dannon Posted May 30, 2013 Share Posted May 30, 2013 (edited) Hello, my login system sometimes doesn't log me in. I have been trying to solve this for a past couple of days, and I can't figure out whats wrong as sometimes it works and sometimes it doesn't. For my website, I use an MVC, and in my Model superclass I initiate the user class. The User class logs the user in using a constructor: function __construct() { //print_r($_SESSION); if (!isset($_SESSION['user_data']) || $_SESSION['user_data']['loggedIn'] === false) { if (isset($_COOKIE['rm_session'])) { $cookieInfo = explode("-", $_COOKIE['rm_session']); if ($this->checkCookie($cookieInfo[0], $cookieInfo[1])) { $this->updateCookie($cookieInfo[0]); $this->loginId($this->getId($cookieInfo[0])); return; } } $this->loginGuest(); } } This checks if the session is set, if not it will check the cookie. Here is my check cookie function: public function checkCookie($username, $token) { $sql = "SELECT token, time FROM remember_auths WHERE username = :username ORDER BY time DESC"; $sth = Model::$db->preparedQuery($sql, array( ":username" => $username, )); $data = $sth->fetch(PDO::FETCH_ASSOC); if (!empty($data)) { if ($this->validateString($token, $data['token'])) { $time = time() - strtotime($data['time']); if ($time < 2592000) { return true; //all good! } else { echo "times are wrong!"; return false; //cookie auth too old | can be checked in query? } } else { echo "invalid tokens"; return false; //invalid token } } else { echo "cookie not found"; return false; //no cookie found } } When the website logs the user in, it updates the cookie. Here is the function for that: public function updateCookie($username) { $randomString = $this->generateString(); setcookie("rm_session", $username . "-" . $randomString, strtotime('+1 month'), "/"); Model::$db->preparedQuery("INSERT INTO remember_auths (username, token) VALUES(:username, :token)", array( ":username" => $username, ":token" => $this->cryptString($randomString) )); } For some reason, this login system doesn't log the user in sometimes when the user revisits. For debugging, I have echo'ed out where the login system fails, and it seems that the tokens do not match. I can't figure out what is causing this as I am saving the cookie and the token into the database in the same function. It seems as if half of the function gets called, and the other doesn't. How can I fix this? Thank you in advance. Also sorry if my code is horrible. Edited May 30, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/ Share on other sites More sharing options...
mac_gyver Posted May 30, 2013 Share Posted May 30, 2013 do you have php's error_reporting set to E_ALL and display_errors set to ON so that things like header errors on the setcookie() statement would be reported and displayed? you may be outputting something on the page(s) that is preventing the setcookie() statement from working, depending on how you are reaching the code. you should log the token values with a time stamp so that you can determine which ones are the correct ones/what order they are generated in. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433106 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 (edited) do you have php's error_reporting set to E_ALL and display_errors set to ON so that things like header errors on the setcookie() statement would be reported and displayed? you may be outputting something on the page(s) that is preventing the setcookie() statement from working, depending on how you are reaching the code. you should log the token values with a time stamp so that you can determine which ones are the correct ones/what order they are generated in. As far as I can see, there are no values which are outputted before the cookies are set. I do have E_ALL and display_errors set to ON. 1 second, I'll try to do the logging of timestamps. I do have a timestamp in my remember_auths table, so I'll just make one for the cookies. Edited May 30, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433107 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 (edited) Ok, the query gets executed, but the cookies don't update. I don't see why it works for a couple of times and then it doesn't. Edited May 30, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433109 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 bump Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433198 Share on other sites More sharing options...
mac_gyver Posted May 30, 2013 Share Posted May 30, 2013 another possible reason for 'random' operation of cookies/sessions is if the hostname (with or without the www.) or path in the URL changes, depending on how you arrive at a page and then navigate around. since you are setting the cookie path parameter to a /, that leaves the hostname changing as a possible cause. you may have multiple versions of your url (with/without the www.) in links, redirects, shortcuts, bookmarks, or in your browser history, so you might be starting with one variation of the hostname and it works until you switch to a different variation of the hostname. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433205 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 (edited) another possible reason for 'random' operation of cookies/sessions is if the hostname (with or without the www.) or path in the URL changes, depending on how you arrive at a page and then navigate around. since you are setting the cookie path parameter to a /, that leaves the hostname changing as a possible cause. you may have multiple versions of your url (with/without the www.) in links, redirects, shortcuts, bookmarks, or in your browser history, so you might be starting with one variation of the hostname and it works until you switch to a different variation of the hostname. This is what most probably is causing the problem. I am using the RewriteEngine and the URLs are similar to this forum, where it's "example.com/ab/cd". Seems to be working better when use the domain. This is what my setcookie function looks like now: $domain = ($_SERVER['HOST_NAME'] == "localhost" ? "localhost" : "." . DOMAIN); setcookie("rm_session", $username . "-" . $randomString, strtotime('+1 month'), "/", $domain); Also my domain creates two PHPSESSID cookies when I go to my website with www. and without. How can I fix this? Edited May 30, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433236 Share on other sites More sharing options...
mac_gyver Posted May 30, 2013 Share Posted May 30, 2013 you need a leading dot . on the domain value to match all hostnames/subdomains. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433244 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 (edited) Ok, I fixed the PHPSESSIDs by doing this: $domain = ($_SERVER['HTTP_HOST'] == "localhost" ? false : "." . DOMAIN); session_set_cookie_params(0, "/", $domain, false, true); and for some reason the it's still not updating the token cookie on localhost. However it looks like it's working on my domain. I never knew cookies would be such a pain for me. What domain should I use for localhost? I tried false, null and localhost, it seems to cause problems for me. Edit:: nope, still doing it sometimes. Could it be something wrong with my time checking? Edited May 30, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433252 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 Nope, there's nothing wrong with my time checking. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433256 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 I have tried using: header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT"); Didn't help. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433286 Share on other sites More sharing options...
jazzman1 Posted May 30, 2013 Share Posted May 30, 2013 Can you save a session without cookies? Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433287 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 (edited) Can you save a session without cookies? Great idea! I was actually trying following this: http://stackoverflow.com/questions/549/the-definitive-guide-to-forms-based-website-authentication/477578#477578 to try and make my login secure. Could you tell me how I can save sessions? or should I just use session_set_cookie_params() and just set it for a month? Also is it possible to make the session ID update once the user revisits the site? Edited May 30, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433291 Share on other sites More sharing options...
dannon Posted May 30, 2013 Author Share Posted May 30, 2013 Also, as sessions are saved on my web server, wouldn't this waste a lot of space if a lot of people use the remember me? because a lot of sessions would need to be saved? I also cannot find a way to save the session. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433296 Share on other sites More sharing options...
jazzman1 Posted May 30, 2013 Share Posted May 30, 2013 (edited) Alright then, step by step: Go back to the __constructor method did you start a session_start() function on the page before to call that method? Because if not, the logic of your code every time will be the same. Edited May 30, 2013 by jazzman1 Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433307 Share on other sites More sharing options...
dannon Posted May 31, 2013 Author Share Posted May 31, 2013 (edited) Alright then, step by step: Go back to the __constructor method did you start a session_start() function on the page before to call that method? Because if not, the logic of your code every time will be the same. Ok, I have placed the session_start() into the constructor of my User class. It makes more sense for me to keep it here. And yes, I have used session_start() in my Bootstrap class which gets called first. Edited May 31, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433309 Share on other sites More sharing options...
jazzman1 Posted May 31, 2013 Share Posted May 31, 2013 So, if the user is on a session that part of the code has never been executed,right? if (!isset($_SESSION['user_data']) || $_SESSION['user_data']['loggedIn'] === false) { if (isset($_COOKIE['rm_session'])) { $cookieInfo = explode("-", $_COOKIE['rm_session']); if ($this->checkCookie($cookieInfo[0], $cookieInfo[1])) { $this->updateCookie($cookieInfo[0]); $this->loginId($this->getId($cookieInfo[0])); return; } } Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433316 Share on other sites More sharing options...
dannon Posted May 31, 2013 Author Share Posted May 31, 2013 (edited) So, if the user is on a session that part of the code has never been executed,right? if (!isset($_SESSION['user_data']) || $_SESSION['user_data']['loggedIn'] === false) { if (isset($_COOKIE['rm_session'])) { $cookieInfo = explode("-", $_COOKIE['rm_session']); if ($this->checkCookie($cookieInfo[0], $cookieInfo[1])) { $this->updateCookie($cookieInfo[0]); $this->loginId($this->getId($cookieInfo[0])); return; } } Yes. Edited May 31, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433317 Share on other sites More sharing options...
jazzman1 Posted May 31, 2013 Share Posted May 31, 2013 What happens further in that __construct (), when the user is on a session? Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433321 Share on other sites More sharing options...
dannon Posted May 31, 2013 Author Share Posted May 31, 2013 (edited) What happens further in that __construct (), when the user is on a session? Nothing. I just use it to log the user in. The User class is initiated in my Model class. The Model is loaded before my Controller class which collects all of the information and then renders it using the View class. Should I post the whole User class for you? I don't really want to because I think it's badly coded and I don't want to burn your eyes. Edited May 31, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433322 Share on other sites More sharing options...
jazzman1 Posted May 31, 2013 Share Posted May 31, 2013 No, that tells me that you don't have a problem with sessions. Let me see your .htaccess file. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433324 Share on other sites More sharing options...
dannon Posted May 31, 2013 Author Share Posted May 31, 2013 (edited) php_flag display_errors on php_value error_reporting 9999 RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-l RewriteRule ^(.+)$ index.php?url=$1 [QSA,L] I make it so the url is like this: example.com/controller/controller_function Edited May 31, 2013 by dannon Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433325 Share on other sites More sharing options...
jazzman1 Posted May 31, 2013 Share Posted May 31, 2013 Hm....not able to help you on this without a real data, maybe someone else ....sorry for that. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433326 Share on other sites More sharing options...
dannon Posted May 31, 2013 Author Share Posted May 31, 2013 Hm....not able to help you on this without a real data, maybe someone else ....sorry for that. Ah, that's fine. What do you mean by real data? What kind of data do you need? Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433327 Share on other sites More sharing options...
jazzman1 Posted May 31, 2013 Share Posted May 31, 2013 Ah, that's fine. What do you mean by real data? What kind of data do you need? your project b/s it's a MVC Not have a time to do that. Quote Link to comment https://forums.phpfreaks.com/topic/278576-login-system-doesnt-log-me-in/#findComment-1433328 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.