
sessions being emo ...


nvee


Haha, hey guys

 

Well, I am busy with a project, and find myself stuck with the login script. I don't know sessions very well, and I'm pretty sure that's where the problem is. Here is my code, I will try to explain as I go:

 

 

1) This code goes at the top of each page, it connects to the db, checks if the username is the same as the username set at point number 2. If it's false, it directs the user back to index.php:

 

<?php
if(isset($S_SESSION["id"])) {
session_start();
connectdb();
$username = $_SESSION["username"];
$query = mysql_query("SELECT * FROM ov_users WHERE email = '".$username."'");
$rows = mysql_num_rows($query);
if($rows = 0 || session_id() != $_session["id"]) {
session_destroy();
header("location:index.php");
}
				}

 

 

 

2) This code is the actual code which logs the user in. It includes the form and shows the login if the user is not logged in, otherwise it shows (or should show) the message with the news | profile | logout page.

 

		<?php
		if($_SESSION["active"] == "1") {
			echo "<p>Welcome back ".$result["name"]."! <a href='news.php'>News</a> |<a href='profile.php'>Profile</a> |<a href='logout.php'>Logout</a></p>";
		} else {
		if($_POST["userlogin"] == "submit") {
			$username = $_POST["email"];
			$password = substr(md5($_POST["password"]),0,16);
			connectdb();
			$query = mysql_query("SELECT name, email, password, account_type FROM ov_users WHERE email = '".$email."' AND password = '".$password."' AND account_type = '2'");
			if(!$query) {
				echo "<p>Oops, this is strange ... we cannot seem to log you in at the moment! Please try again in 5 minutes. If this problem occurs again, please contact our support department at <a href='mailto:support@outdoorvillage.co.za'>support@outdoorvillage.co.za</a></p>";
			} 
			$num = mysql_num_rows($query);
			if($num > 0) {
				while($result = mysql_fetch_array($query)) {
				$_SESSION["id"] = session_id();
				$_SESSION["active"] = "1";
				echo "<p>Welcome back ".$result["name"]."! Click <a href='profile.php'>here</a> to view your profile!</a></p>";
				}
			} else {
				echo "<p>The username and password you entered does not exist. Please check your details and try again. | <a href='forgotpass.php'>FORGOT MY PASSWORD</a> | <a href='register.php'>REGISTER A FREE ACCOUNT</a></p>";	
			}
		} else {
			?>
            <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
		<p>
		Email: <input type="text" name="email" />
		Password: <input type="text" name="password" />
		<input name="userlogin" type="submit" value="submit"></input> 
		| Forgot my password
		</p>
		</form>
            <?php
		}
		}
		?>

 

 

 

I get a feeling that my sessions are not registering properly. Once the user is logged in at number 2, it must create a session variable called active. The purpose of this is to use this to activate and de-activate menus which must only be displayed once a user is logged in.

 

The other reason I get this feeling is at point 2 it first checks if $_SESSION[active] == 1, and it should display a menu accordingly, but it doesn't work.

 

Any suggestions? AND can anyone give me some ideas on how to make this more secure?

 

Link to comment
Share on other sites

The code:

<?php
if(isset($S_SESSION["id"])) {
session_start();
connectdb();
$username = $_SESSION["username"];
$query = mysql_query("SELECT * FROM ov_users WHERE email = '".$username."'");
$rows = mysql_num_rows($query);
if($rows = 0 || session_id() != $_session["id"]) {
session_destroy();
header("location:index.php");
}
				}

 

The first line

$S_SESSION["id"]

 

should be

 

$_SESSION["id"]

 

Simple typo...

Link to comment
Share on other sites

The first thing that I'd point out (not having read the FULL code) is that:

 

session_start();

 

should come before any use of sessions,

including if(isset($_SESSION["id"])),

 

As you can't check to see if sessions are open if the sessions haven't been started...

Link to comment
Share on other sites

For what it's worth:

 

I realised that the $_SESSION["username"] was never specified, so it would never get a value. I added it so that once logged in, it will create a new session variable called $_SESSION["username"] = $username.

 

When I click on profile.php - It redirects me back to index.php, which means at least the session variable had to be set for session[id]. However, if I go directly to profile.php without logging in first, it just displays the page. So I think my sessions are a little stuffed. Any suggestions?

Link to comment
Share on other sites

That's because it should be

if (!isset($_SESSION['id'])) { ... }

You want to check if the user hasn't logged in (i.e. the ID session variable hasn't been set) then re-direct to index.php otherwise display the page.

 

You've got it the opposite at the moment.

Link to comment
Share on other sites

The problem is still looming ...

 

And Wolphie ... not entirely ... you see:

 

<?php
session_start();
if(isset($S_SESSION["id"]) {
connectdb();
$username = $_SESSION["username"];
$query = mysql_query("SELECT * FROM ov_users WHERE email = '".$username."'");
$rows = mysql_num_rows($query);
if($rows = 0 || session_id() != $_session["id"]) {
session_destroy();
header("location:index.php");
}
?>

 

It checks if the session ID has been set, then matches the username in the database with the username assigned to the session when the user logs in. The if statement then checks if the username rows does not match OR if the session ID is the same as the session_id() when the session was started. If THAT fails then it reverts back to index.php

 

Anyone else want a shot at it? I'm desperate :)

Link to comment
Share on other sites

Wait, the code posted above is faulty, here is the right one:

 

<?php
session_start();
if(isset($_SESSION["id"])) {
connectdb();
$username = $_SESSION["username"];
$query = mysql_query("SELECT * FROM ov_users WHERE email = '".$username."'");
$rows = mysql_num_rows($query);
if($rows = 0 || session_id() != $_session["id"]) {
session_destroy();
header("location:index.php");
}
}
?>

Link to comment
Share on other sites

FINALLY! I narrowed the problem down to:

 

if($rows = 0 || session_id() != $_session["id"]) {
session_destroy();
header("location:index.php");
}
}
?>

 

More specifically the

 

|| session_id() != $_session["id"]

 

part:

 

My idea was to check if session_id() was in fact the session ID used, to prevent someone from hijacking the id (have security with the username and the correct session). Now why would it not match? I mean they are supposed to be the same, correct?

 

I know I'm doing something wrong, but what?

Link to comment
Share on other sites
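
An added example (not code from any poster in this thread) showing the page guard and the login from the posts above in corrected form. In the posted guard, `$_session` is a different, undefined variable from `$_SESSION` because PHP variable names are case-sensitive, and `$rows = 0 || ...` assigns the result of the `||` to `$rows` instead of comparing, so the redirect branch always runs. Assumptions: a PDO handle replaces the thread's connectdb()/mysql_* calls, and the password column holds password_hash() output rather than the truncated MD5.

```php
<?php
// Added example, not the thread's code. $db is an assumed PDO connection;
// ov_users.password is assumed to store password_hash() output.
// Call session_start() before login(); require_login() starts it itself.

function login(PDO $db, string $email, string $password): bool
{
    // Bound parameter: the submitted e-mail never becomes part of the SQL text.
    $stmt = $db->prepare(
        "SELECT name, email, password FROM ov_users
         WHERE email = ? AND account_type = '2'"
    );
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$user || !password_verify($password, $user['password'])) {
        return false;
    }
    // Issue a fresh session ID at login so an ID known before
    // authentication (session fixation) is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['username'] = $user['email'];
    $_SESSION['name']     = $user['name'];
    $_SESSION['active']   = '1';
    return true;
}

function require_login(PDO $db): void
{
    // $_SESSION is only populated after session_start().
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $ok = false;
    if (isset($_SESSION['username'])) {
        $stmt = $db->prepare("SELECT COUNT(*) FROM ov_users WHERE email = ?");
        $stmt->execute([$_SESSION['username']]);
        $ok = ((int) $stmt->fetchColumn() === 1);  // comparison, not "="
    }
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: index.php');
        exit;  // without this the protected page still renders after the header
    }
}
```

Storing session_id() inside the session and comparing it with session_id() on the next request cannot detect a hijacked ID, since both values come from the same session; regenerating the ID at login is what the example relies on instead.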
