HELP - Login Script Keeps Logging Me Out When I Click a Link

[Stebner55]

I've used a really simple login script that I found from doing a quick google search.

It worked fine for a month,

then started logging me out everytime I clicked on a link to another secured page.

I never changed anything and just checked my script with the one online and don't see anything different.

I'll post my script here and then maybe you guys can help...i contacted the host and they said nothing changed on the server end but I question that...

 

here's my login.php

 

<?php

 

$con = mysql_connect("db****.****.net","db******","pass***");

if (!$con)

  {

  die('Could not connect: ' . mysql_error());

  }

 

mysql_select_db("db********", $con);

 

$result = mysql_query("SELECT * FROM users");

while($row = mysql_fetch_array($result))

  {

$adminuser = $row['username'];

$adminpass = $row['password'];

}

mysql_close($con);

 

 

function loginpage($error) {

echo "<html>\n<head>\n<title>Admin panel - Please login</title>\n";

echo "</head>\n<body>\n";

echo "<table style='width:100%;height:100%;'>\n<tr>\n<td align='center'>\n";

echo "<form action='" . $_SERVER['REQUEST_URI'] . "' method='post'>\n";

echo "<table border='1' width='300' cellspacing='0' cellpadding='4'><tr>\n";

$formtitle = "Admin panel - Please login";

if($error) $formtitle = "Wrong credentials!";

echo "<th colspan='2'>" . $formtitle . "</th>\n";

echo "</tr><tr>\n";

echo "<td><p><b><label for='username'>Username:</label></b></p></td>\n";

echo "<td><input type='text' name='username' id='username' size='30'></td>\n";

echo "</tr><tr>\n";

echo "<td><p><b><label for='password'>Password:</label></b></p></td>\n";

echo "<td><input type='password' name='password' id='password' size='30'></td>\n";

echo "</tr><tr>\n";

echo "<td><b>Login:</b></td>\n";

echo "<td><input type='submit' value=' Login » ' name='login'></td></tr></table></form>\n";

echo "</td>\n</tr>\n</table>\n</body>\n</html>";

exit;

}

 

$username = $_POST['username'];

$password = $_POST['password'];

$login    = $_POST['login'];

 

session_start();

if($_SERVER['QUERY_STRING'] == "logout") {

unset($_SESSION['authuser']);

header('Location: index.php');

exit;

}

if($_SESSION['authuser'] != $adminuser) {

if(!$login) {

loginpage(false);

}

elseif(($username != $adminuser) || ($password != $adminpass)) {

loginpage(true);

}

else {

$_SESSION['authuser'] = $adminuser;

header("Location: " . $_SERVER['REQUEST_URI']);

}

}

// else we enter the restricted area

session_write_close();

?>

 

 

then on each page that needs authentification I put this code...

 

<?php require_once("login.php");

 

$authuser = $_SESSION['authuser'];

 

?>

 

 

so as you can see there is no time limit that automatically logs you out...i have no idea why this keeps occurring.

Any help?

[Pikachu2000]

Does anything about the domain name change when you click a link, such as changing from http://www.comain.com to http://domain.com, or any other differences?

[Stebner55]

I don't think anything changed since the time that it worked before but let me take a look...

ok so i looked and i don't think so...i'm gonna set up a temporary password and let you login and take a look at what happens...k?

www.plusultraradio.com/admin

username : admin

password: admin

[Pikachu2000]

I believe there's something not right about this block:

$result = mysql_query("SELECT * FROM users");
while($row = mysql_fetch_array($result)) {
$adminuser = $row['username'];
$adminpass = $row['password'];
}

 

All that does is store the username and password of the last record retrieved from the users table, then compare it to what's entered in the form. I almost want to say there is supposed to be another DB table that holds nothing but the admin username and password, and that would be what is queried above. Another possibility is that you're supposed to edit the query string, adding a WHERE clause to indicate the user id that belongs to the admin user. I can't be certain of either of those, but that's how it looks right now.

[Stebner55]

don't get to caught up on that part of the script. originally i just had it define the username and password right then and there and i had the problem at that time. for the sake of security i put the username and password in the database and there is only one record so it's ok to query the database for all records there...cuz like i said...there's only 1

the problem lies elsewhere..

[Pikachu2000]

1) Move session_start() to the first line after the opening <?php tag

2) turn on error reporting, either in your php.ini file, or if you can't do it that way, put this:

ini_set('display_errors' 1);
error_reporting(-1);

between the <?php tag and session_start() in this script, and at the head of the other scripts you need to test.

 

Then see what happens.

[Stebner55]

that ruined it. It stays logged in regardless without logging in.

[Stebner55]

I put it back and that fixed it...weird... lol i appreciate you trying to help!

[Pikachu2000]

I don't see how it could, but OK.

[Stebner55]

Exactly my confusion lol.

I put that part back in it's original spot, uploaded, and it fixed it.

I don't know why it was messed up, I don't know how that fixed it.

It doesn't make sense, but I guess I can't complain...it's good now lol.

[Stebner55]

WTF it's doing it again. It worked for a couple hours tho. Could it have to do with my partner logging in from another computer and not logging out?

[Stebner55]

now it's working. something is weird here. what could cause sessions to act up?