Two separate usernames & passwords able to access each other's accounts

[jamesjw]

I have created a client access website for a company I work for with a the same login system used in two different directories in the same domain.  If a user (client) logs in, they can access not only their content, but another client's content in another directory as well.  It has something to do with the way the cookie is being set.  This is obviously a major security issue that needs to be resolved.

 

Note:  The cookie's name is PHPSESSID, and I'm not sure how to change that.

 

Here is the code:

 

include_once("config.php");

include_once("lang/lang_".$lang.".php");

$pml_title = $site_name;

include("htmltop.php");

include_once("connect.php");

 

if(isset($_SESSION['user_id'])) {

header("Location: ".$afterlogin);

}else{

if(isset($_COOKIE['user_id'])) {

  // Read cookie, make session

  $sql = "SELECT id,state,password,active FROM `".$db_tbl."` WHERE id='".$_COOKIE['user_id']."'";

  $query = mysql_query($sql);

  $row = mysql_fetch_object($query);

  $id = htmlspecialchars($row->id);

  $status = htmlspecialchars($row->state);

  $dbpass = htmlspecialchars($row->password);

  $actief = htmlspecialchars($row->active);

  if($dbpass == $_COOKIE['user_password'] AND $actief == 2) {

  $_SESSION['user_id'] = $id;

  $_SESSION['uid'] = 0;

  $_SESSION['user_status'] = $status;

  ?>

  <script language="Javascript" type="text/javascript">

    location.href='<?= $afterlogin ?>';

  </script>

  <?

  }else{

  echo $login_cookiefalse;

  setcookie("user_id", "", time() - 3600);

  setcookie("user_password", "", time() - 3600);

  }

}else{

  if(isset($_POST['submit'])) {

  // Login

  $sql = "SELECT id,name,password,state,active,cookie_pass FROM `".$db_tbl."` WHERE name='".$_POST['user']."'";

  $query = mysql_query($sql);

  $count = mysql_num_rows($query);

  if($count == 1) {

    $row = mysql_fetch_object($query);

    $dbpass = htmlspecialchars($row->password);

    $userpass = md5($_POST['pass']);

    $cookiepass = htmlspecialchars($row->cookie_pass);

    $userid = htmlspecialchars($row->id);

    $userstatus = htmlspecialchars($row->state);

    $useractief = htmlspecialchars($row->active);

    if($dbpass == $userpass) {

    if($useractief == 1) {

      $_SESSION['user_id'] = $userid;

      $_SESSION['user_status'] = $userstatus;

      if($_POST['cookie'] == "do") {

      if($cookiepass == "") {

        $cookiecode = mt_srand((double)microtime()*100000);

        while(strlen($cookiecode) <= 10) {

        $i = chr(mt_rand (0,255));

        if(eregi("^[a-z0-9]$", $i)) {

        $cookiecode = $cookiecode.$i;

        }

        }

        $sql = "UPDATE `".$db_tbl."` SET cookie_pass = '".$cookiecode."' WHERE name = '".$_POST['user']."' LIMIT 1";

        mysql_query($sql);

        $cookiepass = $cookiecode;

      }

      setcookie("cookie_id", $userid, time() + 365 * 86400);

      setcookie("cookie_pass", $cookiepass, time() + 365 * 86400);

      }

      echo $loginsucces;

      ?>   

 

Many thanks in advance for the much needed assistance.

[mpharo]

I would create another cookie variable and then when you are in the directories just do a check for that variable, if it is equal to 1 allow if 0 deny access...

[jamesjw]

NM. I fixed this issue by placing session_name(" ") in the configuration file.