nvee Posted January 4, 2010

Hey guys, I am working on a very simple user login script for one of my applications. Judging from my code, you will see that I am still very new to PHP, so I will appreciate any help on fixing the problem, but also on how to improve my code to make my application better/more secure.

The code has a simple username and password form. The form processes the same page (index.php) and checks for an empty username/password, after which it checks for the username and password in the database. If there is 1 row matching both the username and password (mysql_num_rows), it creates a session and then redirects the user to admin.php.

admin.php creates a session (session_start()) and then checks if $_SESSION["id"] is not the same as session_id(). If they are not the same, it takes the user back to index.php.

I managed to get everything right, but once it directs to admin.php, it would appear that $_SESSION["id"] != session_id() every time, which then goes back to index.php, which is incorrect. I have not used sessions that much in my life, so this is definitely an id10t error!
Here is my code (index.php):

```php
<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<?php include("includes/functions.php"); ?>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>login</title>
<link rel="stylesheet" href="css/style.css" media="all" />
</head>
<body>
<div id="wrapper">
<div id="head">
<img src="images/logo.jpg" width="286" height="100" alt="opanel logo" />
</div>
<div id="titlebar">
<p>WELCOME TO THE PANEL &gt; PLEASE LOG IN</p>
</div>
<div id="content">
<?php
if ($_POST["login"] == "submit") {
    $username = $_POST["username"];
    $password = $_POST["password"];
    $error = ""; // initialise so the .= below does not work on an undefined variable

    if (empty($username)) {
        $error .= "<li>You failed to enter a username</li>";
    }
    if (empty($password)) {
        $error .= "<li>You failed to enter a password</li>";
    }
    if (!empty($error)) {
        echo "<p><strong>ERRORS:</strong></p>";
        echo "<ul>";
        echo $error;
        echo "</ul>";
    }

    connectdb("$server", "$dbuser", "$dbpass", "$dbname");
    $query = mysql_query("SELECT * FROM opanel_users WHERE username = '$username' AND password = '$password'");
    if (!$query) {
        die("Could not run the mysql query, please contact your service provider for more information");
    }
    $result = mysql_num_rows($query);

    if ($result == 1) {
        // the session was already started at the top of this file, so no second session_start() here
        $_SESSION["admin"] = "$username";
        $_SESSION["pass"]  = "$password";
        // SID is the "PHPSESSID=..." name=value string (or an empty string when the
        // session cookie was sent); it is never the bare id that session_id() returns
        $_SESSION["id"] = SID;
        echo session_id();
        echo "<p>Username and Password accepted. Please <a href='admin.php'>click here</a> to access the control panel</p>";
    } elseif ($result !== 1) {
        echo "<p>Username and password incorrect, please try again by <a href='index.php'>clicking here</a>! If you cannot remember your username and password, please contact your service provider</p>";
    }
} else {
    echo "<p>Please submit your username and password below. For security reasons, please note that all log attempts and IP addresses are kept.</p>";
?>
<div id="loginform">
<form action="index.php" method="post">
<p>Username: <input name="username" type="text" /></p>
<p>Password: <input name="password" type="password" /></p>
<p><input name="login" id="login" value="submit" type="submit" /></p>
</form>
</div>
<?php } ?>
<p>&nbsp;</p>
</div>
</div>
</body>
</html>
```

and here is admin.php:

```php
<?php
session_start();
if ($_SESSION["id"] !== session_id()) {
    header("Location: index.php");
    // stop here: without exit the browser is told to redirect but the rest of
    // this page is still sent, so anyone ignoring the redirect sees the panel
    exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<?php include("includes/functions.php"); ?>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Opanel: User Login</title>
<link rel="stylesheet" href="css/style.css" media="all" />
</head>
<body>
<div id="wrapper">
<div id="head">
<img src="images/logo.jpg" width="286" height="100" alt="opanel logo" />
</div>
<div id="titlebar">
<p>YOU ARE LOGGED IN!</p>
</div>
<div id="content">
<p>ADMIN PANEL!!!</p>
</div>
</div>
</body>
</html>
```

https://forums.phpfreaks.com/topic/187113-session-not-directing-page-correctly/
RaythMistwalker Posted January 4, 2010

In your opanel table, what fields do you have other than login and password?
nvee Posted January 4, 2010 (Author)

Well, I found the problem. In my index.php page I was setting $_SESSION["id"] to SID and not session_id().

I only have username and password fields for login. My idea was to not just check if $_SESSION["id"] was the same as session_id(), but I also wanted to check if the username and password are correct on the other pages. I realised that this is a lot of extra processing (first connect to the database, do a query) before it would actually check if the user is logged in correctly. Is there any other way of doing it, or of doing it better at least?
RaythMistwalker Posted January 4, 2010

I actually have pages: login.php contains the login form itself and sends data to login-exec.php, which then runs the database query etc. On successful login it will set a $_SESSION with the user's id (all my users have different IDs), and if the ID is set then they remain logged in. Then they are directed to member-index.php where they can do things.
nvee Posted January 4, 2010 (Author)

I initially wanted to do something similar, but was advised to rather not do it as it creates additional pages and unnecessary headaches.

What happens with your validation? I mean, what happens when the user e.g. does not enter the correct username and password? Does login-exec.php send validation back to login.php?

And by setting a $_SESSION, do you mean you're doing something like $_SESSION["id"] = $id; (with $id being the user's id in the database)?

I will then imagine that at the top of every page it starts a session, connects to the database, and checks if the $_SESSION["id"] is the same session id as the username under $_SESSION["username"], or something along those lines?
RaythMistwalker Posted January 4, 2010

OK, one question at a time.

"What happens with your validation? I mean, what happens when the user e.g. does not enter the correct username and password? Does login-exec.php send validation back to login.php?"

This sends them to Login-Failed.php, which contains a link back to login.php.

"And by setting a $_SESSION, do you mean you're doing something like $_SESSION["id"] = $id; (with $id being the user's id in the database)?"

Yes, it is getting the id from the database.

"I will then imagine that at the top of every page it starts a session, connects to the database, and checks if the $_SESSION["id"] is the same session id as the username under $_SESSION["username"], or something along those lines?"

At the moment, no, since the website isn't well known yet and I monitor the IPs of those who log in. Only I can make accounts, so only those who have accounts know how to access it. Once I have more stuff on it I will of course be checking user ids and such.
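The original post asks how to make the login more secure, and the later replies settle on storing the user's database id in the session and checking only the session on protected pages. The following is an added example written for this thread, not code from either poster. It assumes a table `opanel_users(id, username, password_hash)` where `password_hash` holds the output of PHP's `password_hash()` (the thread's table has a plaintext `password` column; the renamed column, the function names and the SQLite seed data are all constructed for the demo). It uses PDO with prepared statements because the `mysql_*` functions used in the thread were removed in PHP 7.0 and because interpolating `$username` and `$password` into the query string, as index.php above does, is a SQL injection.

```php
<?php
// Added example for the thread above; not the original poster's code.
// Assumed schema: opanel_users(id INTEGER, username TEXT UNIQUE, password_hash TEXT).
declare(strict_types=1);

// Look the user up with a bound parameter and verify the password against the
// stored hash. Returns the user's id on success, null otherwise.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM opanel_users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a throwaway hash if the account does
    // not exist, so "no such user" and "wrong password" take about the same time.
    $hash = $row !== false ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    if ($row === false || !$ok) {
        return null;
    }
    return (int) $row['id'];
}

// Call once after authenticate() succeeds. Regenerating the id discards whatever
// session id the browser held before login (session fixation), and the session
// stores only the user id, never the password.
function login_user(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
}

// Put this at the top of every protected page (admin.php in the thread). Only the
// session is consulted, so there is no database round trip per page. On failure it
// redirects AND exits; a bare header() call would still send the page body.
function require_login(string $loginPage = 'index.php'): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginPage);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Clear the session data and the cookie so the old id cannot be reused.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Stand-alone demo with a constructed in-memory SQLite table; a web deployment
// would point the PDO DSN at the real opanel database instead.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE opanel_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO opanel_users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse battery', PASSWORD_DEFAULT)]); // constructed account

    var_dump(authenticate($db, 'admin', 'correct horse battery')); // genuine credentials
    var_dump(authenticate($db, 'admin', 'wrong password'));        // wrong password
    var_dump(authenticate($db, "' OR '1'='1", 'anything'));        // the payload is just a literal username
}
```

In index.php the flow becomes: call `session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax'])` (PHP 7.3+) before `session_start()`, then on POST call `authenticate()`; if it returns an id, call `login_user($id)`, send `header('Location: admin.php')` and `exit`. admin.php then needs nothing more than `$userId = require_login();` before its first byte of HTML. Because `login_user()` stores only the numeric id, the `$_SESSION["pass"]` entry from the thread's code disappears; the password has no business being kept server-side after it has been verified.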
This topic is now archived and is closed to further replies.