Zola Posted January 4, 2012

Hi,

I have a restricted area for my work's company. This is an area where registered users with their own user name and password can access to download technical documents etc.

I am hearing some reports that users will have to login twice to get to the area - This happens in Chrome, IE 7/8 and some Firefox's. It has only happened to me once or twice.

Does anyone know why this may be?

Here is the HTML code from the login form on the index page:

```html
<form name="login_form" method="post" action="log.php?action=login">
  <p>Login:<br />
    <input type="text" name="user" />
  </p>
  <p>Password: <br />
    <input type="password" name="pwd" />
  </p>
  <p class="submit">
    <input type="submit" value="Submit" name="submit" class="submit" />
  </p>
</form>
```

Here is the log.php File: (personal connection details edited)

```php
<?php
$hostname = "IP:3306";
$username = "user";
$password = "password";
$database = "db_name";
$link = MYSQL_CONNECT($hostname,$username,$password);
mysql_select_db($database);
?>
<?php
session_name("MyWebsiteLogin");
session_start();

if($_GET['action'] == "login") {
    $conn = mysql_connect("IP:3306","user","password");
    $db = mysql_select_db("db_name"); //Your database name goes in this field.
    $name = $_POST['user'];
    $ip=$_SERVER['REMOTE_ADDR'];
    $country = file_get_contents('http://api.hostip.info/country.php?ip='.$ip);
    $q_user = mysql_query("SELECT * FROM customer WHERE username='$name'");
?>
<?php
    $insert_query = ("INSERT INTO login(username, ip, country) VALUES ('$name','$ip','$country');");
    mysql_query($insert_query) or die('Error, insert query failed');
?>
<?php
    if(mysql_num_rows($q_user) == 1) {
        $query = mysql_query("SELECT * FROM customer WHERE username='$name'");
        $data = mysql_fetch_array($query);
        if($_POST['pwd'] == $data['password']) {
            session_register("name");
            header("Location: http://#/download/index.php?un=$name"); // This is the page that you want to open if the user successfully logs in to your website.
            exit;
        } else {
            header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
            exit;
        }
    } else {
        header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
        exit;
    }
}
?>
```

Any help or ideas would be greatly appreciated.
Vel Posted January 4, 2012

First off, you are wide open to SQL injection attacks. You need to escape any data that you don't know the contents of, such as name, the IP ($_SERVER can be manipulated through the browser) and password. This is very easy to do, all you do is add `$var = mysql_real_escape_string($var);` before using it in any mysql statements.

Secondly, we need more information on what is actually happening. What do your users see when the first login fails?
Zola Posted January 5, 2012 (Author)

Hi mate, thanks for the reply, I appreciate it!!

I have added the statements here:

```php
$name = $_POST['user'];
$name = mysql_real_escape_string($name); // escape the posted user name before it goes into a query
$ip = $_SERVER['REMOTE_ADDR'];
$ip = mysql_real_escape_string($ip);     // escape the address before it goes into a query
```

I am very new to PHP and MySQL. Can you explain what this does and a little about the potential threat please? I am eager to learn.

The login problem for some users will be when they try to log in from the index page. When they submit, the form seems to post the data, but then the page refreshes on the index page. It's just like someone pressed refresh in the browser. Then when they submit data again it will work.
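What the escaping advice in this exchange protects against, as an added example that is not part of the original thread: the same user lookup built three ways and run against a constructed table. It assumes PHP with the PDO SQLite driver so it runs offline; `PDO::quote` stands in for `mysql_real_escape_string`, and the table contents and function names are made up for the demonstration.

```php
<?php
// Added example: constructed table and data, in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customer (username TEXT, password TEXT)");
$db->exec("INSERT INTO customer VALUES ('alice', 'constructed-secret')");

// Same pattern as log.php: the posted value is pasted into the SQL text,
// so a quote inside the value ends the string literal early.
function lookup_concatenated(PDO $db, string $name): int {
    $sql = "SELECT * FROM customer WHERE username='$name'";
    return count($db->query($sql)->fetchAll());
}

// Escaping: quotes inside the value are neutralised, so it stays one literal.
function lookup_escaped(PDO $db, string $name): int {
    $sql = "SELECT * FROM customer WHERE username=" . $db->quote($name);
    return count($db->query($sql)->fetchAll());
}

// Prepared statement: the SQL text is fixed and the value travels separately,
// so there is nothing to forget to escape.
function lookup_prepared(PDO $db, string $name): int {
    $stmt = $db->prepare("SELECT * FROM customer WHERE username = ?");
    $stmt->execute([$name]);
    return count($stmt->fetchAll());
}

// Constructed inputs: an ordinary name, and a value containing quotes that
// turns the concatenated WHERE clause into one that matches every row.
$inputs = ["alice", "nobody' OR '1'='1"];
foreach ($inputs as $name) {
    printf("%-20s concatenated=%d escaped=%d prepared=%d\n",
        $name,
        lookup_concatenated($db, $name),
        lookup_escaped($db, $name),
        lookup_prepared($db, $name));
}
```

The second input matches a row only in the concatenated version, which is the difference between treating form data as part of the SQL statement and treating it as a value.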
PFMaBiSmAd Posted January 5, 2012

It's likely that the host-name/subdomain (www. vs no www.) in the URLs is changing back and forth (between having and not having the www. on them) and the session id cookie only matches the URL variation where it was set, and when you are redirecting around, you finally end up going between pages that all have the same host-name (or lack thereof) in the URL.

The people who need to log in twice arrived at the login form either through a link or through a short-cut/bookmark that has the opposite variation of the host-name from your header() redirect to the ....download/index.php page.

You can confirm this by going to your login form using a URL that works. Then either adding the www. (if the working URL doesn't have it) or removing the www. (if the working URL has it), then trying to log in to see if it takes two tries.

If this is the case, here's some things you can do to fix the problem -

1) You should set up a .htaccess redirect to force all URLs to go to a single variation of your domain,
2) You should be consistent in your code to always build links/redirects with the same variation of your domain,
3) You should set the session.cookie_domain setting to be .yourdomain.com (with the leading dot . ) to get the session id cookie to match all variations of your domain.
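The cookie behaviour described in this answer, as an added example that is not part of the original thread: a small model of how a browser decides whether to send the session cookie back, followed by fix 3 applied before `session_start()`. `example.com` is a placeholder for the site's own domain and `cookie_sent` is a hypothetical helper written for this illustration.

```php
<?php
// Added example. example.com is a placeholder for the site's own domain.

// RFC 6265 matching: a cookie set without a Domain attribute is host-only and
// goes back only to the exact host that set it; with a Domain attribute it
// also goes to every subdomain of that domain.
function cookie_sent(string $setByHost, ?string $domainAttr, string $requestHost): bool {
    if ($domainAttr === null) {
        return strcasecmp($setByHost, $requestHost) === 0;
    }
    $d = strtolower(ltrim($domainAttr, '.'));
    $h = strtolower($requestHost);
    return $h === $d || substr($h, -strlen($d) - 1) === '.' . $d;
}

// The failing case: login form opened on the bare domain, redirect goes to www.
$cases = [
    ['example.com', null,           'www.example.com'], // default session cookie
    ['example.com', '.example.com', 'www.example.com'], // session.cookie_domain set
    ['example.com', null,           'example.com'],     // same host both times
];
foreach ($cases as [$setBy, $attr, $request]) {
    printf("set on %-12s Domain=%-13s request to %-16s %s\n",
        $setBy, $attr ?? '(none)', $request,
        cookie_sent($setBy, $attr, $request) ? 'cookie sent' : 'cookie NOT sent');
}

// Fix 3 from the post, placed at the top of log.php and of every protected
// page, before session_start(). Skipped on the command line so the model
// above can be run on its own.
if (PHP_SAPI !== 'cli') {
    ini_set('session.cookie_domain', '.example.com');
    session_name('MyWebsiteLogin');
    session_start();
}
```

In the first case the session created at login is invisible to the page the redirect lands on, so the user appears logged out until a second attempt sets a cookie on the host they are now using.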
Zola Posted January 6, 2012 (Author)

Thanks! I will take your points in and will hopefully get this sorted.
Zola Posted January 9, 2012 (Author)

Update! This has been fixed now!

I had two duplicate files which were conflicting - one (an older log.php file) in the root directory and one in the restricted directory. They were causing the whole problem.

I = noob, but at least I am learning. I also swotted up on books and videos and removed lots of garbage code that wasn't needed.