Login session code not working

[coolcam262]

Hello, for some reason I am unable to get the following code to work:

 

<?php
echo "<h1>Login</h1>";

if ($_SESSION['uid']) {
    echo "    You are already logged in, if you wish to log out, please <a href=\"./logout.php\">click here</a>!\n";
} else {

if (!$_POST['submit']) {	
	echo "<table border=\"0\" cellspacing=\"3\" cellpadding=\"3\">\n";
	echo "<form method=\"post\" action=\"./login.php\">\n";
	echo "<tr><td>Username</td><td><input type=\"text\" name=\"username\"></td></tr>\n";
	echo "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n";
	echo "<tr><td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"submit\" value=\"Login\"></td></tr>\n";
	echo "</form></table>\n";
}else {
	$user = addslashes(strip_tags(($_POST['username'])));
	$pass = addslashes(strip_tags($_POST['password']));
        
            if($user && $pass){
                $sql = "SELECT id FROM `users` WHERE `username`='".$user."'";
                $res = mysql_query($sql) or die(mysql_error());
                if(mysql_num_rows($res) > 0){
                    $sql2 = "SELECT id FROM `users` WHERE `username`='".$user."' AND `password`='".md5($pass)."'";
                    $res2 = mysql_query($sql2) or die(mysql_error());
                    if(mysql_num_rows($res2) > 0){

					$query = mysql_query("SELECT locked FROM `users` WHERE `username`='".$user."'");
					$row2 = mysql_fetch_assoc($query);
					$locked = $row2['locked'];

					$query = mysql_query("SELECT active FROM `users` WHERE `username`='".$user."'");
					$row3 = mysql_fetch_assoc($query);
					$active = $row3['active'];

					$query = mysql_query("SELECT email FROM `users` WHERE `username`='".$user."'");
					$row3 = mysql_fetch_assoc($query);
					$email = $row3['email'];


					if ($active ==1){

						if ($locked == 0){

						$date = date("j")."<sup>".date("S")."</sup> ".date("F, Y");

						mysql_query("UPDATE users SET last_login='$date' WHERE username='$user'");

						$row = mysql_fetch_assoc($res2);
						$_SESSION['uid'] = $row['id'];
						$previous = $_COOKIE['prev_url'];
						echo "    You have successfully logged in as " . $user . "<br><br><a href='" . $previous . "'>Click here</a> to go to the previous page.\n";
						}else
							{
							echo "Your acount has been locked out due to a violation of the rules, if you think there has been a mistake please <a href='contact.php'>contact us</a>.";
							}
					} else {
						echo "You need to activate your account! Please check your email ($email)";
						}
			   }else {
                        echo "    Username and password combination are incorrect!\n";
                    }
                }else {
                    echo "    The username you supplied does not exist!\n";
                }
            }else {
                echo "    You must supply both the username and password field!\n";
            }
}

}
?>

 

It says that I have logged in successfully but the session is not created. You can find the script here and log in with the username "test" and the password "testing". I'm not sure what more information I should add.

 

Thanks,

Cameron

[Eyewash01]

You haven't started the session anywhere - to utilise session variables you must have the following on the page (preferably at the top, or in an external includes file)

 

<?php
  session_start();
?>

[Eyewash01]

I would also suggest using seperate processing pages for page actions.  For example, if you had a login page, you would want a mainly HTML based page displaying the login form, which has an action pointing at a seperate PHP based processing page, which then redirects back to either the login page if unsuccessful, or elsewhere if successful.

 

<!-- Login page (login.html) -->
<html>
  <body>
    <form action="/procs/login_proc.php" method="post">
      <!--  login form stuff here -->
    </form>
  </body>
</html>

 

<?php
  // PROCESSING PAGE - login_proc.php
  
  // if details are incorrect:
     header("Location: ../login.html");
  // if details are correct:
    header("Location: ../admin.php")
?>

 

This stops the annoying thing of people pressing F5 on pages and it asking if you want to repost data etc

[nicholasolsen]

This stops the annoying thing of people pressing F5 on pages and it asking if you want to repost data etc

 

The user should not be able to visually see the login page after the user has actually logged in, so the F5 example your mentioned wont be a concern.

When the user is logged in, simply use header to redirect them to the index or whereever.

If the user has entered wrong details (email / pw), simply show redirect them to the login form once more......

 

header('Location:www.url.com');

 

To sum up: Keep the login form and php login code in the same file, dont split them... Easier to keep track of in one simple file.

[Eyewash01]

 

The user should not be able to visually see the login page after the user has actually logged in, so the F5 example your mentioned wont be a concern.

 

 

Yes but as you say, if their details are incorrect, then they are directed back to the login page - therefore if the processing is on the same page, hitting F5 will post the data again.  Not necessarily a bad thing in this instance as it will simply try to log them in using the same details again, however in other situations where the processing code is doing something more "destructive" (e.g. writing to a database), then it is best to keep processing away from the mercies of the user refresh!

[coolcam262]

I have tried adding session start to the top of my header page without success so I wil try re-writing the code as you sugested later to today but I don't understand why this would work.

 

Thanks

[coolcam262]

I found something I was doing wrong, I included header.inc when I was editing header.php! I still have an error message though:

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /hermes/bosweb/web035/b357/ipg.projectstratoscom/header.inc:2) in /hermes/bosweb/web035/b357/ipg.projectstratoscom/header.inc on line 3

 

Isn't that basically saying you can't include it there because you've already included it there!?  Well this line 3 is just session_start(), what's going on?!

 

Thanks,

Cameron

[PFMaBiSmAd]

Since the session_start() statement is on line 3 in header.inc, what are lines 1 and 2 of header.inc?

[coolcam262]

This is the whole of header.INC (emphasis on the inc  ):

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<?php
session_start();
include "global.php";

$sql5 = "SELECT * FROM comments WHERE `pending_approval`='1'";
$res5 = mysql_query($sql5) or die(mysql_error());

$new_comments = mysql_num_rows($res5);

$sql6 = "SELECT * FROM posts WHERE `pending_approval`='1'";
$res6 = mysql_query($sql6) or die(mysql_error());

$new_posts = mysql_num_rows($res6);

$new_admin = $new_comments + $new_posts;
$new_mod = $new_comments;
?>

<html>
<head>
<title>Project Stratos</title>
<link rel="stylesheet" type="text/css" href="style.css" />

</head>
<body>
<div style="text-align: center;">
<div id="wrapper">
	<!--Menu-->
	<div id="menu">
		<ul id="menubar">
			<li><a href="http://projectstratos.com/index.php">Home</a></li>
			<li><a href="http://projectstratos.com/blog.php">Blog</a></li>
			<li><a href="http://projectstratos.com/forum">Forum</a></li>
			<li><a href="http://projectstratos.com/about.php">About</a>
				<ul>
				<li><a href="http://projectstratos.com/contact.php">Contact</a></li>
				<li><a href="http://projectstratos.com/history.php">History</a></li>
				<li><a href="http://projectstratos.com/forum/faq.php">FAQ</a></li>
				</ul>
			</li>

			<?php
			////Login logout or register///////
				if ($_SESSION['uid']) {					
					echo "<li><a href=\"http://projectstratos.com/logout.php\">Logout</a></li>";
				} else{					
					echo "<li><a href=\"http://projectstratos.com/login.php\">Login</a></li>";
					echo "<li><a href=\"http://projectstratos.com/register.php\">Register</a></li>";
				}

				$sql = "SELECT * FROM `users` WHERE `id`='".$_SESSION['uid']."'";
                    $res = mysql_query($sql) or die(mysql_error());
				if(mysql_num_rows($res) != 0){
					$row = mysql_fetch_assoc($res);
						if($row['admin'] == '1'){
							if($new_admin == '0'){
								echo "<li><a href=\"http://projectstratos.com/admin.php\">Admin</a></li>";
							} else {
								echo "<li><a href=\"http://projectstratos.com/admin.php\">Admin (".$new_admin.")</a></li>";
							}
						}

						if($row['admin'] == '2'){
							if($new_mod == '0'){
								echo "<li><a href=\"http://projectstratos.com/admin.php\">Admin</a></li>";
							} else {
								echo "<li><a href=\"http://projectstratos.com/admin.php\">Admin (".$new_mod.")</a></li>";
							}
						}
				}
			////End Login logout or register///
			?>

		</ul>
	</div>
	<!--End Menu-->
	<table>
		<tr>
			<td id="content_wrapper" border="0">
				<table>
					<tr>
						<td id="content_cell">
							<div id="body_content">

[PFMaBiSmAd]

Line 1 of header.in is HTML (specifically the HTML doctype) that is sent to the browser.

 

You must put the session_start() statement before any characters are sent to the browser.

[coolcam262]

Thanks! This has fixed everything but the phpbb3 forum. I tried intergrating it and it stopped working however even once I had completely reinstalled it it still didn't work! This is the the empty forum, you can login with the username of test and the password of testing. Your login details will be confirmed and you can navigate the site but then you will be logged out again seconds afterwards. Why?!

 

Thanks

[coolcam262]

Anyone?!

[PFMaBiSmAd]

This is the the empty forum, you can login with the username of test and the password of testing.

 

^^^ No, you can't. Did you try logging in as the test user?

[coolcam262]

You can now, don't worry about the intergration, I'll fix that later.

 

Username: test

password: testing4

 

Thanks,

Cameron

[PFMaBiSmAd]

And the current problem is???

[coolcam262]

When you log in you are immediately, if not then after a few seconds, logged out!

[PFMaBiSmAd]

The 'test' user stays logged in for me (on the phpbb pages and in going to your main page and back to the forum), however, it appears that php is configured on your system to put the session id on the end of the URL, while phpbb is using a session id cookie.

 

I'm going to guess if you are having a problem staying logged in that either you are switching back and forth between URL's that have and don't have the www. on them or your browser is not configured to accept cookies or you have a corrupted or invalid cookie from some previous testing and should delete it/them and try again.

[coolcam262]

Well, could try waiting 10 seconds as this is not the problem, I have tried it on different computers. The problem is that it doesn't stay logged in, no matter what the url is, you can log into the forum and go to another part of the site or even just refresh the page and you are still logged out.

 

Thanks,

Cameron

[PFMaBiSmAd]

From my post in reply #14 in this thread (~ 1 hour ago), up until right before I typed this reply, I have remained logged in as the 'test' user and have even closed my browser completely, twice, and have taken the time to navigate to some of the admin pages.

 

You are going to need to investigate what is happening with the session id in your browser and I both recommend that you make an account separate from the 'test' one to do so because someone else being logged in as that user might be kicking you off and that you change the test user (or at least change the password) so that it is not an administrator to the script so that all the people that have read this thread don't take over your site.

[coolcam262]

Okay but what browser are you using, I have tried this both in firefox and ie on three seperate computers, one of them is not even connected to the same network! Is there anything I could try? And just to confirm, you are using the phpbb3 login page and not my sites?

[PFMaBiSmAd]

I'm using the latest Firefox 3.6.15 under Windows XP and yes I went to the http://projectstratos.com/forum link you posted above, which redirects to http://www.projectstratos.com/forum/

[coolcam262]

That's strangee, I'm using firefox 3.6 but on windows 7, I doubt it would make a difference so could someone else try? Oh and before you ask I have deleted my cache!  This problem has been persistant for over a week now.

[coolcam262]

Anyone? 

[coolcam262]

bump- I just need someone else to test the login at projectstratos.com/forum as all the computers I have tried it on it doesn't work! PLEASE!  :'(

[coolcam262]

I've got other people to test it in firefox, chrome and ie and it doesn't work on any of them. Why does it work on yours and noone elses?!