Ok well I use session variables all the time, and for some reason I can't get one to work for my new login page. If the login was incorrect, it sets a value to the session variable $_SESSION['invalid_login'] then uses header() to send the person back and that page displays "Invalid Login" then unset()'s that session variable if it's not null.

The problem is, I can't, for the life of me, get that variable over to that page. Both pages have session_start(); as the second line. The login script(s) on my site are fairly simple and straightforward and I don't see anywhere there might be a session destroy. I've tried echo'ing that session variable then typing in a wrong login and it kicks me back to the login page but I'm not getting anything from echo'ing it, and it isn't saying invalid login.

Code for the page that checks and rejects bad logins:

<?php
if ( $password == $row['password'] )
{
	//stuff for correct login
}
else
{
	//_____( login was incorrect, set session var and send them back )_____\\

	include("badlog.php");         //updates 'last_visit' timestamp in ip log table\\
	$_SESSION['invalid_login'] = 'yes';
	header("Location: http://www.mysite.org");
}
?>

and this is the code for the login page:

<?php
if ( $_SESSION['invalid_login'] == 'yes' )
{
	echo 'Invalid Login';
	unset($_SESSION['invalid_login']);
}
?>

I double checked all of my include() function files to see that they don't have anything in them that would affect that variable.  Any ideas what I'm doing wrong?  Thanks ahead of time.

put this on both pages:

print session_id();

and see if they are different sessions

they were both the same: ead660ceccf21d660aea58975b1e6ad1

I went ahead and switched to $_GET for now, I just hate that I can't unset it so when I page refresh it still says invalid login. Not a huge deal but it's definitely annoying.

what happens with this:

<?php
if ( $password == $row['password'] )
   {
      //stuff for correct login
   }
else
   {
      //_____( login was incorrect, set session var and send them back )_____\\

//      include("badlog.php");         //updates 'last_visit' timestamp in ip log table\\
      $_SESSION['invalid_login'] = 'yes';
      print "Session ID: ".session_id()."<br><pre>";
      print_r($_SESSION);
      print '</pre><a href="/">Continue</a>';
      exit;
//      header("Location: http://www.mysite.org");
   }
?>

and

<?php
print "Session ID: ".session_id()."<br><pre>";
print_r($_SESSION);
print '</pre>';
if ( $_SESSION['invalid_login'] == 'yes' )
   {
      echo 'Invalid Login';
      exit;
      unset($_SESSION['invalid_login']);
   }
?>

heya, just plugged that stuff in and this is what I got:

when I first hit my site:

Session ID: 09e46b92f66f22c4a438606aadddeae8
Array
(
)

on the page that checks the login info:

Session ID: 09e46b92f66f22c4a438606aadddeae8
Array
(
    [invalid_login] => yes
)
Continue

and finally back to the login page:

Session ID: 09e46b92f66f22c4a438606aadddeae8
Array
(
)

update: and I made sure to click your 'continue' link to get back to the first page

I do need to add that my domain name is pointing to a subdomain on my webhost, I'm not sure if this screws anything up with session variables or not, I wouldn't think so because I can use the login and the rest of my pages recognize my $_SESSION['auth'] = 'yes'; session variable.

ok...then something before this code is messing with it...what is the code above it?

<?php
session_start();
echo '<html><head>.......html crap, mostly tables with the input forms but no php at all';

print "Session ID: ".session_id()."<br><pre>";
print_r($_SESSION);
print '</pre>';
if ( $_SESSION['invalid_login'] == 'yes' )
   {
      echo 'Invalid Login';
      exit;
      unset($_SESSION['invalid_login']);
   }
echo '
</center>
</body>
</html>';
?>

and code for the login page:

<?php
session_start();
include("../../l_i_f2.php");
$cxn = mysqli_connect($host, $user,$passwd,$dbname) or die ("Unable to establish a connection with the MySQL Server.");

//____________( includes my scrubber function to clean, detag, and escape the login data )___________\\
include("../filter.php");
$loginn = scrubber($_POST['name'], $cxn); 
$pword = scrubber($_POST['password'], $cxn);

include("../../saltine.php");
include("../../cracker.php");
$pass2 = md5($pword);
$password2 = sha1($saltine.$pass2.$cracker);

//____________( loads all data from the row that matches the username from Member table in the db )___________\\
$query = "SELECT password, permissions FROM Member WHERE loginname='$loginn'";
$result = mysqli_query($cxn, $query);
$row = mysqli_fetch_assoc($result);

//____________( if block that checks the user info vs what's in the database )___________\\
if ( $password2 == $row['password'] )
{

	//____________( if login check OK, it sets "logged in" variable ['auth'] to "yes", saves loginname and permissions to session variables for later use )___________\\
	$_SESSION['auth']="yes";
	$_SESSION['logname']= $loginn;
	$_SESSION['permissions']= $row['permissions'];
	$_SESSION['firstname'] = $row['firstname'];

	//____________( this sends the client to the "main" page )___________\\
	header("Location: display.php");
}
else
{
	//____________( login was incorrect, set session var and send them back )___________\\
	//include("badlog.php");         //updates 'last_visit' timestamp in ip log table//
	$_SESSION['invalid_login'] = 'yes';
	print "Session ID: ".session_id()."<br><pre>";
	print_r($_SESSION);
	print '</pre><a href="/">Continue</a>';
	exit;
}
?>

Run a phpinfo on your site.

Check this portion:

session

Session Support                   enabled
Registered save handlers          files user

Directive                         Local Value   Master Value
session.auto_start                Off           Off
session.bug_compat_42             On            On
session.bug_compat_warn           On            On
session.cache_expire              180           180
session.cache_limiter             nocache       nocache
session.cookie_domain             no value      no value
session.cookie_lifetime           0             0
session.cookie_path               /             /
session.cookie_secure             Off           Off
session.entropy_file              no value      no value
session.entropy_length            0             0
session.gc_divisor                100           100
session.gc_maxlifetime            1440          1440
session.gc_probability            1             1
session.name                      PHPSESSID     PHPSESSID
session.referer_check             no value      no value
session.save_handler              files         files
session.save_path                 /tmp          /tmp
session.serialize_handler         php           php
session.use_cookies               On            On
session.use_only_cookies          Off           Off
session.use_trans_sid             Off           On

And report back what the values are.

Session Support                   enabled
Registered save handlers          files user sqlite
Registered serializer handlers    php php_binary wddx

Directive                         Local Value   Master Value
session.auto_start                Off           Off
session.bug_compat_42             On            On
session.bug_compat_warn           On            On
session.cache_expire              180           180
session.cache_limiter             nocache       nocache
session.cookie_domain             no value      no value
session.cookie_httponly           Off           Off
session.cookie_lifetime           0             0
session.cookie_path               /             /
session.cookie_secure             Off           Off
session.entropy_file              no value      no value
session.entropy_length            0             0
session.gc_divisor                100           100
session.gc_maxlifetime            3600          3600
session.gc_probability            1             1
session.hash_bits_per_character   4             4
session.hash_function             0             0
session.name                      PHPSESSID     PHPSESSID
session.referer_check             no value      no value
session.save_handler              files         files
session.save_path                 no value      no value
session.serialize_handler         php           php
session.use_cookies               On            On
session.use_only_cookies          Off           Off
session.use_trans_sid             0             0

the only thing I can think of is one of those includes...on your login page...at the top....add some stuff so it looks like this:

<?php
session_start();
$_SESSION['invalid_login'] = 'yes';
print "Session ID: ".session_id()."<br><pre>";
print_r($_SESSION);
print '</pre><a href="/">Continue</a>';
exit;


include("../../l_i_f2.php");
$cxn = mysqli_connect($host, $user,$passwd,$dbname) or die ("Unable to establish a connection with the MySQL Server.");

//____________( includes my scrubber function to clean, detag, and escape the login data )___________\\
include("../filter.php");
$loginn = scrubber($_POST['name'], $cxn); 
$pword = scrubber($_POST['password'], $cxn);

include("../../saltine.php");
include("../../cracker.php");
$pass2 = md5($pword);
$password2 = sha1($saltine.$pass2.$cracker);

//____________( loads all data from the row that matches the username from Member table in the db )___________\\
$query = "SELECT password, permissions FROM Member WHERE loginname='$loginn'";
$result = mysqli_query($cxn, $query);
$row = mysqli_fetch_assoc($result);

//____________( if block that checks the user info vs what's in the database )___________\\
if ( $password2 == $row['password'] )
   {

      //____________( if login check OK, it sets "logged in" variable ['auth'] to "yes", saves loginname and permissions to session variables for later use )___________\\
      $_SESSION['auth']="yes";
      $_SESSION['logname']= $loginn;
      $_SESSION['permissions']= $row['permissions'];
      $_SESSION['firstname'] = $row['firstname'];
      
      //____________( this sends the client to the "main" page )___________\\
      header("Location: display.php");
   }
else
   {
      //____________( login was incorrect, set session var and send them back )___________\\
      //include("badlog.php");         //updates 'last_visit' timestamp in ip log table//
      $_SESSION['invalid_login'] = 'yes';
      print "Session ID: ".session_id()."<br><pre>";
      print_r($_SESSION);
      print '</pre><a href="/">Continue</a>';
      exit;
   }
?>
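The failed-login flag and redirect discussed in this thread, written out as an added example that is not code from any poster: the credential check uses a bound parameter and password_verify(), the session is written out and the script exits at the redirect, and the login page reads the flag once and clears it. It assumes PHP 7+ with pdo_sqlite; the in-memory SQLite table, the sample user row and the helper names handle_login() and take_invalid_login() are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Constructed stand-ins: an in-memory
// SQLite Member table (thread: MySQL) and password_hash() values (thread: md5/sha1).
declare(strict_types=1);

function handle_login(PDO $db, array $post): string
{
    $name = (string)($post['name'] ?? '');
    $pass = (string)($post['password'] ?? '');
    // Bound parameter: the login name is data, never part of the SQL text.
    $stmt = $db->prepare(
        'SELECT password, permissions, firstname FROM Member WHERE loginname = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row !== false && password_verify($pass, $row['password'])) {
        session_regenerate_id(true);       // fresh session ID once authenticated
        $_SESSION['auth'] = 'yes';
        $_SESSION['logname'] = $name;
        $_SESSION['permissions'] = $row['permissions'];
        $_SESSION['firstname'] = $row['firstname'];
        return 'display.php';
    }
    $_SESSION['invalid_login'] = 'yes';    // one-shot flag for the login page
    return '/';
}

// Login page side: report the flag once, then clear it.
function take_invalid_login(): bool
{
    $bad = ($_SESSION['invalid_login'] ?? '') === 'yes';
    unset($_SESSION['invalid_login']);
    return $bad;
}

$db = new PDO('sqlite::memory:');          // constructed sample data
$db->exec('CREATE TABLE Member (loginname, password, permissions, firstname)');
$db->prepare('INSERT INTO Member VALUES (?, ?, ?, ?)')->execute(
    ['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'user', 'Alice']);

session_start();
$target = handle_login($db, ['name' => 'alice', 'password' => 'wrong']);
session_write_close();                     // flush $_SESSION before redirecting
if (PHP_SAPI !== 'cli') {
    header('Location: ' . $target);
    exit;                                  // code after header() runs without this
}
session_start();                           // CLI only: stands in for the next request
var_dump($target, take_invalid_login(), take_invalid_login());
```

Under a web server the script redirects and exits; run with the PHP CLI, it reopens the session in place of the redirected request and dumps the redirect target followed by the flag read twice.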
