login problems

[sudsy1970]

hi couple of issues with my logon script that could do with some expert help

 

1) i want to put a script on my members page so that you have to be logged in to see it. i came up with the following. which is great but it doesn't change even when i am logged on.

<?php
   ob_start();
   session_start();

// if (!isset($_SESSION["logged_in"]))
  // {
   //  include "template.php";
   //  echo "<h2>You are required to Log in to view this page</h2><br><br>";
   //  echo "<h2>Please use the Links at the top right hand corner of the image</h2><br><br>";
    // exit;
  // }
include "template.php" ;

?>

 

2) i created a member area that i thought would show a login, logout and forgot password link if i wasn't logged in and echo the name of the member would was logged in.  however i never get the logged on name part.

         <div class="member-area">
         
<?php

  if ($_SESSION['logged_in']) {
    
?>
          <!--- start 'member-area' --->
    <ul>
    <li style="font-weight:bold"><?php echo $_SESSION['fullname']?></li>
    <li><a href="customer_logout.php" rel="nofollow">Logout</a> »</li>
    </ul>

<?php

  }
  else {

?>
          <!--- start 'member-area' --->
    <ul>
    <li><a href="customer_login.php" rel="nofollow">Log in</a> »</li>
    <li><a href="customer_create.php" rel="nofollow">Register</a> »</li>
    <li><a href="password_get.php" rel="nofollow">Forgotten password?</a> »</li>
    </ul>

<?php
  }

?>

         </div> <!--- end 'member-area' --->

 

Any one got any suggestions on where i am going wrong?

 

Thanks for looking (full files are in attachments)

 

[attachment deleted by admin]

[coupe-r]

Try single quotes

 

if (!isset($_SESSION['logged_in']))

[sudsy1970]

still got the same problems, but thanks for the suggestions

 

[fred12ned]

Try making a new page and outputting the whole session variables, check if $_SESSION['logged_in'] is set.

<?php
session_start();
echo "<pre>";
var_dump($_SESSION);
echo "</pre>";
?>

 

[sudsy1970]

ok tried that and it returned the magical result of

array(0) {}

.

 

this leads me to think that the login script does not work, would that be correct ?

[sudsy1970]

however thinking about it more, i have included a check to see if the username and password match those stored in a table,see code below

 

# If a username and password has been provided, attempt to log the user into the site

   if (isset($_POST['Username']) && isset($_POST['Password'])) {

       $username = $_POST['Username'];
       $password = $_POST['Password'];
   
   # Query the database to see if the username and password supplied match

       $sql = "SELECT CONCAT(FirstName, ' ',LastName) AS Name
               FROM user
               WHERE UserName = '$username' AND Password = PASSWORD('$password')";

       $result = mysql_query($sql) or die('Query failed. ' . mysql_error());

 

so surely it would fail at this point and not proceed to the header relocation part

[Pikachu2000]

 

so surely it would fail at this point and not proceed to the header relocation part

 

Only if the query actually failed to execute. Otherwise, the query will return a result regardless of whether the username and password match a record. You need to check what that result is before proceeding. You should also be sanitizing all user-supplied values before placing them in a query string, BTW. Also, make sure there is a session_start(); at the head of the script somewhere . . .

 

<?php
# If a username and password has been provided, attempt to log the user into the site

if (isset($_POST['Username']) && isset($_POST['Password'])) {
   $username = $_POST['Username'];
   $password = $_POST['Password'];
   # Query the database to see if the username and password supplied match
   $sql = "SELECT CONCAT(FirstName, ' ',LastName) AS Name FROM user WHERE UserName = '$username' AND Password = PASSWORD('$password')";
   $result = mysql_query($sql) or die('Query failed. ' . mysql_error());
   if( mysql_num_rows($result) == 1 ) {
      // query returned exactly one row; OK to proceed, and set the $_SESSION vars.
   } else {
      // if result is anything other than exactly one row, username doesn't exist, 
      // or results are ambiguous, so login can't proceed.
   }
}
?>

[sudsy1970]

Can you believe it, no session start, wot a plonker, cheers matey.

 

So now my logout does not work, it does redirect me but if i click on the members page it still shows me as being logged in, it's very simple but have a feeling i should have a session destroy in there somewhere, it's just i know the header function won't work then.

 

any help gratefully accepted.

 

<?php

// Set the session variable to show the user is NOT logged in
  
  $_SESSION['logged_in'] = false;

  $_SESSION['username'] = "";

  $_SESSION['fullname'] = "";

// Redirect the user to the home page

  header( 'Location: index.php' ) ;

?>

[sudsy1970]

Ok i think that it has something to do with not clearing the Cache, although i am not really sure how to test that.

 

Answers on a postcard to.......

[Pikachu2000]

Generally, this will do it; might need to reset a cookie too, depending if one was set. And remember to include a session_start(); in *all* scripts that will access any type of $_SESSION data.

 

session_start();
$_SESSION = array();
session_destroy();
header('Location: index.php'); // can be whatever you want. logged_out.php, etc.
exit();