Jump to content

Disappearing Cookies


cmb

Recommended Posts

i have this login in system the login page is in a folder called login with a couple other files related to a login system. when a user logs in the php creates several cookies and is suppose to redirect to another page which is in a separate folder. on the page you are suppose to get redirected to, it calls a file that checks to see if the user is loged  on by checking some cookies against the database but the cookies aren't their anymore even though they were set.  here is the login script

<?php
require('database.php'); //Include DB connection information

if (isset($_POST['login'])) { //Execute the following if form is submitted
$ip = mysql_real_escape_string($_SERVER["REMOTE_ADDR"]); //Geet user's IP Address
$email = mysql_real_escape_string($_POST['email']); //Post email from form
$password = mysql_real_escape_string(sha1(md5($_POST['pass']))); //Post password from form and encrypt


if (empty($email) || empty($password)) { //Check for empty fields
die("<b>Error:</b> All fields are required to be filled in.");
}

$check = mysql_query("SELECT * FROM users WHERE email = '$email'") or die(mysql_error());
$check2 = mysql_num_rows($check);
if ($check2 == 0) { //Check if account exists
die("<b>Error:</b> Email and password do not match the database.");
}
$row = mysql_fetch_array($check);
$key = $row['key'];
$ppas = $password . $key;
$db_password =  $row['password'];
if ($ppas != $db_password) { //Check if password is correct
die("<b>Error:</b> Email and password do not match the database.");
}

$allowed = $row['pp'];
if ($allowed != 1) { //Check if they have permission
die("<b>Error:</b> You do not have permission to view this section.");
}

function randomstring($length = 10) {
    $validCharacters = "abcdefghijklmnopqrstuxyvwz1234567890";
    $validCharNumber = strlen($validCharacters);

    $result = "";

    for ($i = 0; $i < $length; $i++) {
        $index = mt_rand(0, $validCharNumber - 1);
        $result .= $validCharacters[$index];
    }

    return $result;


}
$session = randomstring();

$pas = $password . $key;

mysql_query("UPDATE users SET session_id='$session' WHERE email='$email' AND password='$pas' ") or die(mysql_error()); //Add session ID to DB
mysql_query("UPDATE users SET login_ip='$ip' WHERE email='$email' AND password='$pas'") or die(mysql_error()); //Add login IP to DB

$level = $row['accounttype'];
$pp = $row['pp'];
$fs = $row['fs'];
$fam = $row['fam'];
$fname = $row['firstname'];
$gbsa = $row['gbsa'];
$future = time() + 1209600;
setcookie("uemail", $email, $future); //Set cookie containing username
setcookie("sessionid", $session, $future); //Set cookie containging session ID
setcookie("acounttype", $level, $future);
setcookie("pp", $pp, $future);
setcookie("fs", $fs, $future);
setcookie("fam", $fam, $future);
setcookie("gbsa", $gbsa, $future);
setcookie("name", $fname, $future);
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
$page = mysql_real_escape_string($_GET['page']);
if ($page == 1){
header("Location: ../pinkpanthers/index.php"); //Redirect to members page
}else{
header("Location: ../main.php");
}
}else
{ //If form is not submitted display the form
echo<<<login
<center>
<h1>Log In </h1>
<h2>Or GO <a href="../main.php">Home</a></h2>
<form method="post" action="">
Email: <input type="text" name="email"><br>
Password: <input type="password" name="pass"><br>
<input type="submit" name="login" value="Login"><br><br>

</form></center>
login;
}
?>

and here is the check login page

<?php
require('../login/database.php'); //Include DB connection information
$ip = mysql_real_escape_string($_SERVER["REMOTE_ADDR"]); //Get user's IP Address
$email = mysql_real_escape_string($_COOKIE['uemail']); //Get username stored in cookie
$pp = mysql_real_escape_string($_COOKIE['pp']);
if ($pp == 1){
$sessionid = mysql_real_escape_string($_COOKIE['sessionid']); //Get user's session ID
$query = "SELECT * FROM `users` WHERE `email` = '$email' AND `session_id` = '$sessionid' AND `login_ip` = '$ip' AND `pp` = '1' ";
$check = mysql_query($query) or die(mysql_error()); //Check if all information provided from the user is valid by checking in the DB
$answer = mysql_num_rows($check); //Return number of results found. Equal to 0 if not logged in or 1 if logged in.
if ($answer == 0 || $sessionid == '') { //Check if login is valid. If not redirect user to login page
header('Location: ../login/login.php?page=1');
exit();
}
$row = mysql_fetch_array($check);
$email = stripslashes($row['email']);
}else{

header('Location: ../login/login.php?page=1');
}

?>

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.