
Help improve login, session getting lost on android device


lovephp


Hey all, what am I doing wrong here? On an Android device, when I try to upload a file, the session gets lost while browsing through files on the phone. On PC and on the latest Android devices it seems OK, but on some I'm facing this issue.

How could I keep the session active for a month if the user does not log out?

My login.php code is:

<?php
session_start();

// Returns the first address found. Only REMOTE_ADDR comes from the connection itself;
// the other headers are set by the client or a proxy and can hold any value.
function get_client_ip() {
    $ipaddress = '';
    if (!empty($_SERVER['HTTP_CLIENT_IP']))
        $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
    else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
    else if (!empty($_SERVER['HTTP_X_FORWARDED']))
        $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
    else if (!empty($_SERVER['HTTP_FORWARDED_FOR']))
        $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
    else if (!empty($_SERVER['HTTP_FORWARDED']))
        $ipaddress = $_SERVER['HTTP_FORWARDED'];
    else if (!empty($_SERVER['REMOTE_ADDR']))
        $ipaddress = $_SERVER['REMOTE_ADDR'];
    else
        $ipaddress = 'UNKNOWN';

    return $ipaddress;
}

// Already logged in: redirect and stop, so the rest of the page does not run.
if (isset($_SESSION['LOGGED_IN']) && $_SESSION['LOGGED_IN'] == true)
{
    header("Location: index.php");
    exit();
}
if(isset($_POST["submit"]))
{
$email = mysql_real_escape_string(trim(strip_tags($_POST['email'])));
$password = mysql_real_escape_string(trim(strip_tags($_POST['password'])));

$rs = mysql_query("select userID from users where user_email='$email'");
$duplicates = mysql_num_rows($rs);

$rs1 = mysql_query("select userID,user_email,user_password from users where user_email='$email' AND user_password='".sha1($password)."'");
$maychpass = mysql_num_rows($rs1);

$error = '';

    if($email == "")
    {
        $error = 'E-mail address is required.';
    }elseif(!preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $email)){
        $error = 'E-mail address is invalid.';
    }elseif ($duplicates < 1){
        $error = 'E-mail address not found.';
    }
    elseif($password == "")
    {
        $error = 'Password is required.';
    }elseif(strlen($password) < 6){
        $error = 'Password is too short.<small>(Min 6 Chars)</small>';
    }elseif ($maychpass < 1){
        $error = 'Wrong password.';
    }
    else{    
    
   $qry="select userID,user_full_name,user_email,user_password from users where user_email='$email' AND user_password='".sha1($password)."'";
    $result=mysql_query($qry);
    
    //Check whether the query was successful or not
    if($result) {
        if(mysql_num_rows($result) == 1) {
            //Login Successful
            session_regenerate_id();
            $user = mysql_fetch_assoc($result);
            $_SESSION['LOGGED_IN'] = true;
            $_SESSION['MAT_USER_ID'] = $user['userID'];
            $_SESSION['MAT_USER_FULL_NAME'] = $user['user_full_name'];
            $_SESSION['MAT_USER_EMAIL'] = $user['user_email'];
            $_SESSION['MAT_USER_IP'] = get_client_ip();
            // Cookie expires after 12 hours (43200 seconds).
            setcookie("matLogged", $_SESSION['MAT_USER_EMAIL'], time()+43200);
            $ip = get_client_ip();
            session_write_close();
            echo("<p align='center'><font color='green' size='5'>Success:</font> Login successful, redirecting to members page.<br/><img src='img/loader.gif' alt='Loader'></p>");    
            mysql_query("UPDATE users SET ip = '".$ip."' WHERE userID = '".$user['userID']."'");
            echo ('<meta http-equiv="refresh" content="5;url=index.php">');    
            exit();
        }else {
            //Login failed
            echo("<p align='center'><font color='red' size='5'>Error:</font> Something went wrong, redirecting to login page.<br/><img src='img/loader.gif' alt='Loader'></p>");    
            echo ('<meta http-equiv="refresh" content="5;url=login.php">');
            exit();
        }
    
    }
}    
}

 

Would really appreciate your help and time.

Edited by lovephp

  • 3 weeks later...

The first example here is a nice starter into cookies.

 

http://www.phpnerds.com/article/using-cookies-in-php/2

Absolutely do not use anything from that article. That's like 12-year-old code and is very unsafe. You should never store passwords in a cookie (or any other sensitive information), and you should never use MD5() to store passwords.

 

If I have to implement autologin myself (which, really, you shouldn't have to - use libraries), I will generate a random token and store it in the database, and a cookie. When a user visits the site and does not have an active session, the token from the cookie will look up the user it belongs to and they will be logged in. You can optionally add some additional checks like comparing browsers and IP to attempt to mitigate cookie theft. Make sure to also use HTTP only cookies, and always use HTTPS. You can also add a TTL to the tokens, and/or limit how many tokens can be active for a single user at one time. There's lots of variations here.

Edited by scootstah
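
The token-based auto-login described in the reply above, as an added example that is not code from either poster. The `auth_tokens` table, the `remember` cookie name and all function names are assumptions, the demo uses an in-memory SQLite database, and storing only a SHA-256 hash of the token in the database goes one step beyond what the reply states.

```php
<?php
// Added example; table, column, cookie and function names are assumptions.
const TOKEN_TTL = 30 * 24 * 3600;  // one month, the lifetime asked about in the question
const MAX_TOKENS = 5;              // active tokens allowed per user

function issue_token(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));   // goes in the cookie; only its hash is stored
    $db->prepare('INSERT INTO auth_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + TOKEN_TTL]);
    // Drop this user's oldest tokens beyond the cap (SQLite syntax).
    $db->prepare('DELETE FROM auth_tokens WHERE user_id = ? AND id NOT IN (SELECT id
        FROM auth_tokens WHERE user_id = ? ORDER BY id DESC LIMIT ' . MAX_TOKENS . ')')
       ->execute([$userId, $userId]);
    return $token;
}

function send_token_cookie(string $token): void
{
    // Sent over HTTPS only and hidden from JavaScript.
    setcookie('remember', $token, ['expires' => time() + TOKEN_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

function user_for_token(PDO $db, string $token): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM auth_tokens WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

function auto_login(PDO $db, array $cookies, array &$session): bool
{
    if (!empty($session['LOGGED_IN'])) return true;   // session still alive
    $userId = isset($cookies['remember']) ? user_for_token($db, (string) $cookies['remember']) : null;
    if ($userId === null) {
        return false;                     // no cookie, unknown token or expired token
    }
    $session = ['LOGGED_IN' => true, 'MAT_USER_ID' => $userId];
    return true;
}

// Constructed demo on an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE auth_tokens (id INTEGER PRIMARY KEY, user_id INTEGER, token_hash TEXT, expires_at INTEGER)');
$valid = [];
$forged = [];
var_dump(auto_login($db, ['remember' => issue_token($db, 42)], $valid), $valid);
var_dump(auto_login($db, ['remember' => 'forged-value'], $forged), $forged);
```

In a login page, `issue_token()` and `send_token_cookie()` would run after a successful password check, and `auto_login($db, $_COOKIE, $_SESSION)` at the top of each protected page, with `session_regenerate_id(true)` whenever it restores a login from the cookie.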