Login script problems

[arbitter]

Hi there

 

I am having some issues with my site login. When a user logs in, it loads the page as a logged in user. But often when you click on a link inside the page, for some reason the user is logged out. After logging in again it sometimes does work, it's weird..

Also, even if you keep the page loaded in the browser yet you don't interact with it for a couple of minutes, and you click something, you're logged out again..

Here's my code, this is on the top of the page. When a user logs in, the $_POST['login'] is set.

 

<?php
session_start();
setlocale(LC_ALL, 'nl_NL');
require_once('mysql_connect.inc.php');
date_default_timezone_set('Europe/Brussels');
$verbinding = mysql_connect(MYSQL_SERVER, MYSQL_GEBRUIKERSNAAM, MYSQL_WACHTWOORD) or die("Connection failed: " . mysql_error());
function CleanMyDirtyData($dirtydata){
	return mysql_real_escape_string(htmlentities($dirtydata, ENT_QUOTES,'UTF-8'));
}
if(isset($_COOKIE['LoginCookie'])){
$hash = mysql_real_escape_string($_COOKIE['LoginCookie']);
mysql_select_db('db');
$sql = "SELECT * FROM leden WHERE cookie_hash = '".$hash."'";
if($result = mysql_query($sql)){
	$row = mysql_fetch_array($result);
	if(empty($row)){
		setcookie('LoginCookie','',time()-3600);
	}
	if(mysql_num_rows($result) == 1){
		$_SESSION['loggedin'] = true;//this is the parameter throughout the site that determines wether to show logged in data or not-logged in data.
		//extra parameters for identification
		$_SESSION['loggedinnick'] = $row['nick'];
		$_SESSION['loggedinvoornaam'] = $row['voornaam'];
		$_SESSION['loggedinachternaam'] =  $row['achternaam'];
		$_SESSION['loggedinid'] = $row['id'];
		$_SESSION['loggedintype'] = $row['type'];
	}
}
}
if(isset($_POST['login'])){
if(empty($_POST['username']) || empty($_POST['wachtwoord'])){
	$_SESSION['melding'] = "You need to fill in both fields.";
	header('Location: index.php');
	exit();
}
$username = CleanMyDirtyData($_POST['username']);
$wachtwoord = sha1(CleanMyDirtyData($_POST['wachtwoord']));
mysql_select_db('db');
$sqlmail = mysql_query("SELECT * FROM leden WHERE email='$username' AND wachtwoord = '$wachtwoord'");
$sqlnaam = mysql_query("SELECT * FROM leden WHERE nick='$username' AND wachtwoord = '$wachtwoord'");
if(mysql_num_rows($sqlmail) == 1 || mysql_num_rows($sqlnaam) == 1){
	if(mysql_num_rows($sqlmail) == 1){
		$row = mysql_fetch_array($sqlmail);
	}else{
		$row = mysql_fetch_array($sqlnaam);
	}
	if(isset($_POST['remember'])){
		$hash = sha1($whatev);//combination of 3 parameters; time, salt, and something else.
		setcookie('LoginCookie',$hash,time()+30000000);
		mysql_query("UPDATE leden SET cookie_hash='" . $hash . "' WHERE id='" . $row['id'] . "'")or die(mysql_error());
	}
	$_SESSION['loggedin'] = true;
	$_SESSION['loggedinnick'] = $row['nick'];
	$_SESSION['loggedinvoornaam'] = $row['voornaam'];
	$_SESSION['loggedinachternaam'] = $row['achternaam'];
	$_SESSION['loggedinid'] = $row['id'];
	$_SESSION['loggedintype'] = $row['type'];
	$_SESSION['melding'] = "You have successfully logged in.";
	header('Location: index.php');
	exit();
}else{
	$_SESSION['melding'] = "Wrong combination.";
	header('Location: index.php');
	exit();
}
}
?>

[Julius]

check session ID on different pages: is it different?

[arbitter]

That does indeed seem to change! Is it because I have session_start() on the top of all my pages? Or how do I prevent this?

[lonewolf217]

if(!isset($_SESSION)) {
   session_start();
}

 

i think that will do it. you would have to hande the session unregister on logout though or have some sort of session timeout probably

[arbitter]

Well currently I unset the session on logout as well, so that wont be a problem.

 

I'll give it a try, thanks!