
Double logins


TapeGun007


I have a strange issue that I cannot duplicate, so I'm wondering if someone here will see what's going on.

 

When I login to the website, I have no issues.  My wife has no issues.  But two people across the country are having issues.  So far, they are the only ones that I know of.

 

The code checks the database to see if they are an active account and sets a session.  It also checks to see if they are admin and sets a session id for that as well.  Assuming they are both set correctly this is how I set the Sessions:

 

$_SESSION['Active'] = "yes";
$_SESSION['Admin'] = $row['Admin']; // Assume that they are an admin and this is correct

 

My menu is set up so that it expands if a person is set in the db as an admin.  So the code obviously sees her as an admin when she logs in because she sees the admin options.  I have this code at the top of the admin pages for security purposes:

 

<?php if ($_SESSION['Admin']!=="yes"){header('Location:../login.php'); exit; /* stop so the admin page is not rendered after the redirect */ } ?>

 

The result is that she logs in once, sees the admin options, and clicks one of them.  It then redirects her back to the main login page.  Then she logs in a 2nd time, sees the admin menus, and clicks one of them and everything works fine.

 

Could it be something that I have done above, or something more browser specific?

 

 

Link to comment
Share on other sites

I may be wrong, but shouldn't it be only one equals sign in your test for Admin ?

 

!= rather than !==

 

?

 

What I always do when something strange happens, is to make a mickey-mouse program to test what is going on.....

 

something like

if ($_SESSION['Admin'] == 'Admin') { echo '<br> you are admin'; }

Link to comment
Share on other sites

Yes, she does have cookies enabled, but that's useless since I'm not using cookies.  She tried the website in Safari, Mozilla, which have this double login issue, but MSIE does not.

 

I was able to duplicate the problem on my computer using the latest version of Chrome (this doesn't happen in MSIE for me either).  I can log in as a regular member, only logged in members can see the calendar from the menu.  But once I click on the calendar, it goes back to the login screen.  A 2nd login allows me to click on Calendar again, and it works fine.

 

It's not an operator error such as != or whatever, because even this causes it to trigger a 2nd login:

 

<?php if (!isset($_SESSION['Active'])) { header('Location:login.php'); exit; } ?>

 

I have an include file that creates the top of the website, then a menu that detects if you are "Active" or not after reading the database.  This code is included on every single webpage.

<?php
		if ($_SESSION['Active']<>"yes") {
	?>
            	<li><a href="login.php"><span>Login</span></a></li>
	<?php
		}
		else {
	?>
		<li><a href="download_search.php" title="Downloads" rel="dropmenu1_c"><span>Downloads</span></a></li>
		<li><a href="calendar.php" title="Calendar"><span>Calendar</span></a></li>	
		<li><a href="#" title="My Account" rel="dropmenu2_c"><span>My Account</span></a></li>
.
.
.
}

 

So as you can see, the code ONLY shows the Calendar menu option if and only if you are logged in.  When I log in, I can see and click on the Calendar href link.  But apparently, when I click on the calendar option the first line of code in calendar.php causes me to re-login:

 

<?php if (!isset($_SESSION['Active'])) { header('Location:login.php'); exit; } ?>

 

Here is the first several lines of code for my login.php:

 

<?php session_start(); ?>
<?php
include("components/dbconnection.php");
 /* Just check to see if the email field on the form is set */
 if (isset($_POST["User_Email"])){
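    /* Escape both values before they are placed inside the quoted SQL string */
    $UserEmail = mysql_real_escape_string($_POST["User_Email"]);
    $Password = mysql_real_escape_string($_POST["User_Password"]);
    $result = mysql_query("SELECT * FROM Members WHERE Email='$UserEmail' AND Pword='$Password'");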
	while($row = @mysql_fetch_array($result))
    {
       if ($row['Active']=="yes" || $row['Active']=="guest")
       {
   	     /* Set the User_ID for later use to check and see if they are in leadership */
   	     $UserID=$row['MemberID'];
	     /* Set cookies to identify the user without accessing the database again */
		 $_SESSION['MemberID'] = $row['MemberID'];
		 $_SESSION['Active'] = "yes";
		 $_SESSION['FirstName'] = $row['FirstName'];
		 $_SESSION['LastName'] = $row['LastName'];
.
.
.
}
Else
   	   {
   	      $Error="<span class='error'>Your login is correct, however, your account is currently not activated.  Please contact an administrator.</span>";
   	   }   

 

I sure hope someone can help me figure this out.  I have no clue where to begin!

Link to comment
Share on other sites

While I will not be of much help, I had the very same issue about 2 months ago.  In both Firefox and IE it was recognizing the session after login, but then dropping it as the user went to the next page and making the person sign in again.  Once signed in again, there was not a problem until the browser was closed.  Then it would repeat itself.  Complained to my server host and they put a php.ini file in my public_html but did not tell me the changes they made.  Solved the problem for a while and now it is back.

 

I believe it has something to do with the server's cache and random dumps triggered by an unknown process.

 

I have tried everything and searched and searched for an answer.  Looking on the net- we are not alone in this problem.

Link to comment
Share on other sites

The domain isn't changing at all is it? Like http://domain.com versus http://www.domain.com

 

What do you mean exactly?  ... the only time something changes... well for example, in my include file, all images and html links are the full domain http://www.mydomain.com, but in the main code, it's just a direct HREF link like login.php instead of http://www.mydomain.com/login.php.  But I don't see how that affects anything.

Link to comment
Share on other sites

A session variable established when the site is accessed with the www prefix will not be accessible if the site is accessed without the www prefix unless a setting is toggled in the php.ini file. Keep an eye on the address bar to make sure it remains constant during the login process.

Link to comment
Share on other sites

A session variable established when the site is accessed with the www prefix will not be accessible if the site is accessed without the www prefix unless a setting is toggled in the php.ini file. Keep an eye on the address bar to make sure it remains constant during the login process.

 

Why would this work fine in MSIE and not Chrome?  The sessions are all set and read the same.

Link to comment
Share on other sites

As a side-note to the above, why are you not storing encrypted passwords on your database?  :confused:

 

More than likely because I don't know how.  I'm fairly new to php and MySQL.  :)

 

Back to the main point here, I see lots of issues people getting double logins and such on Google.  Unfortunately, nothing they have suggested is working so far.

Link to comment
Share on other sites
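
An added example (not part of any post in this thread) of storing and checking hashed passwords for the Members table shown in login.php, with the query parameters bound instead of interpolated. It assumes a PDO connection and that the Pword column is widened to VARCHAR(255); the function names are hypothetical.

```php
<?php
// Added example, not the poster's code. Column names come from the thread;
// set_password(), check_login() and log_in() are hypothetical helpers.

// Store a new or changed password: only the salted hash reaches the database.
function set_password(PDO $db, int $memberId, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE Members SET Pword = :hash WHERE MemberID = :id');
    $stmt->execute([':hash' => $hash, ':id' => $memberId]);
}

// Returns the member row (without the hash) on success, null on any failure.
function check_login(PDO $db, string $email, string $password): ?array
{
    // The bound placeholder keeps the e-mail value out of the SQL text.
    $stmt = $db->prepare(
        'SELECT MemberID, Pword, Active, Admin, FirstName, LastName
           FROM Members WHERE Email = :email'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() re-derives the hash using the salt stored inside Pword.
    if ($row === false || !password_verify($password, $row['Pword'])) {
        return null;
    }
    // Re-hash transparently when PHP's default algorithm or cost has changed.
    if (password_needs_rehash($row['Pword'], PASSWORD_DEFAULT)) {
        set_password($db, (int) $row['MemberID'], $password);
    }
    unset($row['Pword']);   // the hash never travels into the session
    return $row;
}

// Fills the session the way login.php does; session_start() must already have run.
function log_in(array $row): bool
{
    if ($row['Active'] !== 'yes' && $row['Active'] !== 'guest') {
        return false;       // correct credentials, account not activated
    }
    session_regenerate_id(true);   // fresh session ID once the user is authenticated
    $_SESSION['MemberID']  = $row['MemberID'];
    $_SESSION['Active']    = 'yes';
    $_SESSION['Admin']     = $row['Admin'];
    $_SESSION['FirstName'] = $row['FirstName'];
    $_SESSION['LastName']  = $row['LastName'];
    return true;
}
```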

I am not sure what is causing the issue, have not seen it happen before.

 

In all the user login systems I have created I have used cookies.  Without the use of cookies your users can't 'remain logged in', as when they close their browser their logged in session in your system will be terminated.  This might not actually solve your problem, but it is an alternative if you wanted to explore it?  8)

Link to comment
Share on other sites

In all the user login systems I have created I have used cookies.  Without the use of cookies your users can't 'remain logged in', as when they close their browser their logged in session in your system will be terminated.

 

In most instances, as a security issue, I prefer that the session or login be terminated when the user closes the browser and walks away from the computer.  Just another way of doing something.

Link to comment
Share on other sites

Pikachu2000 was correct.  I set the redirect in the header to have the full domain name and the issue went away.  I thought I had caught everything prior, but missed one header. 

 

I now have rid myself of double log ins.  The interesting thing is, however, once that session is started, and the page redirects the person, I never need to worry about whether that link has the full domain name in it again.  Every other page works just fine.  Not sure why php is so inconsistent like that, but, at least it's fixed.

 

Hope this helps someone in the future.

 

So... the fix was, after a user logged in (email and password verified), I changed the header.  This is the code that did NOT work:

header('Location:index.php');  

 

Changed to:

 

header('Location:http://www.mydomain.com/index.php');  

Link to comment
Share on other sites
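
An added example (not part of any post in this thread) of the underlying mechanism: PHP keeps the session ID in a cookie, and by default the browser returns that cookie only to the exact hostname that set it, so a session started on mydomain.com is missing on www.mydomain.com. The include below sends every request to one hostname before the session starts; the constant and function names are hypothetical, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not the poster's code. CANONICAL_HOST, canonical_redirect(),
// start_site_session() and require_login() are hypothetical names.
const CANONICAL_HOST = 'www.mydomain.com';   // placeholder domain used in the thread

// Returns the URL to redirect to, or null when the request is already on the canonical host.
function canonical_redirect(string $host, string $requestUri, string $scheme): ?string
{
    $host = strtolower(preg_replace('/:\d+$/', '', $host));   // drop an optional port
    if ($host === CANONICAL_HOST) {
        return null;
    }
    // Build the target from the constant, never from the client-supplied Host header.
    $path = ($requestUri !== '' && $requestUri[0] === '/') ? $requestUri : '/';
    return $scheme . '://' . CANONICAL_HOST . $path;
}

// Call first on every page, before any output.
function start_site_session(): void
{
    $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $scheme = $https ? 'https' : 'http';
    $target = canonical_redirect($_SERVER['HTTP_HOST'] ?? '', $_SERVER['REQUEST_URI'] ?? '/', $scheme);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;   // no session cookie is ever issued on the non-canonical host
    }
    session_set_cookie_params([
        'lifetime' => 0,      // session ends when the browser closes
        'path'     => '/',
        'domain'   => '',     // host-only cookie, valid for CANONICAL_HOST alone
        'secure'   => $https,
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Guard for member-only pages such as calendar.php.
function require_login(): void
{
    if (($_SESSION['Active'] ?? '') !== 'yes') {
        header('Location: /login.php');
        exit;   // without exit the protected page is still rendered and sent
    }
}
```

The php.ini directive that controls this scope is session.cookie_domain; setting it to .mydomain.com makes the session visible on both hostnames but also on every other subdomain, so redirecting to one canonical host is the narrower fix.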
