devtech2015 Posted January 6, 2013 Share Posted January 6, 2013 (edited) I have this login page using sessions but when I provide the correct username and password, am just re-directed to the same login page but if the credentials are wrong, am issued with a warning. When i check the logged data in the database on provision of correct username and password, a blank username is logged as logged in at that time. I need your help. here is my code. // login.php <?php session_start(); include("config.php"); $error = ""; if($_SERVER["REQUEST_METHOD"] == "POST") { // username and password sent from form $myusername=addslashes($_POST['username']); $mypassword=addslashes($_POST['password']); $error="<h3><strong>Your Login Name or Password is invalid</h3></strong>"; $sql="SELECT uid FROM users WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); $row=mysql_fetch_array($result); $active=$row['active']; //if( isset($_SESSION[$myusername]) ) $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1) { if( isset($_SESSION[$myusername]) ) //session_register("myusername"); //$_SESSION['login_user']=$myusername; $_SESSION['login_user']= $_POST['username']; header("location: welcome.php"); } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Login Page</title> <style type="text/css"> @import url("../../../Users/devtech/Documents/Unnamed Site 1/CSS/colors5.css"); body { font-family:Arial, Helvetica, sans-serif; font-size:14px; background-image: url(); background-color: #FFFFFF; background-repeat: repeat-x; } label { font-weight:bold; width:100px; font-size:14px; font-family: "Times New Roman", Times, serif; text-decoration: none; } .box { border:#666666 solid 1px; } body,td,th { color: #0000FF; font-weight: bold; background-color: #FFFFCC; line-height: normal; text-transform: capitalize; font-family: "Times New Roman", Times, serif; background-attachment: scroll; background-position: left bottom; text-decoration: overline; } </style> </head> <p align="center"> </p> <body> <img src="images/COMVOO Logo.jpg" width="194" height="156"/> <div align="center"> <div align="left" style="width:300px; border: solid 1px #333333; "> <div style="background-color:#333333; color:#FFFFFF; padding:3px;"><em><strong>COMVOO LOGIN</strong></em></div> <div style="margin:30px"> <form action="" method="post"> <label>UserName :</label> <input type="text" name="username" class="box"/> <br /> <br /> <label>Password :</label> <input type="password" name="password" class="box" /> <br/> <br /> <input type="submit" value=" Submit "/> <br /> </form> <div style="font-size:11px; color:#cc0000; margin-top:30px"><?php echo $error; ?></div> </div> </div> </div> </div> </body> </html> //// lock.php <?php session_start(); include('config.php'); // $inactive = 299; // set timeout period in seconds // $user_check=$_SESSION['login_user']; $ses_sql=mysql_query("select username from users where username='$user_check' "); $row=mysql_fetch_array($ses_sql); $login_session=$row['username']; if(!isset($login_session)) { header("Location:login.php"); } /////////////////////////////////// else if (isset($_SESSION['timeout'])) { $session_life = time() - $_SESSION['timeout']; if ($session_life > $inactive) { session_destroy(); header("Location: logout.php"); //header("Location: login.php"); } } $_SESSION['timeout'] = time(); /////////////////////////////////// ?> /////////// welcome.php <?php //include('lock.php'); //include("config.php"); require_once("config.php"); require_once("lock.php"); ?> <?php $login="INSERT INTO logaudit (eventid, username, event, eventdate) VALUES ('', '$login_session', 'logged in', NOW())"; $sql2=mysql_query($login); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Welcome </title> <style type="text/css"> <!-- body { background-color: #FFFFCC; background-image: url(); background-repeat: no-repeat; } --> </style></head> <?php $url=$_SERVER['REQUEST_URI']; header("Refresh: 300; URL=$url"); ?> lock.php Edited January 6, 2013 by devtech2015 Quote Link to comment Share on other sites More sharing options...
Christian F. Posted January 7, 2013 Share Posted January 7, 2013 Please use the [code][/code] tags around your code, as it helps make both your post and your code a lot easier to read. Thank you. Quote Link to comment Share on other sites More sharing options...
sourcy Posted January 7, 2013 Share Posted January 7, 2013 (edited) Well for starters: You login.php page is missing {}'s I re-wrote it for you to include them if($_SERVER["REQUEST_METHOD"] == "POST") { // username and password sent from form $myusername=addslashes($_POST['username']); $mypassword=addslashes($_POST['password']); $error="<h3><strong>Your Login Name or Password is invalid</h3></strong>"; $result=mysql_query("SELECT uid FROM users WHERE username='$myusername' and password='$mypassword'"); $row=mysql_fetch_array($result); $active=$row['active']; // If result matched $myusername and $mypassword, table row must be 1 row if(mysql_num_rows($result)==1) { if( isset($_SESSION[$myusername]) ) { //session_register("myusername"); //$_SESSION['login_user']=$myusername; $_SESSION['login_user']= $_POST['username']; header("location: welcome.php"); } } } Second on login.php you're adding slashes to the username that they are entering, but setting the raw $_POST as the $_SESSION['login_user'] and then running that on a SQL query meaning it's vulnerable to SQL injection. Third: You should encrypt passwords in your DB. Edited January 7, 2013 by sourcy Quote Link to comment Share on other sites More sharing options...
sourcy Posted January 7, 2013 Share Posted January 7, 2013 (edited) if( isset($_SESSION[$myusername]) ) { I also think you need to change this to if (!isset($_SESSION['login_user'])) { $_SESSION['login_user'] = $myusername; Because I don't see $_SESSION[$myusername] being set anywhere. This will check if they are already logged in, and if they aren't it will set them a session and then send them to welcome.php. But if they are, i will do nothing. Edited January 7, 2013 by sourcy Quote Link to comment Share on other sites More sharing options...
Christian F. Posted January 8, 2013 Share Posted January 8, 2013 I recommend that you read this article about secure login systems. It'll help explain a lot of the stuff you need to do, why you need to do them, and give you examples on how they're done. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.