
Hi,

 

I have a login page which works perfectly. I am trying to create a change password page. As part of the validation on my page I want to check that the current hashed password and logged in user are correct. My problem seems to be with my session variable that stores my username.

 

On my login page I have the following, which sets it:

$_SESSION['username'] = $found_user['username'];

 

I tried echoing $_SESSION['username'] on the login page and it returns the expected result, though on my change password page it does not echo any value. The change password page does seem to be using my other session variables, as I check whether the user has admin rights by checking my $_SESSION['is_admin'] and that does work; it just seems not to find the username variable.

 

 

Any ideas?

https://forums.phpfreaks.com/topic/154025-need-help-with-a-session-varible/

is session_start(); at the top of the change password page?
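The question above is the right first check, and the original poster also says later that they do not know how to turn on error reporting. The snippet below is an added diagnostic written for this thread, not code from the poster or from the phpfreaks tutorial it is based on. It enables error reporting, guards session_start() so that including the file twice does not emit a notice, and returns a snapshot of what the current request can actually see in the session. It assumes PHP 5.4 or later (for session_status()); the function name session_snapshot() and the idea of logging the snapshot instead of echoing it are my own choices.

```php
<?php
// Added diagnostic, not the thread's code. Include it at the top of the page that
// "loses" the session value while debugging, then remove it again.

// Turn on error reporting: undefined-variable and "session already started"
// notices are exactly the hints needed here. Show errors in development only.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Starting a session twice emits a notice; guard it so include order does not matter.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

/**
 * Snapshot of the session as seen by this request, plus the settings that most
 * often explain "set on page A, empty on page B".
 *
 * @return array<string,mixed>
 */
function session_snapshot()
{
    // Keys whose value is '' or null: a key that is present but empty points at
    // code that overwrote it, not at a session that failed to resume.
    $emptyKeys = array_keys(array_filter($_SESSION, function ($v) {
        return $v === '' || $v === null;
    }));

    return array(
        'session_id'       => session_id(),
        'keys'             => array_keys($_SESSION),
        'empty_keys'       => $emptyKeys,
        // When register_globals is On (PHP < 5.4), $username and
        // $_SESSION['username'] alias each other, so "$username = ''" in
        // ordinary page code blanks the session entry as well.
        'register_globals' => (bool) ini_get('register_globals'),
        'save_path'        => session_save_path(),
        'cookie_params'    => session_get_cookie_params(),
    );
}

// Log the snapshot rather than echoing it, so session contents never end up in
// the HTML sent to the browser.
error_log('session snapshot: ' . json_encode(session_snapshot()));
```

If session_id() differs between the two pages, the session cookie is not being sent back (check the cookie path and domain in cookie_params). If the id is the same and the key appears under empty_keys, something in the page is overwriting the value after the session resumes.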

 

I do have it at the top of my page, but it is in a separate PHP file called sessions.php. I am requiring the file once at the top of my change password PHP file. This session file has other functions that check that the user has admin rights etc., which is working, as I check whether the user has admin rights before they can access it. This function is based on $_SESSION['is_admin'].

 

 

Not sure how to enable error reporting, but this is my code.

This is my session.php code:

<?php
session_start();

function logged_in() {
	return isset($_SESSION['user_id']);
}

function admin_user() {
	// Checks if the user is an admin user.
	return (isset($_SESSION['admin']) && $_SESSION['admin'] == "Y");
}

function confirm_logged_in() {
	if (!logged_in()) {
		redirect_to("login.php");
	}
}

function confirm_admin() {
	if (!admin_user()) {
		logout(true);
		//redirect_to("login.php");
	}
}
?>

 

change_pwd.php:

<?php require_once("includes/session.php"); ?>
<?php require_once("includes/connection.php"); ?>
<?php require_once("includes/functions.php"); ?>
<?php confirm_logged_in(); confirm_admin(); ?>
<?php

//if (logged_in()) {
//	redirect_to("staff.php");
//}

include_once("includes/form_functions.php");

// START FORM PROCESSING
if (isset($_POST['submit'])) { // Form has been submitted.
	$errors = array();

	// perform validations on the form data
	$required_fields = array('current_password', 'new_password', 'repeat_password');
	$errors = array_merge($errors, check_required_fields($required_fields, $_POST));

	$fields_with_lengths = array('current_password' => 30, 'new_password' => 30,  'repeat_password' => 30);
	$errors = array_merge($errors, check_max_field_lengths($fields_with_lengths, $_POST));

	$current_password = trim(mysql_prep($_POST['current_password']));
	$new_password = trim(mysql_prep($_POST['new_password']));
	$repeat_password = trim(mysql_prep($_POST['repeat_password']));
	$hashed_current_password = sha1($current_password);
	$hashed_new_password = sha1($new_password);
	$username = $_SESSION['username'];
	// Check the two new password fields match
	if ($new_password != $repeat_password){
	  $errors[] = "Your new password does not match your confirmed password.";
	}
	// Check if the current password matches the stored password
	$query = "SELECT count(*) ";
	$query .= "FROM dudes ";
	$query .= "WHERE username = '{$username}' ";
	$query .= "AND hashed_password = '{$hashed_current_password}' ";
	$query .= "AND in_use=1 ";
	$query .= "LIMIT 1";
	$result_set = mysql_query($query);
	confirm_query($result_set);
	if (mysql_num_rows($result_set) != 1) {
		$errors[] = "You entered an incorrect current password.";
	}

	if ( empty($errors) ) {
	  //if not errors then update password
		// Check database to see if username and the hashed password exist there.
		$query = "UPDATE dudes ";
		$query .= "set hashed_password =  '{$hashed_new_password}', last_password_changed = sysdate() ";
		$query .= "WHERE username = '{$username}' ";
		$query .= "AND hashed_password = '{$hashed_current_password}' ";
		$query .= "AND in_use=1 ";
		$result_set = mysql_query($query);
		//confirm_query($result_set);
		if (mysql_affected_rows() == 1) {
			$message = "Password Changed";
			//redirect_to("login.php");
		} else {
			// username/password combo was not found in the database
			$message = "Username/password combination incorrect.<br />
				Please make sure your caps lock key is off and try again." . $username . $hashed_current_password.$_SESSION['username'];
		}
	} else {
		if (count($errors) == 1) {
			$message = "There was 1 error in the form.";
		} else {
			$message = "There were " . count($errors) . " errors in the form.";
		}
	}

} else { // Form has not been submitted.
	if (isset($_GET['logout']) && $_GET['logout'] == 1) {
		$message = "You are now logged out.";
	}
	if (isset($_GET['restricted']) && $_GET['restricted'] == 1) {
		$message = "You have tried to access a restricted area and have been logged out. <br />Please login again.";
	}
	// Initialise the fields this form echoes back, so the htmlentities() calls
	// below do not hit undefined variables on first load. Do not create a local
	// $username here: this form has no username field, and with register_globals
	// on, $username = "" would also blank $_SESSION['username'].
	$current_password = "";
	$new_password = "";
	$repeat_password = "";

}
?>
<?php include("includes/header.php"); ?>
<table id="structure">
<tr>
	<td id="navigation">
		<a href="index.php">Return to public site</a>
		<?php echo "Logged in as ". $_SESSION['username']; ?>
	</td>
	<td id="page">
		<h2>Staff Login</h2>
		<?php if (!empty($message)) {echo "<p class=\"message\">" . $message . "</p>";} ?>
		<?php if (!empty($errors)) { display_errors($errors); } ?>
		<form action="change_pwd.php" method="post">
		<table>
			<tr>
				<td>Current Password:</td>
				<td><input type="password" name="current_password" maxlength="30" value="<?php echo htmlentities($current_password); ?>" /></td>
			</tr>
			<tr>
				<td>New Password:</td>
				<td><input type="password" name="new_password" maxlength="30" value="<?php echo htmlentities($new_password); ?>" /></td>
			</tr>
			<tr>
				<td>Confirm New Password:</td>
				<td><input type="password" name="repeat_password" maxlength="30" value="<?php echo htmlentities($repeat_password); ?>" /></td>
			</tr>
			<tr>
				<td colspan="2"><input type="submit" name="submit" value="Change Password" /></td>
			</tr>
		</table>
		</form>
	</td>
</tr>
</table>
<?php include("includes/footer.php"); ?>

This is my login page:

 

<?php require_once("includes/session.php"); ?>
<?php require_once("includes/connection.php"); ?>
<?php require_once("includes/functions.php"); ?>
<?php

//if (logged_in()) {
//	redirect_to("staff.php");
//}

include_once("includes/form_functions.php");

// START FORM PROCESSING
if (isset($_POST['submit'])) { // Form has been submitted.
	$errors = array();

	// perform validations on the form data
	$required_fields = array('username', 'password');
	$errors = array_merge($errors, check_required_fields($required_fields, $_POST));

	$fields_with_lengths = array('username' => 30, 'password' => 30);
	$errors = array_merge($errors, check_max_field_lengths($fields_with_lengths, $_POST));

	$username = trim(mysql_prep($_POST['username']));
	$password = trim(mysql_prep($_POST['password']));
	$hashed_password = sha1($password);

	if ( empty($errors) ) {
		// Check database to see if username and the hashed password exist there.
		$query = "SELECT user_id, username, name,is_admin ";
		$query .= "FROM dudes ";
		$query .= "WHERE username = '{$username}' ";
		$query .= "AND hashed_password = '{$hashed_password}' ";
		$query .= "AND in_use=1 ";
		$query .= "LIMIT 1";
		$result_set = mysql_query($query);
		confirm_query($result_set);
		if (mysql_num_rows($result_set) == 1) {
			// username/password authenticated
			// and only 1 match
			$found_user = mysql_fetch_array($result_set);
			$_SESSION['user_id'] = $found_user['user_id'];
			$_SESSION['username'] = $found_user['username'];
			$_SESSION['name'] = $found_user['name'];
			if ($found_user['is_admin'] == 'Y') {
				$_SESSION['admin'] = $found_user['is_admin'];
			}
			$query = "UPDATE dudes set last_login_date = sysdate() ";
			$query .= "WHERE username = '{$username}' ";
			$query .= "AND hashed_password = '{$hashed_password}' ";
			$query .= "AND in_use=1 ";
			$query .= "LIMIT 1";
			$result_set = mysql_query($query);
			redirect_to("change_pwd.php");
		} else {
			// username/password combo was not found in the database
			$message = "Username/password combination incorrect.<br />
				Please make sure your caps lock key is off and try again.";
		}
	} else {
		if (count($errors) == 1) {
			$message = "There was 1 error in the form.";
		} else {
			$message = "There were " . count($errors) . " errors in the form.";
		}
	}

} else { // Form has not been submitted.
	if (isset($_GET['logout']) && $_GET['logout'] == 1) {
		$message = "You are now logged out.";
	}
	if (isset($_GET['restricted']) && $_GET['restricted'] == 1) {
		$message = "You have tried to access a restricted area and have been logged out. <br />Please login again.";
	} 
	$username = "";
	$password = "";

}
?>
<?php include("includes/header.php"); ?>
<table id="structure">
<tr>
	<td id="navigation">
		<a href="index.php">Return to public site</a>
	</td>
	<td id="page">
		<h2>Staff Login</h2>
		<?php if (!empty($message)) {echo "<p class=\"message\">" . $message . "</p>";} ?>
		<?php if (!empty($errors)) { display_errors($errors); } ?>
		<form action="login.php" method="post">
		<table>
			<tr>
				<td>Username:</td>
				<td><input type="text" name="username" maxlength="30" value="<?php echo htmlentities($username); ?>" /></td>
			</tr>
			<tr>
				<td>Password:</td>
				<td><input type="password" name="password" maxlength="30" value="<?php echo htmlentities($password); ?>" /></td>
			</tr>
			<tr>
				<td colspan="2"><input type="submit" name="submit" value="Login" /></td>
			</tr>
		</table>
		</form>
	</td>
</tr>
</table>
<?php include("includes/footer.php"); ?>

This is my redirect_to function:

function redirect_to( $location = NULL ) {
	if ($location != NULL) {
		header("Location: {$location}");
		exit;
	}
}

 

I have also tried directly changing the address in the address bar after logging in.

 

I thought maybe I should try $_SESSION['user_id'] instead of $_SESSION['username'] (I set both at the same time), and strangely that seemed to work on the change password page. However, if I typed in an incorrect current password it does not return any of the session values.

 

Any ideas?
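The poster's observation that $_SESSION['user_id'] survives while $_SESSION['username'] goes missing fits the pattern of a page-level variable with the same name as the session key being reset to "" (the change password page inherits $username = "" from the login page, and with register_globals on that assignment also clears the session entry). The rewrite below is an added example, not the poster's code or the tutorial it came from: it keys the user on the immutable user_id stored at login, never copies session values into a global named after the key, uses prepared statements instead of string-built SQL, and checks the current password with password_verify() rather than comparing a sha1 of the escaped input (in the thread the password is passed through mysql_prep() before hashing, so the stored hash depends on the escaping as well as the password). It assumes PHP 7.0 or later, PDO with a MySQL DSN, and the table and column names used in the thread (dudes, user_id, hashed_password, in_use, last_password_changed) with hashed_password wide enough for a bcrypt string; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the thread's code. Assumes PHP >= 7.0, PDO/MySQL, and the
// thread's table `dudes` (user_id, hashed_password, in_use, last_password_changed).
declare(strict_types=1);

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// The user is identified by the user_id stored at login, never by a mutable
// $username global (a page-level "$username = ''" is what clears the session
// entry when register_globals is on).
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/**
 * Validates and applies a password change. Returns a list of error strings;
 * an empty list means the password was changed.
 */
function change_password(PDO $db, int $userId, string $current, string $new, string $repeat): array
{
    $errors = [];
    if ($current === '' || $new === '' || $repeat === '') {
        $errors[] = 'All three password fields are required.';
    }
    if ($new !== $repeat) {
        $errors[] = 'Your new password does not match your confirmed password.';
    }
    if (strlen($new) < 8) {
        $errors[] = 'Your new password must be at least 8 characters.';
    }
    if ($errors !== []) {
        return $errors;
    }

    // Fetch the stored hash for this user with a bound parameter; no escaping of
    // the password is needed because it never enters the SQL string.
    $stmt = $db->prepare('SELECT hashed_password FROM dudes WHERE user_id = :id AND in_use = 1 LIMIT 1');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A missing row and a wrong password produce the same message.
    if ($row === false || !password_verify($current, $row['hashed_password'])) {
        return ['The current password you entered is incorrect.'];
    }

    $upd = $db->prepare(
        'UPDATE dudes SET hashed_password = :hash, last_password_changed = NOW() '
        . 'WHERE user_id = :id AND in_use = 1'
    );
    $upd->execute([':hash' => password_hash($new, PASSWORD_DEFAULT), ':id' => $userId]);
    if ($upd->rowCount() !== 1) {
        return ['The password could not be updated; please try again.'];
    }

    // Rotate the session id after a credential change so a session id captured
    // before the change is no longer valid.
    session_regenerate_id(true);
    return [];
}

// Request handling for the thread's form (fields current_password, new_password,
// repeat_password, submit). The HTML form itself is unchanged.
$message = '';
$errors  = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $uid = current_user_id();
    if ($uid === null) {
        header('Location: login.php');
        exit;
    }
    // Placeholder DSN and credentials; replace with the application's own.
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $errors = change_password(
        $db,
        $uid,
        (string) ($_POST['current_password'] ?? ''),
        (string) ($_POST['new_password'] ?? ''),
        (string) ($_POST['repeat_password'] ?? '')
    );
    $message = $errors === [] ? 'Password changed.' : count($errors) . ' problem(s) with the form.';
}
```

Existing sha1 hashes cannot be verified with password_verify(), so a migration needs a one-time step: accept the old sha1 on login once, re-hash with password_hash(), and store the new value. The error message deliberately does not echo the username, the hash, or any session value back into the page.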
