Altec Posted November 11, 2009 Share Posted November 11, 2009 I'm having a bit of bad luck with sessions. In the past they have worked fine for me, but this time around I'm having terrible luck. Basically, I made the crappiest login system ever. I'm using sessions to store three bits of information: 1) metadata which consists of the username, password, and salt; 2) database row id; 3) username. Here is my code to login/out the user: <?php /** * Copyright 2009 Steven */ session_start(); session_regenerate_id(); define('IN_VOCAB',true); require('init.php'); // Get POST values foreach( $_POST as $key => $value ) { $$key = clean($value,true); } switch( $_SERVER['QUERY_STRING'] ) { case 'login': // MD5 password $password = md5($password); // Validate user exists $user_val_query = $db->query("SELECT * FROM `users` WHERE `username`='{$username}' AND `password`='{$password}' LIMIT 1"); if( mysql_num_rows($user_val_query) > 0 ) { // User exists; set sessions $salt = substr(md5(date('F')),; $user = mysql_fetch_assoc($user_val_query); $_SESSION['steven_vocab.user.meta'] = $username.$password.$salt; $_SESSION['steven_vocab.user.id'] = $user['id']; $_SESSION['steven_vocab.user.name'] = $user['username']; // Logged in echo message('You have been successfully logged in as '.$username.'!','success'); echo '<a href="',$site_url,'">Go to main site</a>.'; show('footer.php'); } else { fatal_error('Incorrect username and/or password. <a href="'.$site_url.'">Please try again</a>.'); } break; case 'logout': // Make sure user is logged in require($sys_inc_path.'user_check.php'); // Unset session vars unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']); echo message('You have been successfully logged out.','success'); echo '<a href="',$site_url,'">Go to main site</a>.'; show('footer.php'); break; default: fatal_error('Invalid request.'); } ?> And here is my code to check and validate the user: <?php /** * Copyright 2009 Steven */ if( !defined('IN_VOCAB') ) { echo 'Direct access to this file is not allowed.'; exit; } // Check for session if( !isset($_SESSION['steven_vocab.user.meta']) || !isset($_SESSION['steven_vocab.user.id']) || !isset($_SESSION['steven_vocab.user.name']) ) { show('login_form.html',null,true); } // Session exists; validate $salt = substr(md5(date('F')),; $id = $_SESSION['steven_vocab.user.id']; $meta = $_SESSION['steven_vocab.user.meta']; $user_info_query = $db->query("SELECT * FROM `users` WHERE `id`='{$id}' LIMIT 1"); if( mysql_num_rows($user_info_query) > 0 ) { // User exists, check username and password $user = mysql_fetch_assoc($user_info_query); if( ($user['username'].$user['password'].$salt) != $meta ) { // User invalid; unset session and exit unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']); fatal_error('Invalid session metadata. <a href="'.$site_url.'">Please login again</a>.'); } } else { // User invalid; unset session and exit unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']); fatal_error('User cannot be found. <a href="'.$site_url.'">Please login again</a>.'); } // The user is logged in and validated; check IP address $user_ip = $_SERVER['REMOTE_ADDR']; $check_ip_query = $db->query("SELECT `ip` FROM `users` WHERE `id`='{$user['id']}' LIMIT 1"); if( mysql_num_rows($check_ip_query) > 0 ) { $stored_ip = mysql_result($check_ip_query,0,'ip'); // Check if empty if( empty($stored_ip) ) { // Update IP $ip_update_query = $db->query("UPDATE `users` SET `ip`='{$user_ip}' WHERE `id`='{$user['id']}' LIMIT 1"); } else { // Check if current IP is same if( $stored_ip != $user_ip ) { // Send me a text and log it $ip_log_data = time().' - Username "'.$user['username'].'" accessed site from IP "'.$user_ip.'" while stored IP is "'.$stored_ip.'" : ID'.$user['id']; file_put_contents($sys_inc_path_admin.'ip_log.txt',$ip_log_data."\n\n",FILE_APPEND); @mail('5555555555@vtext.com','IP Confliction: Vocab',$ip_log_data); } } } // Output info $username = $_SESSION['steven_vocab.user.name']; echo '<div id="user_meta">Welcome back, ',$username,'!<br />» <a href="',$site_url,'user.php?logout">Logout</a> «</div>'; ?> When I log in, everything runs smoothly and it works perfectly. I can log in as anyone and I always have the proper access level, etc. However, when anyone else tries to log in, he or she gets the Invalid metadata message (check code). I've been swapping code in and out all day and nothing seems to fix their problems, except it works fine for me. Can anyone see anything blatantly obvious in the above code? Quote Link to comment https://forums.phpfreaks.com/topic/181065-sessions-work-for-me-and-not-others/ Share on other sites More sharing options...
sKunKbad Posted November 11, 2009 Share Posted November 11, 2009 You might try getting rid of the session_regenerate(). It's basically worthless unless you use session_regenerate(TRUE), and that could make things even worse for you. Also, remember that if a user doesn't allow cookies, sessions wont work unless you have the session_use_trans_sid set to true. Quote Link to comment https://forums.phpfreaks.com/topic/181065-sessions-work-for-me-and-not-others/#findComment-955473 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.