Session problem - CodingForum

  • Session problem

    Hi guys,

    I've a problem, and it's driving me nuts!
    I want to make a login form, when you enter the correct password and username you'll get to see the content of that page.
    I thought I'll do this with sessions, but when I enter the correct username and password, the session won't start!
    Can someone figure out what goes wrong?

    header.php (the head of the page):
    PHP Code:
    #the id's below are the pages that are personal
    if ($_GET['id'] == || $_GET['id'] == || $_GET['id'] == 5)
    {
        if (!isset($_SESSION['login']))
        {
            header("Location: login.php");
        }
    }

    login.php:
    Code:
    <div id="content">
        <h1>Login vereist!</h1>
    
        <form action="includes/auth.php" method="post">
            <input type="text" name="usr" class="usrbg" /><br />
            <input type="password" name="passwd" class="passwdbg" /><br />
            <input type="submit" name="submit" value="submit" class="submit" title="Login" accesskey="s"/>
        </form>
    
    </div>
    auth.php:
    PHP Code:
    <?php
    if (isset($_POST['submit']))
    {
        require("../conf/db.php");

        $usr = $_POST['usr'];
        $passwd = $_POST['passwd'];

        $selectUsr = "
            SELECT *
            FROM " . GEBRUIKERS_TABLE . "
            WHERE username = '$usr'
            AND hash = '$passwd'";

        $getUsr = mysql_query($selectUsr) or die(mysql_error());

        if (mysql_num_rows($getUsr) > 0)
        {
            session_start();
            $_SESSION['login'] = true;
            header("Location: ../index.php");
        }
        else
        {
            header("Location: login.php");
        }
    }
    ?>
    When I enter session_start(); at the top of the header then I'm always logged in. You're only logged in when you enter the correct username and password.
    Do you Ubuntu?
    Mozilla Firefox!

  • #2
    are you destroying the session when you're logging out?
    Free php image upload script
    Personal web developing blog


    • #3
      Originally posted by kreoton
      are you destroying the session when you're logging out?
      No, I don't call session_destroy(); (there's no logout link at the site).
      At the top of the page I've to call session_start() to start the session, but if I do that then I'm always logged in, and you only get the session when you enter the correct username and password.
      Do you Ubuntu?
      Mozilla Firefox!


      • #4
        first off, the
        PHP Code:
        if (!isset($_SESSION['login'])) 
        doesn't look right to me.
        i would replace it with
        PHP Code:
        if (!$_SESSION['login']) 
        and then inside your authentication script, put this at the very top of your script
        PHP Code:
        session_start();
        $_SESSION['login'] = False;
        this will force everyone that requests/posts the login form, to be logged out.

        then your select statement
        PHP Code:
        $selectUsr = "
            SELECT *
            FROM " . GEBRUIKERS_TABLE . "
            WHERE username = '$usr'
            AND hash = '$passwd'";
        the hash = '$passwd'"; looks strange to me --> don't you need to hash the $_POST['passwd'] first? or are you storing the passwords as plain text?
        are you sure that you are getting a row returned with that condition?

        also, you are expecting only one row to be returned, so use
        PHP Code:
        if (mysql_num_rows($getUsr) == 1)
        which will automatically prevent some sql-injection attacks --> you should do some extra validation on the username and password to prevent sql-attacks...
        Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html


        • #5
          hey buddy - having session trouble are we?

          well I created a script that is put on my website... it uses sessions and works on only like 2-3 files.... and doesn't use a mysql but still allows unlimited users...it basically authenticates & redirects... you just put a snippet on every page you want protected.... if you are interested...

          http://qscriptz.abshost.net/scripts_myadmin.php

          good luck

          P.S. the script doesn't include any user editing capabilities or whatnot - you just edit the files manually.
          Everyone hears what you say, friends listen to what you say, best friends listen to what you don't say.
          Radio DJ Panel v3 - It's Here!


          • #6
            Originally posted by raf
            then your select statement
            PHP Code:
            $selectUsr = "
                SELECT *
                FROM " . GEBRUIKERS_TABLE . "
                WHERE username = '$usr'
                AND hash = '$passwd'";
            the hash = '$passwd'"; looks strange to me --> don't you need to hash the $_POST['passwd'] first? or are you storing the passwords as plain text?
            are you sure that you are getting a row returned with that condition?
            At this point, the password is plain text and if I log in it goes right, but still the session won't start at all.

            The SQL injections I know, I'll fix that later.

            The problem remains, this is my code now.

            header.php:
            PHP Code:
            <?php
            if ($_GET['id'] == || $_GET['id'] == || $_GET['id'] == 5)
            {
                if (!$_SESSION['login'])
                {
                    header("Location: login.php");
                }
            }
            ?>
            auth.php
            PHP Code:
            <?php
            session_start();
            $_SESSION['login'] = false;
            if (isset($_POST['submit']))
            {
                require("../conf/db.php");

                $usr = $_POST['usr'];
                $passwd = $_POST['passwd'];

                $selectUsr = "
                    SELECT *
                    FROM " . GEBRUIKERS_TABLE . "
                    WHERE username = '$usr'
                    AND hash = '$passwd'";

                $getUsr = mysql_query($selectUsr) or die(mysql_error());

                if (mysql_num_rows($getUsr) == 1)
                {
                    session_start();
                    $_SESSION['login'] = true;
                    header("Location: ../index.php");
                }
                else
                {
                    header("Location: ../login.php");
                }
            }
            ?>
            Do you Ubuntu?
            Mozilla Firefox!


            • #7
              @scriptz:
              Thanks, but I prefer to make one myself
              Do you Ubuntu?
              Mozilla Firefox!


              • #8
                Alright, I've fixed it!
                If I add this line in the header.php:
                PHP Code:
                <?php
                #the line below I added
                session_start();
                if ($_GET['id'] == || $_GET['id'] == || $_GET['id'] == 5)
                {
                    if (!$_SESSION['login'])
                    {
                        header("Location: login.php");
                    }
                }
                ?>
                I did that earlier but then it didn't work, but now it does. Thanks raf for your replies.
                Do you Ubuntu?
                Mozilla Firefox!


                • #9
                  you're welcome.
                  and you of course need to put the session_start() before the first call to a session-variable
                  Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html


                  • #10
                    Originally posted by raf
                    you're welcome.
                    and you of course need to put the session_start() before the first call to a session-variable
                    Yeah true, it's quite embarrassing...(sigh). But it is working now.
                    Do you Ubuntu?
                    Mozilla Firefox!
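
An added example (not code from any poster in this thread) that pulls together the points raised in #4 and #9: session_start() before any use of $_SESSION, a bound query parameter instead of string concatenation, and password_verify() against a stored hash. The users table, the function names and the in-memory SQLite database are assumptions, chosen so the script runs from the PHP CLI with pdo_sqlite.

```php
<?php
declare(strict_types=1);
// Added example, not the thread's code. Table layout and function names are assumptions.

function attempt_login(PDO $db, string $usr, string $passwd): bool
{
    // Bound parameter: the username is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT hash FROM users WHERE username = :usr');
    $stmt->execute([':usr' => $usr]);
    $hash = $stmt->fetchColumn();
    // Verify against a password_hash() value instead of comparing plain text in SQL.
    if ($hash === false || !password_verify($passwd, $hash)) {
        return false;
    }
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['login'] = true;
    return true;
}

function is_logged_in(): bool
{
    return isset($_SESSION['login']) && $_SESSION['login'] === true;
}

function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: login.php');
        exit; // without this the protected page still renders after the redirect
    }
}

// Constructed demo data: in-memory SQLite stands in for conf/db.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_save_path(sys_get_temp_dir()); // demo only, so the CLI run can write its session file
session_start(); // on every page, before the first read or write of $_SESSION

$results = [
    'before login'      => is_logged_in(),
    'quote in username' => attempt_login($db, "al'ice", 'correct horse'),
    'wrong password'    => attempt_login($db, 'alice', 'wrong'),
    'correct password'  => attempt_login($db, 'alice', 'correct horse'),
    'after login'       => is_logged_in(),
];
require_login(); // no redirect: the session now carries login === true
var_dump($results);
```

Results are collected and printed at the end because session_regenerate_id() must run before any output is sent.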