HDFilmMaker2112 Posted June 20, 2012

I for the life of me can't get this to work:

When you first land on the homepage of my site, the links at the top are set to the user being logged out. When you log-in, the links on the top of the page change to the menu for a logged in user as they should. When you select sign-out everything looks like it goes okay, you get logged out and the user is returned to the homepage. However, if you simply click the log-in button again, without typing anything into the username or password fields, you're magically signed in again.

login.php

```php
<?php
header('Content-type: text/html; charset=utf-8');
session_start();
$viewed_homepage=$_SESSION['homepage'];
$login_username=$_POST['email'];
$login_username=strtolower($login_username);
$login_password=$_POST['password'];
$login_stay_logged_in=$_POST['stayloggedin'];
$login_form_submitted=$_POST['login_form_submit'];

/*if form has been submitted and the front page has been viewed*/
if($viewed_homepage=="viewed" && $login_form_submitted=="submitted"){
    require_once 'db_select.php';
    require_once 'function.php';

    /*Connect to DB*/
    $LoginDB = $db->connect('mysqli', 'persist', 'db418598519');

    /*Encode - Sanitize user input for query*/
    $sanitized_email = $LoginDB->mysqli_sanitize($login_username);
    $encoded_password = $LoginDB->kam3($login_password);

    /*run query*/
    $result = $LoginDB->query("SELECT * FROM user WHERE email_address='$sanitized_email' AND password='$encoded_password'");
    $num_rows = $result->num_rows;
    $rows = $result->fetch_assoc();

    /*Close Database Connection*/
    $LoginDB->close();

    /*If user matches a database entry log-in*/
    if(($num_rows==1) && ($rows["email_address"]==$sanitized_email && $rows["password"]==$encoded_password)){
        /*Set Session/Cookie data to stay logged in*/
        $_SESSION['username']=$sanitized_email;
        $_SESSION['password']=$encoded_password;
        $_SESSION['user_id']=$rows['id'];

        /*If selected, Set Cookies*/
        if($login_stay_logged_in=="yes"){
            /*Connect to DB to insert cookie key*/
            $CookieDB = $db->connect('mysqli', 'persist', 'db418598519');

            /*Generate key, encode username, and get current time for cookies */
            $hased_value = kam3(md5(generatepassword(6)));
            $hashed_username = md5s($rows["email_address"]);
            $time = time();
            setcookie("knxn_hash", $hased_value, time()+(86400*180), "/", "beta.area51entertainment.com",false,false);
            setcookie("knxn_username", $hashed_username, time()+(86400*180), "/", "beta.area51entertainment.com",false,false);
            setcookie("knxn_visited", $time, time()+(86400*180), "/", "beta.area51entertainment.com",false,false);
        }

        /*Unset error alert for log-in form*/
        unset($_SESSION['login_error']);

        /*redirect to dashboard*/
        header("Location: /?p=newsstream");
    }
    else{
        /*redirect to index.php with error message*/
        $_SESSION['login_error']="error";
        header("Location: ./");
    }
}
else{
    /*redirect to index.php if submission didn't originate from log-in form on index.php*/
    header("Location: ./");
}
?>
```

Logout.php

```php
<?php
header('Content-type: text/html; charset=utf-8');
session_start();

/*Unset and destroy users session data*/
if(isset($_SESSION['username'])){
    unset($_SESSION['username']);
    unset($_SESSION['password']);
    unset($_SESSION['user_id']);
    unset($_SESSION['homepage']);
    session_destroy();
    header("location: ./");
}
else{
    header("location: ./");
}
?>
```

xyph Posted June 20, 2012

Take out your redirects, echo out variables before you use them in critical if conditionals, echo out queries. Verify the data actually is what you think it is.

Nice passwords, btw.

HDFilmMaker2112 Posted June 20, 2012

Alright, just tried echoing everything out, and everything is doing what it should, still getting magically logged in when I have the redirects in place though.

Echoing out all the log-in information in login.php displays the information when details are entered, and shows no details when no details are entered. Echoing everything out in logout.php after everything is unset shows a blank page, as expected.

HDFilmMaker2112 Posted June 20, 2012

Actually $_SESSION['username'] doesn't appear to be set inside of logout.php so it's going around that if statement. Doesn't make sense why.... It's set on nearly every other page other than my logout.php page; so it's staying set.

HDFilmMaker2112 Posted June 20, 2012

Alright, I made a test.php... If I log-in, then manually type in test.php in the address bar, it loads and displays the $_SESSION['username']. Then I manually type in logout.php, and it displays the $_SESSION['username']... but if I try to access it directly through a link, like the sign-out link, it doesn't show it.

Skewled Posted June 20, 2012

```php
// Delete the hash, username and visited cookies by setting their expirations to an hour ago (3600)
setcookie('knxn_hash', ' ', time() - 3600);
setcookie('knxn_username', ' ', time() - 3600);
setcookie('knxn_visited', ' ', time() - 3600);
```

Just curious if you're deleting the cookies if the user isn't selecting stay logged in, even still you should make them expire 30 days out or so. Is the form defaulting to selected for the stay logged in box? If you've tested it checked then you're going to be able to log out and back in without any issues, you'd have to clear your browser data.

HDFilmMaker2112 Posted June 20, 2012

> ```php
> // Delete the hash, username and visited cookies by setting their expirations to an hour ago (3600)
> setcookie('knxn_hash', ' ', time() - 3600);
> setcookie('knxn_username', ' ', time() - 3600);
> setcookie('knxn_visited', ' ', time() - 3600);
> ```
>
> Just curious if you're deleting the cookies if the user isn't selecting stay logged in, even still you should make them expire 30 days out or so. Is the form defaulting to selected for the stay logged in box? If you've tested it checked then you're going to be able to log out and back in without any issues, you'd have to clear your browser data.

I'm not worried about the cookies right now. They're not being set because I couldn't get them to work, and I disabled the option on the log-in form for the time being.

I turned error reporting on in logout.php and I'm getting this:

Notice: Undefined index: username

Skewled Posted June 20, 2012

```php
/*Unset and destroy users session data*/
if(isset($_SESSION['username'])){
    $_SESSION = array();
    session_destroy();
    header("location: ./");
}
else{
    header("location: ./");
}
```

Rather than unset for all those $_SESSION values give the above a shot.

HDFilmMaker2112 Posted June 20, 2012

> ```php
> // Delete the session vars by clearing the $_SESSION array
> $_SESSION = array();
> ```
>
> Rather than unset for all those $_SESSION values give the above a shot.

No luck.

Skewled Posted June 20, 2012

```php
if (isset($_SESSION['user_id']) && isset($_SESSION['username']) && isset($_SESSION['password'])
    && !empty($_SESSION['user_id']) && !empty($_SESSION['username']) && !empty($_SESSION['password'])) {
    // Execute code here
} else {
    // do redirect
}
```

The page that the login form redirects to should check for the session data or redirect back to the login page, I want to see if the session data is being deleted properly. The above code will check that the session is set and that the values are not empty then proceed.

Pretty late here and my brain is mush, hope you get it solved soon, make sure to echo all variables to verify they are correct as stated above and then move piece by piece over the code to help debug any issues with mistyping etc. I don't know what the redirect page has for code so I'm hoping you're checking the data like above.

HDFilmMaker2112 Posted June 20, 2012

I threw in an unset($_SESSION['username']); in the login.php

```php
<?php
header('Content-type: text/html; charset=utf-8');
session_start();
$viewed_homepage=$_SESSION['homepage'];
$login_username=$_POST['email'];
$login_username=strtolower($login_username);
$login_password=$_POST['password'];
$login_stay_logged_in=$_POST['stayloggedin'];
$login_form_submitted=$_POST['login_form_submit'];

/*if form has been submitted and the front page has been viewed*/
if($viewed_homepage=="viewed" && $login_form_submitted=="submitted"){
    require_once 'db_select.php';
    require_once 'function.php';

    /*Connect to DB*/
    $LoginDB = $db->connect('mysqli', 'persist', 'db418598519');

    /*Encode - Sanitize user input for query*/
    $sanitized_email = $LoginDB->mysqli_sanitize($login_username);
    $encoded_password = $LoginDB->kam3($login_password);

    /*run query*/
    $result = $LoginDB->query("SELECT * FROM user WHERE email_address='$sanitized_email' AND password='$encoded_password'");
    $num_rows = $result->num_rows;
    $rows = $result->fetch_assoc();

    /*Close Database Connection*/
    $LoginDB->close();

    /*If user matches a database entry log-in*/
    if(($num_rows==1) && ($rows["email_address"]==$sanitized_email && $rows["password"]==$encoded_password)){
        /*Set Session/Cookie data to stay logged in*/
        $_SESSION['username']=$sanitized_email;
        $_SESSION['password']=$encoded_password;
        $_SESSION['user_id']=$rows['id'];

        /*If selected, Set Cookies*/
        if($login_stay_logged_in=="yes"){
            /*Connect to DB to insert cookie key*/
            $CookieDB = $db->connect('mysqli', 'persist', 'db418598519');

            /*Generate key, encode username, and get current time for cookies */
            $hased_value = kam3(md5(generatepassword(6)));
            $hashed_username = md5s($rows["email_address"]);
            $time = time();
            setcookie("knxn_hash", $hased_value, time()+(86400*180), "/", "beta.area51entertainment.com",false,false);
            setcookie("knxn_username", $hashed_username, time()+(86400*180), "/", "beta.area51entertainment.com",false,false);
            setcookie("knxn_visited", $time, time()+(86400*180), "/", "beta.area51entertainment.com",false,false);
        }

        /*Unset error alert for log-in form*/
        unset($_SESSION['login_error']);

        /*redirect to dashboard*/
        header("Location: /?p=newsstream");
    }
    else{
        /*redirect to index.php with error message*/
        $_SESSION['login_error']="error";
        unset($_SESSION['username']);
        header("Location: ./");
    }
}
else{
    /*redirect to index.php if submission didn't originate from log-in form on index.php*/
    header("Location: ./");
}
?>
```

Seems to be working correctly that way.

Skewled Posted June 20, 2012

That's rather interesting, glad it's working though!!

HDFilmMaker2112 Posted June 20, 2012

Well it's not quite working correctly. Right now if I log-in, it'll change the top menu bar, and if I directly access the rewritten URLs (using mod_rewrite) via browser address bar, such as /home it loads fine... but if I access it via a link with /home it logs me out.

But right now I guess it's good enough to do development...

HDFilmMaker2112 Posted June 20, 2012

I think this whole issue might be a non-www. vs. www. issue... How would I make sure everything uses one or the other?

It seems as though the session is getting set on www. (if the user accesses via www.) and redirected to www.kynxin.com/newsstream, but the links in my site are for non-www. So I need something to set something so the site always uses one or the other.

HDFilmMaker2112 Posted June 20, 2012

Mod_Rewrite Solved:

```apache
RewriteCond %{HTTP_HOST} !^www [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
```

Solved the log-in/out issue as well. Turns out the sessions themselves were fine, it was the SessionID cookie being written as non-www to the browser.
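
The cookie-scope cause found in the last post, together with the logout handling discussed earlier in the thread, as an added example that is not code from any poster: it pins the site to one host name, gives the session cookie an explicit scope, and expires that cookie on logout. Assumptions: `CANONICAL_HOST` is a placeholder, the site is served over HTTPS, PHP is 7.3 or later, and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
const CANONICAL_HOST = 'www.example.com'; // placeholder: the one host name the site uses

// Redirect requests arriving on any other host name, so the browser holds one session cookie.
function enforce_canonical_host(): void
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    if ($host !== CANONICAL_HOST) {
        // Target is built from the constant, not from the request's Host header.
        header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
}

// Start the session with an explicit cookie scope (array form needs PHP 7.3+).
function start_site_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'domain'   => '',     // host-only: valid for the canonical host alone
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Log out without first testing $_SESSION: clear the data, expire the cookie
// with the same scope it was set with, then destroy the server-side session.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
    header('Location: /');
    exit;
}
enforce_canonical_host(); // top of every page
start_site_session();     // logout.php then only calls logout()
```

Because the logout path no longer depends on `isset($_SESSION['username'])`, a request that arrives with a session the script cannot see still ends with the cookie expired and a redirect.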