Strange session behaviour


MargateSteve

I have something strange going on with sessions set after a user logs in.

 

After posting the form, the following code (only part of the log in script) correctly assigns the user's ID to $_SESSION['id'] but after a while it starts showing up as the user's level ($_SESSION['level']). I have rechecked all of my code to see if something mistakenly assigns the level to $_SESSION['id'] but everything seems fine.

 

I am going to rewrite the log in script today, as I am sure that I can streamline it, but wondered if anyone can give any advice on what is happening here to make sure I do not fall into the same trap!

 

Thanks

Steve

 

$username = mysql_escape_string($_POST['Lname']);  
$password = mysql_escape_string(md5($_POST['Lpassword'])); 
	   
	  $search = mysql_query("SELECT 
	  userid, username, password, active, level 
	  FROM 
	  users WHERE username like binary '".$username."' AND password='".$password."' AND active='1'") 
	  or die(mysql_error());  
	  
	  $match  = mysql_num_rows($search);  
	  $level = mysql_fetch_assoc($search);
	  
		if($match > 0) //The username and password is correct
		  {//START MANUAL LOGIN & SET SESSION VARIABLES  
		  $_SESSION['user'] = $username;
		  $_SESSION['level'] = $level['level'];
		  $_SESSION['loggedin'] = '1';
		  $_SESSION['id'] = $level['userid'];

Link to comment
Share on other sites

There are two likely possibilities for your session variable changing -

 

1) register_globals is on and you have another variable named 'id' - $id, $_COOKIE['id'], $_POST['id'], $_GET['id'] (and less common but still possible - $_FILES['id'], $_SERVER['id'], $_ENV['id']) - that contains or has been assigned the level value. What does a phpinfo statement show for register_globals and do you have any of those other 'id' variables present with the level in it?

 

2) Your code is assigning a value to $_SESSION['id'], using one = equal sign, instead of comparing a value using two == signs.

 

 

Link to comment
Share on other sites

It is $_SESSION['id'] that gets changed but it gets assigned the value that should be assigned to $_SESSION['level'].

 

Register Globals is on but no other variables are named 'id'. I have checked all other scripts just in case any others caused a conflict but nothing sets 'id'.

 

I tried setting the variable using == but the problem is still there. As I said, I am going to rewrite it anyway to try to remove some of the duplication but I have put my current full script below in case I am missing something obvious!!

 

Thanks

Steve

 

#CHECK IF COOKIES ARE SET
if(isset($_COOKIE['username']) AND isset($_COOKIE['password']))
{// Cookies are set so check if they are still active 
$username = mysql_real_escape_string($_COOKIE['username']);  
$password = mysql_real_escape_string($_COOKIE['password']);

$search = mysql_query("	SELECT 
userid, username, password, active, level FROM users WHERE username='".$username."' AND password='".$password."' AND active='1'
") 
or die(mysql_error());  

$match  = mysql_num_rows($search);  
$level = mysql_fetch_assoc($search);

if($match > 0) //There are valid cookies so use that to log the user in 
  {//START AUTO LOGIN & SET SESSION VARIABLES  
  $_SESSION['user'] = $username;
  $_SESSION['level'] = $level['level'];
  $_SESSION['pass'] = $level['password'];
  $_SESSION['loggedin'] = '1';
  $_SESSION['id'] == $level['userid'];
  }//END AUTO LOGIN 
}
#END CHECK IF COOKIES ARE SET

#CHECK IF USER IS LOGGED IN
if( $_SESSION['loggedin'] !== 1 )
{//User is not logged in
#CHECK IF A LOGIN HAS BEEN ATTEMPTED	
if(!isset($_POST['Lname']) AND !isset($_POST['Lpassword']) OR isset($_POST['cancel']))
	{//No Login attempted so see if the form has been requested   
		if(isset($_POST['log']))//Check if login form has been requested
		{//User has clicked LOGIN so show form
		$form = 1;
		} 
	}
else
	{//Login attempted so check details
	#CHECK BOTH USERNAME AND PASSWORD FIELDS HAVE BEEN ENTERED
	if(!empty($_POST['Lname']) AND !empty($_POST['Lpassword']))
	  {//Username and password have both been entered so check against dbase
	  $username = mysql_real_escape_string($_POST['Lname']);  
	  $password = mysql_real_escape_string(md5($_POST['Lpassword'])); 
	   
	  $search = mysql_query("SELECT 
	  userid, username, password, active, level FROM users WHERE username like binary '".$username."' AND password='".$password."' AND active='1'") 
	  or die(mysql_error());  
	  
	  $match  = mysql_num_rows($search);  
	  $level = mysql_fetch_assoc($search);
	  
		if($match > 0) //The username and password is correct
		  {//START MANUAL LOGIN & SET SESSION VARIABLES  
		  $_SESSION['user'] = $username;
		  $_SESSION['level'] = $level['level'];
		  $_SESSION['loggedin'] = '1';
		  $_SESSION['id'] == $level['userid'];
		  $_SESSION['pass'] = $level['password'];
		  
		  
		  #CHECK IF USER HAS CHECKED 'REMEMBER ME'			
		if(isset($_POST['remember']))
			{//'Remember me' was checked so store cookies to autologin next time
			setcookie('username', $username, time()+60*60*24*365, "/");
			setcookie('password', $password, time()+60*60*24*365, "/");
			}
		  header( 'Location: '. $thispage.'' ) ;
		  }
		else
		{//No Match found so show error message and login form
			$form = 1;  $error = 1;
		}//END MANUAL LOGIN
	  } 
	else
	  {//Username or password were incorrect so show error message and login form  
	  $form = 1;  $error = 1;
	  }   
	}//End log in attempted
};//End log in	

Link to comment
Share on other sites

Register Globals is on

 

You need to turn register_globals OFF. They were deprecated and turned off by default 10 years ago last month, because they allow hackers to set your session variables to anything they want, so anyone can bypass your login code anyway with them on, which is why they have been completely removed as of PHP 5.4.

 

The problem is not in your log in code, it is in your code on other pages that sets or tests the $_SESSION['id'] variable.

 

You also have the following 'assignment' statement in two places: $_SESSION['id'] == $level['userid']; One = sign is an assignment operator. Two == signs is a comparison operator. That statement is not setting $_SESSION['id'].

Link to comment
Share on other sites
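
The two causes discussed in the answer above, as an added example that is not part of the original thread: a start-up guard against register_globals, an emulation of the session/global aliasing that setting created, and the `==` versus `=` difference. The helper name `register_globals_enabled` and the sample values 42 and 3 are assumptions made for this illustration.

```php
<?php
// Added illustration, not code from the thread. PHP 5.3-compatible syntax so the
// guard also runs on the old versions that still had the setting.

// Hypothetical helper for a shared bootstrap file. ini_get() returns false when
// the directive does not exist at all, which is the case from PHP 5.4 onwards.
function register_globals_enabled()
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

if (register_globals_enabled()) {
    exit("Refusing to run: register_globals aliases session keys to globals\n");
}

// Emulation of the old behaviour: each session key was also a global variable
// bound by reference to the session entry of the same name.
$_SESSION = array('id' => 42, 'level' => 3);    // constructed sample values
$id    = &$_SESSION['id'];
$level = &$_SESSION['level'];

// "Another page" that never mentions $_SESSION['id'] but reuses the name $id.
$id = $level;
echo "with alias:    ", var_export($_SESSION['id'], true), "\n";

// Same statement with the alias removed: the session entry is left alone.
unset($id, $level);
$_SESSION = array('id' => 42, 'level' => 3);
$id = $_SESSION['level'];
echo "without alias: ", var_export($_SESSION['id'], true), "\n";

// The second bug: == only compares, and the result is discarded.
$row = array('userid' => 42);                   // constructed database row
$_SESSION['id'] = null;
$_SESSION['id'] == $row['userid'];              // comparison, stores nothing
echo "after ==:      ", var_export($_SESSION['id'], true), "\n";
$_SESSION['id'] = $row['userid'];               // assignment
echo "after =:       ", var_export($_SESSION['id'], true), "\n";
```

When auditing an old code base, search every included file for plain variables whose names match a session key (here `$id` and `$level`), since any of them could have overwritten the session entry while the setting was on.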

I have switched register_globals OFF and removed the extra ='s -  I misunderstood what you meant by

2) Your code is assigning a value to $_SESSION['id'], using one = equal sign, instead of comparing a value using two == signs.

- and everything seems to be working fine at the moment.

 

I was previously using the script happily on another host which is why I was puzzled at it not working.

 

Thanks

Steve

Link to comment
Share on other sites
