Cookies and Sessions

[DanielHardy]

HI,

I have succesfully set up my login and register elements in my site and it links to the database perfectly. However, I have a members area page where the users sign in. The user can log in fine. At the moment if a logged in user clicks back on the members area page, they are prompted to log in again. Therefore it forgets the user as I have no sessions in place. Here is the code for my Login.php and register.php pages.

 

 

Login.php:

 

 

<?php

 

 

 

$dbhost = "localhost";

$dbname = "wyrleyjuniors";

$dbuser = "root";

$dbpass = "";

 

 

 

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());

mysql_select_db($dbname) or die(mysql_error());

 

session_start();

$username = $_POST['username'];

$password = md5($_POST['password']);

 

$query = "select * from users where username='$username' AND password='$password'";

 

$result = mysql_query($query);

 

if (mysql_num_rows($result) != 1) {

$error = "Bad Login";

include "WyrleyJuniorsDatabaseLogin.html";

 

} else {

$_SESSION['username'] = "$username";

include "memberspage.php";

}

 

setcookie("username", $row_user['username'], time()+36000);

setcookie("password", $row_user['password'], time()+36000);

 

?>

 

 

 

....And the Register.php page:

 

 

<?PHP

 

session_start();

 

 

//Database Information

 

$dbhost = "localhost";

$dbname = "wyrleyjuniors";

$dbuser = "root";

$dbpass = "";

 

//Connect to database

 

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());

mysql_select_db($dbname) or die(mysql_error());

 

 

$name = $_POST['name'];

$email = $_POST['email'];

$username = $_POST['username'];

$password = md5($_POST['password']);

 

// lets check to see if the username already exists

 

$checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");

 

$username_exist = mysql_num_rows($checkuser);

 

if($username_exist > 0){

echo "<b>I'm sorry but the username you specified has already been taken. Please pick another one.</b>";

unset($username);

include 'WyrleyJuniorsDatabaseRegister.html';

exit();

}

 

// lf no errors present with the username

// use a query to insert the data into the database.

 

$query = "INSERT INTO users (name, email, username, password)

VALUES('$name', '$email', '$username', '$password')";

mysql_query($query) or die(mysql_error());

mysql_close();

 

echo "<b>You have successfully Registered";

 

?>

 

 

As you can see I have tried to set cookies in the login script. Is this in the wrong place, wrong code altogether?

 

Any ideas on how I can reach my aim? I'm sure it's fairly simple to achieve but I'm new and learning

 

Thanks in advance

 

Dan

[flyhoney]

I dont see where you are checking to see if they are already logged in or not.  After you validate their username and password, you do this:

 

$_SESSION['username'] = "$username";

 

So you need to check at the top of your login script if they are already logged in:

 

Login.php

<?php
if (isset($_SESSION['username'])) {
    // user is logged in
} else {
    // do login stuff here
}
?>

 

Also, you may want to consider using header() to redirect to your 'memberspage.php' page instead of including it.

[NSW42]

something like below for cookie set

 

 

 

if($_COOKIE['username']=="" AND $_COOKIE['password']=="") 

 

 

 

setcookie("username","$_POST[username]",time()+3600);

setcookie("password","$md5_password",time()+3600);

[sKunKbad]

One thing worth mentioning, because I have been working on a login script lately, is that your login script does not address any of the common security vulnerabilities that are common to login scripts, and php/mysql for that matter. You've got a lot of work ahead of you if you really want something that is secure. If security isn't critical, you should at least protect your database by using mysql_real_escape_string on the variables that are in your queries.

 

You might take a look at my previous posts. Within the last week I have been posting regarding a login script that I made, and it might give you some ideas.

[DanielHardy]

Hi thanks to all for your help. The sessions is doing something in that it doesnt automatically return back and prompt the user to login. Here is my new code:

 

 

<?php

 

 

session_start();

if (!isset($_SESSION['username']))

{

header ("Location: WyrleyJuniorsDatabaseLogin.php");

 

}

else

{

header ("Location: memberspage.php");

setcookie("username","$_POST[username]",time()+3600);

setcookie("password","$md5_password",time()+3600);

 

}

 

 

$dbhost = "localhost";

$dbname = "wyrleyjuniors";

$dbuser = "root";

$dbpass = "";

 

 

 

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());

mysql_select_db($dbname) or die(mysql_error());

 

 

 

$query = "select * from users where username='$username' AND password='$password'";

 

$result = mysql_query($query);

 

if (mysql_num_rows($result) != 1) {

$error = "Bad Login";

    include "WyrleyJuniorsDatabaseLogin.html";

 

} else {

    $_SESSION['username'] = "$username";

    include "memberspage.php";

 

}

 

 

 

 

 

 

?>

 

Anyone got any comments on what might or could be going wrong here?

 

 

[DanielHardy]

Just ran the script above again and I am now getting the following message:

 

 

Redirect Loop

 

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

 

The browser has stopped trying to retrieve the requested item. The site is redirecting the request in a way that will never complete.

 

    * Have you disabled or blocked cookies required by this site?

    * NOTE: If accepting the site's cookies does not resolve the problem, it is likely a server configuration issue and not your computer.

 

 

Any ideas why people?

 

Thanks

[sKunKbad]

That error is telling you that you are redirecting to a page that is redirecting to itself, again and again infintely.