DaniWeb IT Discussion Community

cjm771 Aug 28th, 2006 4:54 pm
problems with sessions and login.php
 
For some strange reason I am having problems with sessions, mainly in Safari I believe, which is weird considering PHP is a server-side programming language. Anyways, when a person goes to /cp (control panel) for example, it redirects them to login.php?url=/cp. Then they log in, the sessions are created, and then it redirects them to /cp. But for some strange reason if there is $_GET['url'], the session is only set for the pages in the /cp directory, even if the $_GET['url'] is in the same directory as login.php. It's strange. Can anyone help me out?

Login.php
<?
ob_start();
session_start();
include ("config.php");

?>

<html>

<head>
<title>login</title>
<LINK REL=StyleSheet HREF="/style.css" TITLE="main" TYPE="text/css">
</head>

<body background="bg.bmp">




<?require 'header.php';?>
<h2>Login</h2>

<?
if ($logged_in){
echo "you are already logged in!";
}else
{

if ($_POST['username'] || $_POST['password'])
{
$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh);

$result=mysql_query("SELECT * FROM `members` WHERE `username`='".$_POST['username']."' AND `password`='".$_POST['password']."'") or die ("error in login.php" . mysql_error());


if (!$_POST['username'] || !$_POST['password']){
echo "<div id='error'>Please fill in all fields</div>";
}

else if (mysql_num_rows($result)==0){
echo "<div id='error'>That username/password you entered is incorrect</div>";
}
else
{
if(isset($_POST['rememberme'])){
      setcookie("username", $_POST['username'], time()+60*60*24*100, "/");
      setcookie("password", $_POST['password'], time()+60*60*24*100, "/");
  }
$_SESSION['username']=$_POST['username'];
$_SESSION['password']=$_POST['password'];
session_write_close();
header("location:".$_GET['url']);
exit;
}
}
if (!$_GET['url'])
$_GET['url']="/cp";
?>
Please enter your username and password to continue
<form method="post" action="/login.php?url=<?echo $_GET['url']?>">
<table border="0">
<tr><td>Username:</td><td><input type="text" name="username" size="20"></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" size="20"></td></tr>

<tr><td></td><td><input type="checkbox" name="rememberme">Remember me?</td></tr>
<tr><td></td><td><input type="submit" value="login"></td></tr>
<tr><td></td><td><a href="/forgot.php">forgot password?</a></td></tr>
<tr><td></td><td><a href="/register.php">not registered?</a></td></tr>
</table>
</form>

<?
}
include('footer.php');?>
</body>

</html>
<?ob_end_flush();?>
config.php
<?
 $host=""; //host
 $user=""; //username
$pass=""; //password
$database=""; //db

function confirmUser($username, $password){
 global $host;
 global $user;
global $pass;
global $database;


  if(!get_magic_quotes_gpc()) {
        //$username = addslashes($username);
  }

$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh);

  $q = "SELECT `password` FROM `members` WHERE `username`= '".$username."'";
  $result = mysql_query($q) or die("error in config.php".mysql_error());
  if(!$result || (mysql_num_rows($result) < 1)){
      return 1; //Indicates username failure
  }

  $dbarray = mysql_fetch_array($result);
  $dbarray['password']  = stripslashes($dbarray['password']);
  $password = stripslashes($password);

  /* Validate that password is correct */
  if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
  }
  else{
      return 2; //Indicates password failure
  }
}

function checkLogin(){
  /* Check if user has been remembered */
  if(isset($_COOKIE['username']) && isset($_COOKIE['password'])){
      $_SESSION['username'] = $_COOKIE['username'];
      $_SESSION['password'] = $_COOKIE['password'];
  }

  /* Username and password have been set */
  if(isset($_SESSION['username']) && isset($_SESSION['password'])){
      /* Confirm that username and password are valid */
      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
        /* Variables are incorrect, user not logged in */
        unset($_SESSION['username']);
        unset($_SESSION['password']);
        return false;
      }
      return true;
  }
  /* User not logged in */
  else{
      return false;
  }
}
global $logged_in;
$logged_in = checkLogin();
function checkAccess(){
if (checkLogin()==true){
 global $host;
 global $user;
global $pass;
global $database;
$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh);
$result=mysql_query("SELECT `access` FROM `members` WHERE `username`='".$_SESSION['username']."' AND `access`=1") or die (mysql_error());
if (mysql_num_rows($result)==0){
return false;
echo "<script>alert('not enough access')</script>";
}
else{
return true;
}

}
else{
return false;
echo "not logged in";
}
}
global $check_access;
$check_access=checkAccess();
?>

Barnz Sep 1st, 2006 1:00 pm
Re: problems with sessions and login.php
 
Hello, I do not know the answer to your problem, but I noticed you are outputting HTML to the browser before calling the header(); function.

You may get errors doing that.

digital-ether Sep 1st, 2006 4:30 pm
Re: problems with sessions and login.php
 
Hi cjm771,

In your login form, you're setting the action of the form to:

/login.php?url=<?echo $_GET['url']?>

The form sends its data to the server via HTTP POST and you have a URI string that would usually be sent via an HTTP GET.
It usually works, but maybe Safari isn't sending the url param for some reason?
What you could do is use a hidden field instead of appending it to the url.
<input type="hidden" name="url" value="<?php echo $_POST['url']; ?>" />

Quote:

but for some strange reason if there is $_GET['url'], the session is only set for the pages in the /cp directory, even if the $_GET['url'] is in the same directory as login.php.

Aren't sessions limited only by domain? It doesn't matter which directory it is.

The frequent problem is if you redirect to, say, http://www.example.com/ when you set the session for http://example.com.
Browsers treat www.example.com as a different domain from example.com.

It's a bit hard to read your code; I suggest you separate the database connection into a separate class or function. Maybe just calling functions instead of making database calls in login.php (so that all the functions that call the database are in config.php or a separate file). Just a suggestion.
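
Added example, not part of the original thread and not any poster's code: one way to write the login handler discussed above so that the `url` redirect target, the credential lookup and the session cookie are all handled before any HTML is sent. It assumes PHP 7.3+ with PDO and a hypothetical `password_hash` column in `members`; the function names are illustrative.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ with PDO and a
// hypothetical `password_hash` column (written with password_hash()) in `members`.

// Accept only a same-site path such as "/cp"; anything else falls back to /cp.
function safe_redirect_target($url, string $default = '/cp'): string
{
    if (!is_string($url) || $url === '' || $url[0] !== '/') {
        return $default;                      // absolute URLs, arrays, empty values
    }
    if (preg_match('#^/[/\\\\]|[\x00-\x1f]#', $url)) {
        return $default;                      // "//host", "/\host", CR/LF, control bytes
    }
    return $url;
}

// Look the user up with a bound parameter and compare against the stored hash.
function verify_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT `password_hash` FROM `members` WHERE `username` = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();             // false when no such user
    return is_string($hash) && password_verify($password, $hash);
}

// Call before any HTML is sent, so the cookie and Location headers can still be set.
// Returns an error message for the form, or redirects and exits on success.
function handle_login(PDO $db, array $post): ?string
{
    $target = safe_redirect_target($post['url'] ?? null);   // from the hidden field
    $user = is_string($post['username'] ?? null) ? $post['username'] : '';
    $pass = is_string($post['password'] ?? null) ? $post['password'] : '';
    if ($user === '' || $pass === '') {
        return 'Please fill in all fields';
    }
    if (!verify_login($db, $user, $pass)) {
        return 'That username/password you entered is incorrect';
    }
    // One cookie for the whole site; add 'secure' => true when served over HTTPS.
    session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);              // new session id after authentication
    $_SESSION['username'] = $user;            // identity only, never the password
    header('Location: ' . $target);
    exit;
}
```

When the form is rendered, the hidden `url` field should carry `htmlspecialchars(safe_redirect_target($_GET['url'] ?? null), ENT_QUOTES)` so the value is both a local path and safely quoted in the attribute.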


All times are GMT -4.