Need Help With Session Login

[lwmiller]

Hi,

I am writing some code to check logins to a mySQL database(WANIP) of remotes sites against usernames in wanipusers database. I have the login.php checking to see if there is a valid session, if not they are prompted to login, if there is a valid session, they are passed to login_success.php. Below is my login.php and the checklogin.php that checks for a valid session and the usernames against the wanipusers database. The login_success.php just gives them a choice to either update the database or add a new site.

 

Currently, once they hit login.php, they are automatically sent to checklogin.php and the incorrect username message is displayed, once they click the return link to enter proper credentials, they are automatically sent to login_success.php, and that's not the way it's supposed to work.

 

Any help would be appreciated,

Thanks,

Leonard

 

****

login.php

<?php
session_start();
// Set timeout and kill session if necessary
$inactive = 600;
if (isset($_SESSION["timeout"])) {
// calculate sessions TTL
$sessionTTL = time() - $_SESSION["timeout"];
if ($sessionTTL > $inactive) {
	session_destroy();
	header("Location: logout.php");
}
}
echo "<title>WANIP Login</title>";
if ($_SESSION["authorized"] = true) {
header( 'Location: login_success.php' ) ;
} else {
$_SESSION["authorized"] = false;
echo "<table width=300 border=0 align=center cellpadding=0 cellspacing=1 bgcolor=#CCCCCC><tr><form method=post action=checklogin.php><td><table width=100% border=0 cellpadding=3 cellspacing=1 bgcolor=#FFFFFF>";
echo "<tr>";
echo "<td colspan=3><strong>Login </strong></td></tr>";
echo "<tr><td width=78>Username</td><td width=6>:</td><td width=294><input name=myusername type=text id=myusername></td></tr><tr><td>Password</td><td>:</td><td><input name=mypassword type=password id=mypassword></td></tr><tr><td> </td><td> </td><td><input type=submit value=Login></td></tr></table></td></form></tr></table>";
echo "</center>";
echo "<center><a href=index.html>Return</a>";
}
?>

****

checklogin.php

<?php

// Connect to server and select databse.
mysql_connect("localhost", "user", "password")or die("cannot connect");
mysql_select_db("wanipusers")or die("cannot select DB");

// Define $myusername and $mypassword
$username=$_POST['myusername'];
$password=$_POST['mypassword'];
echo "$username - $password";

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM users WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $username and $password, table row must be 1 row
if($count==1){
// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
$_SESSION["authorized"] = true;
} else {
echo "<center>Incorrect Username and/or Password</center>";
echo "<center><a href=login.php>Return</a> and enter proper credetials</center>";
}
?>

Edited October 22, 2012 by lwmiller

[ManiacDan]

Please use [ code ] or [ php ] tags so we can actually see your code properly.

 

There's nothing I could see in login.php that would automatically do a redirect. Are you sure you're hitting that page? How are you being redirected? Do you have firebug or anything installed so you can confirm the header() calls are working?

 

You should call die(); after every header redirect.

[lwmiller]

Hi ManiacDan,

I realized I forgot the

 tags after I posted it, thanks for pointing that out.

Actually no, I just realized that I forgot to change the link in the index.html that takes me to the login.php. So now that problem is that once I click the link for login.php, it automatically takes me to login_success.php. So it thinks $_SESSION["autorized"] is true, even if is hasn't been set yet, which it would in login.php.

 

Thanks for your help,

Leonard

Edited October 22, 2012 by lwmiller

[lwmiller]

And I put die(); after my headers, I was not aware that was necessary or even an option.

 

Leonard

[ManiacDan]

if ($_SESSION["authorized"] = true) {

 

= is assignment.

 

== is comparison.

[lwmiller]

Thanks Dan,

That worked, now it takes me to the login page. But now when I try to return to the login page, it still prompts me to login, instead of passing me to the login_success.php. Would that be due to the fact that I have session_start(); in the login.php? Should it be someplace else?

 

Thanks

[ManiacDan]

Session_start() must be on every single page which uses the session, and if you don't die() after your header call, the session may not save properly (though in your instance it proably will regardless).