
Login help: staying logged in


mannyguy


Hi. I'm new to PHP. I created a register, log in, welcome, and log out page for my site. They are all working accordingly. I'm having one problem that I can't seem to fix. I would like to stay logged in as I navigate other pages of my site. Every time I click on a link to another page within my site I get logged out. I know this issue might pertain to using sessions, but that's all I was able to find using Google search. Can anyone help? Much appreciated.

Link to comment
Share on other sites

<?php

//connects to database
mysql_connect("hose "name", "password") or die(mysql_error());
mysql_select_db("name") or die (mysql_error());

//checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs in and directs to members page
{
   $username = $_COOKIE['ID_my_site'];
   $userpassword = $_COOKIE['Key_my_site'];
   $check = mysql_query("SELECT * FROM users WHERE username = '$username'")
   or die(mysql_error());
   
   while($info = mysql_fetch_array( $check ))
   {
      if ($userpassword != $info['password'])
         {
         }
      else
         {
         header(" testing_login.php");
         }
   }
}
//if the log in form is submitted
if (isset($_POST['loginsubmit'])) { //if form has been submitted

//makes sure forms is filled in
if(!$_POST['username'] | !$_POST['userpassword']) {
      die("<div id='welcomesign2'>You did not fill in all of the required fields.<br /> <a href='spartacus_home.php'>Try Again.</a></div>");
      }
      
//checks against database
if (!get_magic_quotes_gpc()) {
   $_POST['email'] = addslashes($_POST['email']);
   }
   
   $check = mysql_query("SELECT * FROM users WHERE username = 
   '".$_POST['username']."'")or die(mysql_error());
   
//gives error if user doesn't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
   die("<div id='welcomesign2'>Username does not exist in our database. <br /> <a href='spartacus_joinsite.php'>Register</a> or <a href='spartacus_home.php'>Try Again. </a></div>");
   }
   while($info = mysql_fetch_array( $check))
   {
   $_POST['userpassword'] = stripslashes($_POST['userpassword']);
   $info['userpassword'] = stripslashes($info['userpassword']);
   $_POST['userpassword'] = md5($_POST['userpassword']);
   
//gives error if the password is wrong 

    if ($_POST['userpassword'] != $info['userpassword']) { 
        die("<div id='welcomesign2'>Sorry, incorrect password, please retry.<br />  <a href='spartacus_home.php'> Try Again. </a></div>");
    }
    else
    {
//keeps username in form after 'Incorrect password' error
$_SESSION['username'] = $_POST['username'];


//if log in is ok we add a cookie
$_POST['username'] = stripslashes($_POST['username']);
$hour = time() + 3600;

   setcookie(ID_my_site, $_POST['username'], $hour);
   setcookie(Key_my_site, $_POST['userpassword'], $hour);
   
//then redirect to members area

header("testing_login.php");
   }
   }
   }
   else
   {
   //if they are not logged in
   ?>
    


That's my check login PHP. It's the code used to log in. I assume this is where the error lies? Here's my welcome PHP.

<?php
function CheckLogin()
{
   session_start();
   $sessionvar = $this->GetLoginSessionVar();
   if(empty($_SESSION['$sessionvar']))
   {
      return false;
   }
   return true;
}

require("spartacus_home.php");

$username=filter_input(INPUT_POST, 'username');
print "<div id='welcomesign'><h4>Welcome, $username!</h4></div>";
?>
<div id="welcomesign2">

<p> You now have access to all content including,<br />
the Downloads and Combat Tips.<br />Enjoy! </p>

<form action="spartacus_home.php" method="post">
<input type="submit" class="submit" name="logout" value="Log Out" />
</form>

 


Link to comment
Share on other sites

No offense, but you seem to be copy and pasting code left and right. You have some very wrong things in that code. How does it not throw a ton of errors?

 

1. Never store a password in a cookie and use it in that way. Terrible idea. There is never a reason you need to store a password in a cookie.

 

2. You are missing a quotation and a comma here:

mysql_connect("hose "name", "password") or die(mysql_error());

 

3. header(" testing_login.php"); - This is not how you redirect. You want

header('Location: testing_login.php');

 

4. You need another | here:

if(!$_POST['username'] | !$_POST['userpassword']) {

 

5. You are putting things in while loops that don't need to be there.

 

6. session_start() should be called at the top of the page.

 

7. $sessionvar = $this->GetLoginSessionVar(); - I have no idea what you are trying to do with this. You can't use $this in a procedural function.

 

8. if(empty($_SESSION['$sessionvar'])) - You can't use single quotes with a variable because it will output what is literally contained in the quotes. When dealing with array keys you don't need any quotes if you are passing a variable.

 

I would seriously recommend you learn some fundamentals of PHP before you go any further. You seem to be missing a lot of key concepts.

 

Sorry if I seem harsh.

Link to comment
Share on other sites

Not at all harsh. I know very little about PHP; I'm learning as I go. No offense taken. I just need help having the code work on all the pages of my site.

 

1. I copied the code from a tutorial…What should I do instead of a cookie?

2. Those are just my errors that I made right now when I was deleting my info to post here.

3. I will fix this error ASAP.

4. I'm not sure what you mean here.

5. Like I said I used a tutorial

6. I did the session_start() but it didn't do anything for me. But I will put it back in.

7. I'll delete this if it's doing nothing for me.

8. I will delete the quotes

Link to comment
Share on other sites

1. I copied the code from a tutorial…What should I do instead of a cookie?

 

You can use a cookie, just don't store a password in it. You should store as little as you possibly can. To auto login users after their session has expired, generally you would make an autologin cookie. This cookie will contain a unique auto login key assigned to the user when they first logged in. It will be stored in a database table and used to login the user.

 

The database table should have these columns : user_id, autologin_key, ip_address, user_agent, time

 

The user_id is, obviously, the user's id and is the PRIMARY KEY. This is how you will look up the user after matching the autologin key.

 

The autologin_key is the unique key assigned to the user when they first login. It will probably be an MD5 or SHA1 hash, so 32 or 40 characters in length.

 

The ip_address and user_agent will be optionally used to verify the cookie wasn't stolen. If it has a different IP and user agent, then it may be a safe bet to destroy that autologin and make them log in again.

 

The time will be the time at which the autologin was created. This is so you can expire them after so long and force them to relogin.

 

The code is pretty simple. When they first login, just create a unique key and insert it into the autologin table.

$autologin_key = sha1(uniqid(mt_rand(), true));

 

Now, store this key in a cookie. When the user's session expires you can check if an autologin cookie exists. If it does, see if that autologin key was found in the database. If it was, you can (optionally) compare the IP addresses and user agents, and see if it has expired. If all of these check out, you can log in the user.

 

This is a better approach than storing a password in a cookie, because in the event the cookie gets compromised, while they can potentially hijack that user's account they won't be able to steal their password (where they could then compromise accounts on other websites).

 

4. I'm not sure what you mean here.

 

if(!$_POST['username'] | !$_POST['userpassword']) {

 

You have a single | between these two items. What you wanted was ||, which is a logical operator meaning "or".

 

So it should read

if(!$_POST['username'] || !$_POST['userpassword']) {

 

 

6. I did the session_start() but it didn't do anything for me. But I will put it back in.

 

Well, session_start() doesn't "do" anything. It allows you to use sessions and keep them active between pages.

Link to comment
Share on other sites
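The autologin table described in the answer above, as an added example that is not part of the original posts. It goes a little further than the post: the key comes from random_bytes() rather than uniqid()/mt_rand(), only its SHA-256 is stored, and the key is rotated on each use. The function names, the 30-day lifetime and the demo values are assumptions; ip_address is stored but not compared, because client IPs change often.

```php
<?php
// Added example. Table and columns follow the post; the 30-day lifetime,
// function names and demo values are assumptions.
const AUTOLOGIN_TTL = 30 * 24 * 3600;

function issue_autologin(PDO $db, int $userId, string $ip, string $ua): string
{
    $token = bin2hex(random_bytes(32));   // CSPRNG output; this value goes in the cookie
    $db->prepare('REPLACE INTO autologin
                  (user_id, autologin_key, ip_address, user_agent, time)
                  VALUES (?, ?, ?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $ip, $ua, time()]);
    return $token;                        // the table only ever holds its SHA-256
}

function redeem_autologin(PDO $db, string $token, string $ip, string $ua): ?array
{
    $stmt = $db->prepare('SELECT * FROM autologin WHERE autologin_key = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                      // unknown or already rotated token
    }
    $expired = time() - (int) $row['time'] > AUTOLOGIN_TTL;
    if ($expired || $row['user_agent'] !== $ua) {
        // Stale, or presented by a different browser: drop it, force a login.
        $db->prepare('DELETE FROM autologin WHERE user_id = ?')
           ->execute([$row['user_id']]);
        return null;
    }
    // Rotate on every use so a copied cookie value stops working.
    $next = issue_autologin($db, (int) $row['user_id'], $ip, $ua);
    return ['user_id' => (int) $row['user_id'], 'new_token' => $next];
}

// Constructed demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE autologin (user_id INTEGER PRIMARY KEY, autologin_key TEXT,
           ip_address TEXT, user_agent TEXT, time INTEGER)');
$cookie = issue_autologin($db, 7, '203.0.113.5', 'ExampleBrowser/1.0');
var_dump(redeem_autologin($db, $cookie, '203.0.113.5', 'ExampleBrowser/1.0')); // first use
var_dump(redeem_autologin($db, $cookie, '203.0.113.5', 'ExampleBrowser/1.0')); // replay
```

On a real page the returned token is sent to the browser with setcookie() using the httponly, secure and samesite options, and a successful redeem should also set the session's logged-in flag.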

Well, the issue is that I log in and when I switch to another page within the site I'm automatically logged out. So I'm forced to log in again every time I change pages in the site.

 

I hope this makes sense, because I'm not trying to auto log in the user. I'm just trying to stay logged in when I click on another page WITHIN my own site.

Link to comment
Share on other sites

Then it is a sessions issue, or an issue with how you are implementing them.

 

Do something like this on each page:

 

session_start();

if ($_SESSION['logged_in'] === true) {
     // logged in
}

 

Make sure you set $_SESSION['logged_in'] = true when you log in.

 

Also note that session_start() has to be on every page (where you want this functionality) or this won't work.

Link to comment
Share on other sites

I tried this and it didn't work; maybe I'm not using it right. The session_start() goes at the top of the page, right? Not at the beginning of the log in PHP?

Should I copy that code into the log in page and into all the pages that I want the log in to continue active?

Link to comment
Share on other sites

Should I copy that code into the log in page and into all the pages that I want the log in to continue active?

 

Yes - you must have session_start() at the top of every page in which you wish to use session functionality.

 

Also if you are going by my example, make sure you set $_SESSION['logged_in'] = true when you login.

Link to comment
Share on other sites

Well in my example, every page has

if ($_SESSION['logged_in'] === true) { }

to determine if the user is logged in. So, obviously it won't magically become true, so you have to assign it to true when you authenticate the user.

 

// username is good
// password is good
// blah blah
// user is authenticated
$_SESSION['logged_in'] = true;

Link to comment
Share on other sites
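The session-based login the answers above describe, put together as an added example that is not code from the thread. $_SESSION['logged_in'] and the page names come from the posts; the function names and the $lookupHash callback are hypothetical, and it assumes passwords are stored with password_hash() rather than the MD5 used in the original script.

```php
<?php
// Added example. Function names and $lookupHash are assumptions.
// session_set_cookie_params() with an options array needs PHP 7.3 or later.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'lifetime' => 0,      // session cookie, dropped when the browser closes
            'path'     => '/',    // sent for every page of the site
            'secure'   => true,   // HTTPS only; over plain HTTP the cookie is never
                                  // sent back and every page looks logged out
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();          // must run before any output is sent
    }
}

function log_in(string $username, string $password, callable $lookupHash): bool
{
    $hash = $lookupHash($username);   // stored password_hash() value, or null
    if ($hash === null || !password_verify($password, $hash)) {
        return false;                 // same answer for unknown user and bad password
    }
    session_regenerate_id(true);      // fresh session ID once authenticated
    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $username;
    return true;
}

function require_login(): void
{
    if (($_SESSION['logged_in'] ?? false) !== true) {
        header('Location: spartacus_home.php');
        exit;
    }
}

// Top of every protected page (for example testing_login.php), before any HTML:
start_secure_session();
require_login();
// Read the name from the session, not from $_POST, and escape it on output.
echo 'Welcome, ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
```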
