());  

$logged = MYSQL_QUERY("SELECT * FROM `members` WHERE `id` = '$_SESSION[id]' AND `password` = '$_SESSION[password]'");  
$logged = mysql_fetch_array($logged);  

//some server details, don't edit! 
$host = $_SERVER['HTTP_HOST']; 
$self = $_SERVER['PHP_SELF']; 

//change this to your site name 
$sitename = "Douglas Elemex"; 

//Send emails or not (email activation). 1 = true, 0 = false 
$semail = "1"; 

$logout_time = 200; //mili seconds to stay logged in 
$current = time(); //current time 
$offline = ($current - $logout_time); //do the math for the logout time 
if($logged[username]){ //if they are logged in 
    $update = mysql_query("UPDATE `members` SET `online` = '$current' WHERE `username` = '$logged[username]';"); //update their status 
} //end the check and such 
?>

 

I really dont know how to solve this, but I would love to hear how, so i hope to find my help here.

I got the usersystem from here: http://rmb-scripting.com/tutorials.php?tutorial&tid=58&page=1

 

Thanks in advance!

[nonexistentera]

Not that this would be the case, but your config.php file has the logged in time to 200 miliseconds.

 

$logout_time = 200; //mili seconds to stay logged in 
$current = time(); //current time 
$offline = ($current - $logout_time); //do the math for the logout time 

So it seems that your database knows that they are logged in, but the Session thinks they are only logged in for 200 miliseconds, so once they log in, they are automatically logged out once the script is done executing.

I would just experiment with changing it to something higher.

[VenomLeon]

Heey tried your suggestion, but with no luck. This part:

$logout_time = 200; //mili seconds to stay logged in 
$current = time(); //current time 
$offline = ($current - $logout_time); //do the math for the logout time 
if($logged[username]){ //if they are logged in 
    $update = mysql_query("UPDATE `members` SET `online` = '$current' WHERE `username` = '$logged[username]';"); //update their status 
} //end the check and such 

 

was ment for the users online add-on for the usersystem, but i've removed that one untill i've got the system working 100%, so the config.php page nog looks like this (original code):

<?php  
session_start(); //allows session 

$conn = mysql_connect("localhost","xxxxxx","xxxxxx");  
mysql_select_db(members) or die(mysql_error());  

$logged = MYSQL_QUERY("SELECT * FROM `members` WHERE `id` = '$_SESSION[id]' AND `password` = '$_SESSION[password]'");  
$logged = mysql_fetch_array($logged);  

//some server details, don't edit! 
$host = $_SERVER['HTTP_HOST']; 
$self = $_SERVER['PHP_SELF']; 

//change this to your site name 
$sitename = "Douglas Elemex"; 

//Send emails or not (email activation). 1 = true, 0 = false 
$semail = "1";
?> 

 

I think the problem lies within the sessions when someone's logged in or logged out (since logging in only works when first visiting logout.php (what should destroy the session), and then trying to log in, though this is only the case after you closed the browser after being logged in and then out (by yourself)).

 

session code in login.php:

//sets the logged session 
$_SESSION['id'] = "$user[id]"; 
$_SESSION['password'] = "$user[password]"; 

 

logout.php:

<?php 
session_start(); //allows session 
include "config.php"; 
//checks there trying to logout 
if(isset($_GET['logout'])) { 
//deletes the sessions 
unset($_SESSION['id']); 
unset($_SESSION['password']); 
//loggedout message 
echo "You are now logged out. Redirecting you to homepage.."; 
//redriects them to index
echo "<meta http-equiv='Refresh' content='2; URL=http://www.douglas-elemex.net'/>";
} 
?>

 

Maybe the logout doesnt destroy the session that well..? ???

[nonexistentera]

From what I know about sessions, you have to call

session_destroy(); 

which will remove all data registered to a session.

Try

 

<?php 
session_start(); //allows session 
include "config.php"; 
//checks there trying to logout 
if(isset($_GET['logout'])) { 
//deletes the sessions 
unset($_SESSION['id']); 
unset($_SESSION['password']); 
session_destroy(); //RIGHT HERE
//loggedout message 
echo "You are now logged out. Redirecting you to homepage.."; 
//redriects them to index
echo "<meta http-equiv='Refresh' content='2; URL=http://www.douglas-elemex.net'/>";
} 
?>

I see that it unsets it, but to my knowledge, session_destroy(); should remove anything else that may be lingering.

If not, we will try something else

[VenomLeon]

this does work, thanks! but after i log out & close the browser, and then try logging in it still wont log me in (i still would have to go to the "logout.php?logout" in order to log in first). If i log out and log in again while not closing the browser the logging in does work. Maybe the login contains some error of not completing the logging in of a member  :-\

[VenomLeon]

Heey the problem is fixed!

It seemed that i had the Head-part still hanging around in the login.php file, causing it to work weird, because its included to other pages who have their own Head. But i'll keep the session_destroy(); on the logout.php, just in case

 

Thanks for helping out, nonexistentera .. i'll post my website here in the forum when it's done ^^

[nonexistentera]

No problem.

I get helped, and I give help.

Glad to see you found the problem though. Good Job