Sessions and login work up to the point of detecting a logged in user...

[ShadeSlayer]

I've recently attempted to work with a user DB/sessions/etc, and it seems like everything works until you click login and see the confirmation page.

 

So, when you click Log In, the script goes ahead and enters the session information into the database, then adds a cookie to your computer, then redirects you to a page that detects if you're logged in or not. And once at that page, the script stops working (because it says I'm not logged in).

 

I'm not getting any errors with this, either.

 

config.php (ignore the top half, all the sessions are managed after // Manage Sessions):

<?php
include("settings.php");
error_reporting("E_ALL");

// Define Table Names
define("table_achievements", $global['prefix']."_achievements");
define("table_cheats", $global['prefix']."_cheats");
define("table_comments", $global['prefix']."_comments");
define("table_glitches", $global['prefix']."_glitches");
define("table_proreviews", $global['prefix']."_proreviews");
define("table_reviews", $global['prefix']."_reviews");
define("table_sessions", $global['prefix']."_sessions");
define("table_unlockables", $global['prefix']."_unlockables");
define("table_users", $global['prefix']."_users");
define("table_walkthroughs", $global['prefix']."_walkthroughs");


// Connect to the database
if($mysql['conn'] = mysql_connect($global['host'], $global['username'], $global['password']))
{
$mysql['select'] = mysql_select_db($global['database'], $mysql['conn']);

if(!$mysql['select'])
{
echo "<b>Error:</b> Failed connection to database.<br /><br />".mysql_error();
}
}
else
{
echo "<b>Error:</b> Failed connection to server.<br /><br />".mysql_error();
}

// Manage Sessions
$user = array();
$session = array();
$loggedin = 0;

if(isset($_COOKIE['sessionid']))
{
$token = mysql_real_escape_string($_COOKIE['sessionid']);
$sql = "SELECT * FROM ".table_sessions." WHERE token = '".$token."' LIMIT 1;";

if($exe = mysql_query($sql))
{
$session = mysql_fetch_array($exe);
mysql_free_result($exe);

  if($session['expire'] < time())
  {
  setcookie("sessionid", "", $_SERVER['REQUEST_TIME']-60);
  mysql_query("DELETE FROM ".table_sessions." WHERE ID = ".$session['ID']);
  header("Location: index.php");
  exit;
  }	
$sql = "SELECT * FROM ".table_users." WHERE ID = ".intval($session['userid'])." LIMIT 1;";
$exe = mysql_query($sql);
  if($exe)
  {
  $user = mysql_fetch_array($exe);
  mysql_free_result($exe);

   if($user['ID'])
   {
   $loggedin = 1;
   }
  }
  else
  {
  die("Cannot load user data!");
  }
}
else
{
die("Cannot load session data!");
}
}
?>

 

login.php:

<?php
include("config.php");
$pagetitle = "Login";
if($loggedin)
{
header("Location: test.php");
exit;
}
function generateSessionID()
{
$sessionid = md5($_SERVER['REQUEST_TIME']);
$sessionid .= md5(rand(1, 9999999));
$sessionid .= md5(rand(1, 9999999));
$sessionid .= md5(mt_rand(0,strlen(32)));
return md5($sessionid);
}
function startSession($userid)
{
$sessionid = generateSessionID();
$sql = "INSERT INTO ".table_sessions." VALUES (NULL , '".intval($userid)."', '".$sessionid."', '".($_SERVER['REQUEST_TIME']+86400)."');";
if($exe = mysql_query($sql))
{
setcookie("sessionid", $sessionid, $_SERVER['REQUEST_TIME']+86400);
header("Location: test.php");
exit;
}
else
{
return "Could not start session! Try again.";
}
}
if(isset($_POST['username']) && isset($_POST['password']))
{
$username = "";
$username = mysql_real_escape_string($_POST['username']);
$sql = "SELECT username, password_salt FROM ".table_users." WHERE username = '".$username."' LIMIT 1;";
$exe = mysql_query($sql);

$error = array();
if($exe)
{
$row = mysql_fetch_array($exe);
mysql_free_result($exe);
$password = "";
$password = sha1($_POST['password'] . $row['password_salt']);
$sql = "SELECT * FROM ".table_users." WHERE username = '".$username."' AND password = '".$password."' LIMIT 1;";
$exe = mysql_query($sql);
  if($exe)
  {
  // Everything is correct, initiate session.
  $row = mysql_fetch_array($exe);
  mysql_free_result($exe);
  $error[] = startSession($row['ID']);
  }
  else
  {
  $error[] = "Username does not exist";
  }
}
}
if($_GET['q'] === "logout")
{
setcookie("sessionid", "", $_SERVER['REQUEST_TIME']-60);
mysql_query("DELETE FROM ".table_sessions." WHERE ID = ".$session['ID']);
header("Location: login.php");
exit;
}
$output = "<form action=\"\" method=\"post\">\n"
         .implode('<br />', $error)
         ."<br /><b>Username:</b> <input type=\"text\" name=\"username\" value=\"\" /><br />\n"
         ."<b>Password:</b> <input type=\"password\" name=\"password\" value=\"\" /><br />\n"
         ."<input type=\"hidden\" name=\"action\" value=\"output\" />\n"
         ."<input type=\"submit\" name=\"submit\" value=\"Login\" />\n"
         ."</form>\n";

$pagecontents = $output;
include("layout.php");
?>

 

test.php:

<?php
include("config.php");
$pagetitle = "Test";

if($loggedin)
{
$output = "You ARE logged in!<br /><br /><strong>User array:</strong><br />";
print_r($user);
$output = "<br /><br /><strong>Session array:</strong><br />";
print_r($session);
if($user['class'] === "Admin")
{
$output = "You're an admin, too.";
}
elseif($user['class'] === "Editor")
{
$output = "You're an editor, too.";
}
else
{
$output = "You're just a regular member.";
}
}
else
{
$output = "You ARE NOT logged in! <a href=\"login.php\">log in</a>";
}

$pagecontents = $output;
include("layout.php");
?>

 

Again, as I stated in an earlier topic: I'm a total failure with session control and the like, and am a total noob when it comes to using them.

 

Thanks a bunch.

[patrickmvi]

I'm not sure exactly where your bug is but I am curious as to why you're not using PHP's built-in session handling functions (http://www.php.net/manual/en/book.session.php).  It seems that it would make things much simpler for you.  In regards to the code you posted, it looks like it would be fine, what you can do is try to output your query that pulls the session info from the DB and check to make sure that if you run it directly in MySQL that it would return something.