SESSION changes username when clicking on a link

[shocker-z]

I have a issue after logging into my site and click a link it changes the username to the last user to log onto the site.. I have deleted the session files but no diffrence.. i have also user diffrent PC's and browsers but same issue! getting me stressed! it's got to be sumet simple im missing but really can't understand!

index.php
[a href=\"http://blucode.sytes.net/ukchat/index.phps\" target=\"_blank\"]http://blucode.sytes.net/ukchat/index.phps[/a]

profiles/login.php
[a href=\"http://blucode.sytes.net/ukchat/profiles/upload.phps\" target=\"_blank\"]http://blucode.sytes.net/ukchat/profiles/upload.phps[/a]

You can test this @ [a href=\"http://blucode.sytes.net/ukchat/\" target=\"_blank\"]http://blucode.sytes.net/ukchat/[/a]
user: test
pass: user

Please let me in on any ideas you have!

Regards
Liam

[shocker-z]

Please help i've no clue on this one and is the sortathing i will get boredof and leave lol any guru's?

[Barand]

The first thing that struck me when I looked at your files was the lack of "session_start()" at the begining.

[shocker-z]

sorry.. that's in the profiles/header.php page that i included at the start..
It oviusly has it else i wouldn't have set any session in the first place, any othe rideas?

[Barand]

[!--quoteo(post=358209:date=Mar 25 2006, 01:59 PM:name=shocker-z)--][div class=\'quotetop\']QUOTE(shocker-z @ Mar 25 2006, 01:59 PM) [snapback]358209[/snapback][/div][div class=\'quotemain\'][!--quotec--]
sorry.. that's in the profiles/header.php page that i included at the start..

[/quote]

Only in one of the files in that case

[Barand]

Where do you set the $_SESSION['username'] ?

[shocker-z]

Sorry my bad i put the upload.phps instead of the actual login.php that deals with the username/password..

[a href=\"http://blucode.sytes.net/ukchat/profiles/login.phps\" target=\"_blank\"]http://blucode.sytes.net/ukchat/profiles/login.phps[/a]

*SLAPS HEAD*

[Barand]

I haven't seen anything obvious yet.

I would change this bit though

[code]if ($password !== $user['password']) {
$error="Password invalid for $username";
header("location: ../index.php");
} [/code]

Remove the header() line. You redirect to index.php at the end of the script. If you do it there then the session error message doesn't get set.

[shocker-z]

ok will do.. i think im gonna have to strip this down and kind of rebuild it because im totaly baffled by how it uses another session after files have been deleted!

[Barand]

After the session_start() in the login page I'd put

[code]$_SESSION['username'] = $_SESSION['logged_in'] = NULL;[/code]

As new values are only set if the login is valid, this should ensure they are cleared if it fails.

[shocker-z]

hmmm any idea how this fixed it? i change $username to $imgusername and now it's all working.. i had noticed that what ever username was in the profiles list on the left hand side thats what username the session changed too... how could setting $username='matthew'; change a $_session['username'] ???