paulus4605 Posted August 29, 2011

I'm using a login form which allows me to enter the pages as a member only. The only thing that I need to do is to include the file safe.php, and the user has to log in in order to see the content of this page. So far so good.

If I use my subscription forms (spread over 2 pages), the first page can be filled in properly. However, when I come to the second page (where I included safe.php as well; I think I lose the session ID that I got after logging in the first time) I am redirected to the login page, which I don't want. How can I avoid this?

This is the content of safe.php:

```php
<?php
// Page: safe.php: include this at the top of a page if you want to secure it
include("config.php");
if(isset($_SESSION['user_id'])) {
  // Login correct, update last active in db
  $sql = "UPDATE gebruikers SET lastactive=NOW() WHERE id='".$_SESSION['user_id']."'";
  mysql_query($sql);
}else{
  if(isset($_COOKIE['user_id'])) {
    $sql = "SELECT wachtwoord,status FROM gebruikers WHERE id='".$_COOKIE['user_id']."'";
    $query = mysql_query($sql);
    $rij = mysql_fetch_object($query);
    $dbpass = htmlspecialchars($rij->wachtwoord);
    $dbstatus = htmlspecialchars($rij->status);
    if($dbpass == $_COOKIE['user_password']) {
      $_SESSION['user_id'] = $_COOKIE['user_id'];
      $_SESSION['user_status'] = $dbstatus;
    }else{
      setcookie("user_id", "", time() - 3600);
      setcookie("user_password", "", time() - 3600);
      echo "Cookies incorrect. Cookies verwijderd.";
      header("Location: inloggen.php");
    }
  }else{
    header("Location: inloggen.php");
  }
}
?>
```

PFMaBiSmAd Posted August 29, 2011

Where's your session_start() statement?

Also, you need an exit; statement after those header() redirects to prevent the remainder of the code on your 'protected' page from being executed when a hacker ignores the redirect.
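
An added example, not code from the thread: a guard that stops the script right after the redirect, as the reply above advises. `require_login()` and `redirect_and_stop()` are hypothetical names; `inloggen.php` and `$_SESSION['user_id']` are taken from the posted safe.php, and the numeric-ID check is an assumption about the `gebruikers` table.

```php
<?php
// Added example (not from the thread); function names are hypothetical.
declare(strict_types=1);

function redirect_and_stop(string $url): void
{
    // A Location header is only a request to the client. A client that
    // ignores it still receives everything the script outputs afterwards,
    // so the script itself has to stop here.
    header('Location: ' . $url, true, 302);
    exit;
}

function require_login(string $loginPage = 'inloggen.php'): int
{
    // Make sure the session is available even if the including page
    // forgot to start it.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Assumption: user ids are positive integers. Anything else is treated
    // as "not logged in" instead of being passed on to a query.
    $id = $_SESSION['user_id'] ?? null;
    if ($id === null || !ctype_digit((string) $id)) {
        redirect_and_stop($loginPage);
    }
    return (int) $id;
}

// At the very top of a protected page, before any output:
$userId = require_login();
echo 'Member-only content for user ' . $userId;
```

Because the guard exits, nothing after `require_login()` runs for an unauthenticated request, whether or not the client follows the redirect.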

paulus4605 (Author) Posted August 29, 2011

The session start is mentioned in the config.php.

paulus4605 (Author) Posted August 29, 2011

This is the detail of the config.php:

```php
<?php
// Do you start your sessions/cookies somewhere else yourself? Then comment out the following two lines (# or //)
session_start();
ob_start();

// We turn error reporting off; it isn't very tidy to show errors to your visitors
ERROR_REPORTING(0);

// MySQL
$db_user = "*******"; // MySQL user
$db_pass = "*******"; // MySQL password
$db_host = "localhost"; // MySQL host; default localhost
$db_db = "*******"; // Database

// If you have already made a database connection somewhere else,
// then comment out the following two lines (put # or // in front)
mysql_connect($db_host,$db_user,$db_pass);
mysql_select_db($db_db);

// Settings
$loginpage = "useropties.php"; // Page the user is sent to once logged in
$forgoturl = "http://berknet.be.funpic.de/voorbeelden/inlogsysv2/"; // Full URL to the login system, for activating a forgotten password, with trailing /
$sitenaam = "Groot Inlogsysteem v2"; // Name of your site; used, among other things, when sending mail
$sitemail = "inlogsys@berknet.tk"; // Sender of outgoing mail
?>
```

PFMaBiSmAd Posted August 29, 2011

```php
ERROR_REPORTING(0);
```

By setting error_reporting to zero, you are hiding any php errors that would help tell you why your code is not working.

```php
ob_start();
```

By using output buffering and performing a header() redirect, any php errors that would have been reported and displayed on that page will be lost.

When developing and debugging php code, you need to have error_reporting set to E_ALL and display_errors set to ON and you need to get all output buffering statements out of your code.

Edit: If you are going to set the error_reporting/display_errors settings in your script (for debugging purposes), you need to set them immediately after the first opening <?php tag on your main page that is being requested so that any errors in all the code on that page will be reported and displayed. Putting them inside included files won't help if there is a problem including that file.

AyKay47 Posted August 29, 2011

As PFM stated, you are hiding the errors that can potentially help you solve this issue. Also, I see that you start output buffering, but where do you flush the data?

the182guy Posted August 29, 2011

Storing the user ID and password in cookies is a bad idea, why have you chosen this approach?
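
An added example, not code from the thread: one common alternative to the `user_id`/`user_password` cookies questioned above is a random, single-use "remember me" token, of which the server keeps only a hash. The class and method names are hypothetical, and the in-memory array stands in for a database table.

```php
<?php
// Added example (not from the thread). All names are hypothetical and the
// array below stands in for a database table.
declare(strict_types=1);

final class RememberTokens
{
    /** @var array<string, array{user_id:int, hash:string, expires:int}> */
    private array $rows = [];

    // Returns the cookie value "selector:validator". Only a hash of the
    // validator is stored, so a leaked table cannot be replayed as cookies.
    public function issue(int $userId, int $ttl = 1209600): string
    {
        $selector  = bin2hex(random_bytes(9));
        $validator = bin2hex(random_bytes(32));
        $this->rows[$selector] = [
            'user_id' => $userId,
            'hash'    => hash('sha256', $validator),
            'expires' => time() + $ttl,
        ];
        return $selector . ':' . $validator;
    }

    // Returns the user id for a valid cookie value, otherwise null.
    public function redeem(string $cookie): ?int
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || !isset($this->rows[$parts[0]])) {
            return null;
        }
        $row = $this->rows[$parts[0]];
        unset($this->rows[$parts[0]]); // single use: issue a fresh token on success
        $given = hash('sha256', $parts[1]);
        if ($row['expires'] < time() || !hash_equals($row['hash'], $given)) {
            return null;
        }
        return $row['user_id'];
    }
}

// Constructed demo: issue a token for user 42, redeem it, then replay it.
$store  = new RememberTokens();
$cookie = $store->issue(42);
var_dump($store->redeem($cookie));  // first use of the token
var_dump($store->redeem($cookie));  // replay of the same value
var_dump($store->redeem('bogus'));  // malformed cookie
```

The cookie never contains the password or anything derived from it, and `hash_equals()` compares the stored and presented hashes in constant time.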