
Problem with login & cookies...


thurmanmurman


Hello All,

I am having a bit of a problem. Here is what's going on:

I have a PHP client login site which uses a check login page to authenticate the user and then redirects the user to their own site based on directory information stored in the MySQL db.

I am able to login and all is well on that front, but the issue I'm having comes when I try to login as another user on the same machine. After I've logged in once and I try to login as another user, it takes me to the first user's page UNLESS I clear/delete cookies from my browser.

I think this is probably a simple fix somewhere, I just don't know where to start. Any help would be appreciated.

Here is the code:

CHECK LOGIN PAGE

<?php
ob_start();

$host=""; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name=""; // Database name
$tbl_name=""; // Table name


// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

#####
function mysql_evaluate($query, $default_value="undefined") {
    $result = mysql_query($query);
    if (mysql_num_rows($result)==0)
        return $default_value;
    else
        return mysql_result($result,0);
}
#####

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$mydirectory = mysql_evaluate("SELECT directory FROM $tbl_name WHERE 'username='$myusername'");

// encrypt password
$encrypted_mypassword=md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){

// Register $myusername, $mypassword, $mydirecory and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
session_register("mydirectory");

$host          = $_SERVER['HTTP_HOST'];
$uri            = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$directory      = mysql_evaluate("SELECT directory FROM $tbl_name WHERE username='$myusername'");
$extra          = 'index.php';
header("Location: http://$host$uri/$directory/$extra");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

 

USER PAGE

 

<?
// Check if session is not registered , redirect back to main page.
// Put this code in first line of web page.

session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 {
font-size: 100px;
font-weight: bold;
}
-->
</style>
</head>

<body>
<span class="style1">JOHN</span>
</body>
</html>

 

 


That reply meant to use those tags when you post your code in the forum.

 

session_register() and session_is_registered() were turned off by default 7 years ago and have been completely removed in php6. You need to use the $_SESSION array for setting and referencing session variables.

Hello,

 

I have changed the code to reflect the $_SESSION array and I seem to be getting to the right location. I seem to be having one final problem.

I can change the address bar to another user's directory and I can see their private page. I would like for it to throw a 403 page if on any other page than the logged-in user's.

 

Any Ideas?

 

UPDATED CODE

 

CHECK LOGIN

 

ob_start();
session_start();

$host=""; // Host name
$username=""; 	// Mysql username
$password=""; 		// Mysql password
$db_name=""; 	// Database name
$tbl_name=""; 		// Table name


// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

#####
function mysql_evaluate($query, $default_value="undefined") {
    $result=mysql_query($query);
    if (mysql_num_rows($result)==0)
        return $default_value;
    else
        return mysql_result($result,0);
}
#####

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$mydirectory=mysql_evaluate("SELECT directory FROM $tbl_name WHERE 'username='$myusername'");

// encrypt password
$encrypted_mypassword=md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){

// Register $myusername, $mypassword, $mydirecory and redirect to file "login_success.php"
$_SESSION['myusername'];
$_SESSION['mypassword'];
$_SESSION['mydirectory'];

$host           = $_SERVER['HTTP_HOST'];
$uri            = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$directory       = mysql_evaluate("SELECT directory FROM $tbl_name WHERE username='$myusername'");
$extra          = 'index.php';
header("Location: http://$host$uri/$directory/$extra");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();

 

USER PAGE

 

// Check if session is not registered , redirect back to main page.

session_start();
if($_SESSION['myusername']):
header("location:main_login.php");
endif;

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 {
font-size: 100px;
font-weight: bold;
}
-->
</style>
</head>

<body>
<span class="style1">GRETCHEN</span>
</body>
</html>

 

 


// Register $myusername, $mypassword, $mydirecory and redirect to file "login_success.php"
$_SESSION['myusername'];
$_SESSION['mypassword'];
$_SESSION['mydirectory'];

 

should be something like this

 




$_SESSION['myusername']=$USERNAMEVAR;
$_SESSION['mypassword']=$PASSWORDVAR;
$_SESSION['mydirectory']=$MYDIRVAR;

 

You have to put something into the session vars, not just define them.
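
An added example, not code from any poster in this thread: one way to assign the session values at login and to answer 403 when a logged-in user requests a directory other than their own. It swaps the thread's `mysql_*` calls and `md5()` for PDO prepared statements and `password_verify()`, and assumes a hypothetical `users(username, password_hash, directory)` table; the function names and the `../main_login.php` path are also assumptions.

```php
<?php
// Added example; function names and the users table layout are assumptions.
function login(PDO $db, string $username, string $password): bool
{
    // The caller has already run session_start().
    $stmt = $db->prepare('SELECT password_hash, directory FROM users WHERE username = ?');
    $stmt->execute([$username]);                 // value is bound, not concatenated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session ID for this login
    $_SESSION = [];                              // discard the previous user's values
    $_SESSION['myusername']  = $username;        // assign a value, don't just name the key
    $_SESSION['mydirectory'] = $row['directory']; // the password is not kept in the session
    return true;
}

// Status the user page should answer with for this session and script path.
function directory_status(array $session, string $scriptPath): int
{
    if (empty($session['myusername'])) {
        return 302;                              // not logged in
    }
    $requested = basename(dirname($scriptPath)); // /clients/john/index.php -> john
    return ($session['mydirectory'] ?? null) === $requested ? 200 : 403;
}

// Call as the first statement of every user's index.php.
function require_own_directory(): void
{
    session_start();
    $status = directory_status($_SESSION, $_SERVER['SCRIPT_NAME']);
    if ($status === 302) {
        header('Location: ../main_login.php');   // path is an assumption
        exit;                                    // stop before any page content is sent
    }
    if ($status === 403) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed sessions, for a quick check from the command line.
if (PHP_SAPI === 'cli') {
    $john = ['myusername' => 'john', 'mydirectory' => 'john'];
    var_dump(directory_status($john, '/clients/john/index.php'));     // own page
    var_dump(directory_status($john, '/clients/gretchen/index.php')); // another user's page
    var_dump(directory_status([], '/clients/john/index.php'));        // logged out
}
```

The `exit` after each `header()` call matters: without it the rest of the page is still rendered and sent to a client that ignores the redirect.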

Archived

This topic is now archived and is closed to further replies.
