login form with sessions

[paulus4605]

I'm using a login form which allows me enter the pages as member only

the only thing that I need to do is to include the file safe.php and the user has to login in order to see the content of this page. so far so good.

 

if I use my subscription forms ( spread over 2 pages) the first page can be filled in properly however when I come to the second page (where I included the safe.php aswell I think I loose the session ID that I got after logging in the first time) I am redirected to the login page which I don't want. how can I avoid this?

 

this is the  content of safe.php

<?php
// Pagina: safe.php: Includen if you want te securise your page just add it at the top of your page
include("config.php");

if(isset($_SESSION['user_id'])) {
// Inloggen correct, updaten laatst actief in db
$sql = "UPDATE gebruikers SET lastactive=NOW() WHERE id='".$_SESSION['user_id']."'";
mysql_query($sql);
}else{
if(isset($_COOKIE['user_id'])) {
  $sql = "SELECT wachtwoord,status FROM gebruikers WHERE id='".$_COOKIE['user_id']."'";
  $query = mysql_query($sql);
  $rij = mysql_fetch_object($query);
  $dbpass = htmlspecialchars($rij->wachtwoord);
  $dbstatus = htmlspecialchars($rij->status);
  if($dbpass == $_COOKIE['user_password']) {
   $_SESSION['user_id'] = $_COOKIE['user_id'];
   $_SESSION['user_status'] = $dbstatus;
  }else{
   setcookie("user_id", "", time() - 3600);
   setcookie("user_password", "", time() - 3600);
   echo "Cookies incorrect. Cookies verwijderd.";
   header("Location: inloggen.php");
  }
}else{
  header("Location: inloggen.php");
}
}
?> 

[PFMaBiSmAd]

Where's your session_start() statement?

 

Also, you need an exit; statement after those header() redirects to prevent the remainder of the code on your 'protected' page from being executed when a hacker ignores the redirect.

[paulus4605]

the session start is mentioned in the config.php

[paulus4605]

this is the detail of the config.php

<?php
// Start je zelf ergens anders je sessies/cookies? Maak van de volgende twee regels dan commentaar (# of //)
session_start();
ob_start();

// Error reporting zetten we uit, het is niet echt netjes je bezoekers errors voor te schotelen
ERROR_REPORTING(0);

// MySQL
$db_user = "*******"; // Gebruiker voor MySQL
$db_pass = "*******"; // Wachtwoord voor MySQL
$db_host = "localhost"; // Host voor MySQL; standaard localhost
$db_db = "*******"; // Database

// Als je al ergens anders een database connectie hebt gemaakt,
// maak dan van de volgende twee regels commentaar (# of // ervoor zetten)
mysql_connect($db_host,$db_user,$db_pass);
mysql_select_db($db_db);

// Instellingen
$loginpage = "useropties.php"; // Pagina waar de gebruiker heen wordt gestuurd wanneer deze is ingelogd
$forgoturl = "http://berknet.be.funpic.de/voorbeelden/inlogsysv2/"; // Volledige URL naar inlogsysteem, voor activeren van wachtwoord vergeten, / aan einde
$sitenaam = "Groot Inlogsysteem v2"; // Naam van je site; deze word oa. gebruikt bij het verzenden van mail
$sitemail = "inlogsys@berknet.tk"; // Afzender van verzonden mail
?> 

[PFMaBiSmAd]

ERROR_REPORTING(0);

 

By setting error_reporting to zero, you are hiding any php errors that would help tell you why your code is not working.

 

ob_start();

 

By using output buffering and performing a header() redirect, any php errors that would have been reported and displayed on that page will be lost.

 

When developing and debugging php code, you need to have error_reporting set E_ALL and display_errors set to ON and you need to get all output buffering statements out of your code.

 

Edit: If you are going to set the error_reporting/display_errors settings in your script (for debugging purposes), you need to set them immediately after the first opening <?php tag on your main page that is being requested so that any errors in all the code on that page will be reported and displayed. Putting them inside included files won't help if there is a problem including that file.

[AyKay47]

as PFM stated, you are hiding the errors that can potentially help you solve this issue.. also, I see that you start output buffiering.. but where do you flush the data?

[the182guy]

Storing the user ID and password in cookies is a bad idea, why have you chosen this approach?