$_SESSION problem

[tecmeister]

Hi guys,

 

I'm having a problem with setting a $_SESSION for login.  The script worked at first, but for some reason it stopped working.  I thought it was because of the ob_start() I entered.  so I removed it and fixed the header() problem I had.  But I was still having the same problem.

 

This is the script where I set the $_SESSION:

 

<?php
if((isset($_GET['signin'])) && ($_GET['signin'] == "check")){
   require_once("include/class.php");
   $database->dbConnect();
   //------------Collect $_POST---------\\
   $user = $_POST['user'];
   $pass = $_POST['pass'];
   
   //-------------disable account ----------------\\
   $sql = "SELECT * FROM disable";
   $result = $database->query($sql);
   $row = mysql_fetch_array($result);
   
   if(($user == $row['user']) && ($row['disabled'] != 0)){
      header("Location: [url]http://members.aerialfusion.co.uk/index.php?disabled=[/url]".$user."&by=".$_SERVER['REMOTE_ADDR']);   
   }
   //-------------Connect to personal ----------------\\
   $sql = "SELECT * FROM personal WHERE user='$user'";
   $result = $database->query($sql);
   $row = mysql_fetch_array($result);
   //-----------------------Log in Empty---------------------------\\
   if((empty($user) && empty($pass))){
      header("location: [url]http://www.aerialfusion.co.uk/index.php?signin=formEmpty[/url]");
   }
   //-----------------------Password Error---------------------------\\
   if(($user == $row['user']) && ($pass != $row['pass'])){
      header("location: [url]http://www.aerialfusion.co.uk/index.php?signin=passwordError[/url]");
   }
   //-----------------------Password Empty---------------------------\\
   if((!empty($user)) && (empty($pass))){
      header("location: [url]http://www.aerialfusion.co.uk/index.php?signin=passwordEmpty[/url]");
   }
   //-----------------------Not Activated---------------------------\\
   if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] != 1)){
      header("location: [url]http://www.aerialfusion.co.uk/index.php?signin=notActivated[/url]");   
   }
   //-----------------------SESSION Log In---------------------------\\
  [color=#ff0000] if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] == 1)){
      $_SESSION['user'] = $row['user'];
      header("location: [/color][url=http://members.aerialfusion.co.uk/index.php?session=][color=#ff0000]http://members.aerialfusion.co.uk/index.php?session=[/color][/url][color=#ff0000]".$_SESSION['user']);
   }[/color]
   //-----------------------COOKIE Log In---------------------------\\
   if(($user == $row['user']) && ($pass == $row['pass']) && ($row['active'] == 1) && ($_POST['stayIn'] == "on")){
      setcookie("user",$row['user'],time()+31536000,"/","aerialfusion.co.uk");   
      header("location: [url]http://members.aerialfusion.co.uk/index.php?user=[/url]".$row['user']);
   }
}else{
   header("location: [url]http://www.aerialfusion.co.uk/index.php[/url]");   
}
?>

 

Thanks for your help,

 

tecmeister.

[RussellReal]

idk about your problem but like.. I see two ISSUES right here

 

  $sql = "SELECT * FROM disable";

  $result = $database->query($sql);

  $row = mysql_fetch_array($result);

 

  if(($user == $row['user']) && ($row['disabled'] != 0)){

      header("Location: http://members.aerialfusion.co.uk/index.php?disabled=".$user."&by=".$_SERVER['REMOTE_ADDR']); 

  }

 

the query will pull ALL results from the database.. THEN pull the first result from the resultset then the if statement will check if the user is the FIRST result in the table.. which is not very secure if you disabled an account and he is the SECOND result.. you should use a WHERE clause in the query..

 

SELECT * FROM disable WHERE user = '$user'

 

the SECOND issue there is..  header("Location: http://members.aerialfusion.co.uk/index.php?disabled=".$user."&by=".$_SERVER['REMOTE_ADDR']);

 

the Location header needs a valid url.. ........ is not a valid url..

 

and your whole detirmination process is redundant.. you should do something like this:

 

<?php
$s = "SELECT * FROM personal WHERE user = '{$user}' AND password = '{$pass}'";
$r = $database->query($s);
if ($z = mysql_fetch_assoc($r)) {
	// if user and password were correct..
	if (!$z['active']) {
		// if user is not active
	} else {
		// log the user in..
	}
} else {
	if ((!strlen($user)) || (!$strlen($pass))) {
		// form was not filled out fully
	} else {
		// invalid username and password
	}
}
?>

[tecmeister]

Hi RussellReal,

 

How do I know what a valid URL is?

Could you please tell me what I have entered wrong with the URL.

 

Thanks,

 

tecmeister.

[RussellReal]

mybad.. I was trying to but it evaluated the bbcode lmao

 

[url]....[/url]

is not a valid url

[BloodyMind]

I agree with russel:

use fetch_assoc() and use WHERE clause because imagine this query on a million user....that would take alot of server overhead

 

I'd recommend that you use session_start() if you didn't already

 

also try to use any encryption function for passwords i.e. md5() or sha1()

 

Validate both inputs if its filled in or not using

e.g:

if (empty(trim($user)) || empty($pass)){

echo "please fill in your login and password";

}

 

I'd recommend also not to inform the user which of the fields is incorrect for security reasons. tell him invalid user/password

 

hope that helped

 

[tecmeister]

I have put start_session() at the beginning of the page and I'm still getting the same problem.

I put exit{}; after setting the $_SESSION['user'] = $user, and it is still not setting.

This is the code of the page:

 

<?php
if((isset($_GET['signin'])) && ($_GET['signin'] == "check")){
require_once("include/class.php");
$database->dbConnect();
//------------Collect $_POST---------\\
$user = $_POST['user'];
$pass = $_POST['pass'];
//-------------disable account ----------------\\
$sql1 = "SELECT * FROM disable WHERE user='$user'";
$result1 = $database->query($sql1);
$row1 = mysql_fetch_assoc($result1);
//-------------Connect to personal ----------------\\
$sql = "SELECT * FROM personal WHERE user='$user'";
$result = $database->query($sql);
$row = mysql_fetch_assoc($result);
//-----------------------Log in Empty---------------------------\\
if((empty($user) && empty($pass))){
	header("location: http://aerialfusion.co.uk/index.php?signin=formEmpty");
}
//-----------------------Password Error---------------------------\\
if($user == $row['user'] && $pass != $row['pass']){
	//-------------------Disable User--------------------------\\
	if($row1['disable_no'] > 0){
		$sub = $row1['disable_no'] -1;
		$sql2 = "UPDATE disable SET disable_no='$sub' WHERE user='$user'";
		$result2 = $database->query($sql2);
	}
	//---------------Sending mail---------------------------\\
	if(($row1['disable_no'] == 1) && ($row1['disabled'] == 0)){
			$hacker = $_SERVER['REMOTE_ADDR'];
			$random = md5(uniqid(rand(),true));
			$sql3 = "UPDATE disable SET disabled='$random', hacker_ip='$hacker'";
			$result3 = $database->query($sql3);
			//--------------Sending a Email---------------------\\
			$to = $row['email'];
			$subject = "Account Has Been Disabled";
			$message = "Dear ".$row['user'].",\n\n";
			$message .= "You account was disabled on ".date('d/m/Y')." at ".date('H:m:s a').".\n";
			$message .= "The persons IP address that entered you password wrong three times were ".$hacker."\n";
			$message .= "To re-activate your acount, please click on the link below.\n";
			$message .= "_______________________________________________________________\n\n";
			$message .= "http://www.aerialfusion.co.uk/index.php?reactivate_account=".$random."&id=".$row1['id']."\n\n";
			$message .= "Kind Reagrds,\n\n";
			$message .= "Johnny McCaffery,\n";
			$message .= "Founder of Aerial Fusion";
			$header = "MIME-Version: 1.0\n";
			$header .= "From: donotreplay@aerialfusion.co.uk";
			mail($to,$subject,$message,$header);
			header("Location: http://aerialfusion.co.uk/index.php?account_disabled_by=".$_SERVER['REMOTE_ADDR']);	
	}
	//--------------------Attemps left-----------------------------------\\
	if($row1['disable_no'] > 1){
			header("Location: http://aerialfusion.co.uk/index.php?signin=passwordWrong&attemps=".$sub);
		}
	//--------------------Account Disabled----------------------\\
	if(($row1['disable_no'] == 1) && ($row1['disabled'] != 0)){
		header("Location: http://aerialfusion.co.uk/index.php?already_disabled=".$row1['id']);
	}
}
//-----------------------Password Empty---------------------------\\
if((!empty($user)) && (empty($pass))){
	header("location: http://aerialfusion.co.uk/index.php?signin=passwordEmpty");
}
//-----------------------Not Activated---------------------------\\
if($row['active'] != 1){
	header("location: http://aerialfusion.co.uk/index.php?signin=notActivated");	
}
//----------------Username not used----------------\\
if($user != $row['user']){
	header("Location: http://aerialfusion.co.uk/index.php?signin=user&username=".$user);
}
//-----------------------SESSION Log In---------------------------\\
if(($pass == $row['pass']) && ($row['active'] == 1)){
	setcookie("user",$row['user'],time()+60*20,"/","aerialfusion.co.uk");
	header("location: http://members.aerialfusion.co.uk");
}
//-----------------------COOKIE Log In---------------------------\\
if(($pass == $row['pass']) && ($row['active'] == 1) && ($_POST['stayIn'] == "on")){
	setcookie("user",$row['user'],time()+31536000*10,"/","aerialfusion.co.uk");	
	header("location: http://members.aerialfusion.co.uk/index.php?user=".$row['user']);
}
}else{
header("location: http://www.aerialfusion.co.uk/index.php");	
}
?>

 

You have also said something about the headers not being valid URL.  Please could you show me a valid URL

 

Thanks,

 

tecmeister.

[grissom]

Instead of start_session(); try session_start();

[tecmeister]

That was just a typo on here, I did put session_start().

I have tried to start the session on every page but nothing is happening.  I have checked in the browsers cookies and all that is happening it PHPSESSID.

 

Have I disabled the session (If that is possible).  Please will some one be able to help me with this problem.

 

Thanks,

 

tecmeister.