problems with sessions and login.php

Expand Post »

For some strange reason I am having problems with sessions, ainly in safari I believe which is wierd considering php is a server-side programming language. anyways, when a person goes to /cp (control panel) for example, it redirects them to login.php?url=/cp. then they login, the sessions are created, and then it redirects them to /cp. but for some strange reason if there is $_GET['url'], the session is only set for the pages in the /cp directory, even if the $_GET['url'] is in the same directory as login.php. Its strange. can anyone help me out?

Login.php

PHP Syntax (Toggle Plain Text)
<?
ob_start();
session_start();
include ("config.php");
 
?>
 
<html>
 
<head>
<title>login</title>
<LINK REL=StyleSheet HREF="/style.css" TITLE="main" TYPE="text/css">
</head>
 
<body background="bg.bmp">
 
 
 
 
<?require 'header.php';?>
<h2>Login</h2>
 
<?
if ($logged_in){
echo "you are already logged in!";
}else
{
 
if ($_POST['username'] || $_POST['password'])
{
$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh); 
 
$result=mysql_query("SELECT * FROM `members` WHERE `username`='".$_POST['username']."' AND `password`='".$_POST['password']."'") or die ("error in login.php" . mysql_error());
 
 
if (!$_POST['username'] || !$_POST['password']){
echo "<div id='error'>Please fill in all fields</div>";
}
 
else if (mysql_num_rows($result)==0){
echo "<div id='error'>That username/password you entered is incorrect</div>";
}
else
{
if(isset($_POST['rememberme'])){
      setcookie("username", $_POST['username'], time()+60*60*24*100, "/");
      setcookie("password", $_POST['password'], time()+60*60*24*100, "/");
   }
$_SESSION['username']=$_POST['username'];
$_SESSION['password']=$_POST['password'];
session_write_close();
header("location:".$_GET['url']);
exit;
}
}
if (!$_GET['url'])
$_GET['url']="/cp";
?>
Please enter your username and password to continue
<form method="post" action="/login.php?url=<?echo $_GET['url']?>">
<table border="0">
<tr><td>Username:</td><td><input type="text" name="username" size="20"></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" size="20"></td></tr>
 
<tr><td></td><td><input type="checkbox" name="rememberme">Remember me?</td></tr>
<tr><td></td><td><input type="submit" value="login"></td></tr>
<tr><td></td><td><a href="/forgot.php">forgot password?</a></td></tr>
<tr><td></td><td><a href="/register.php">not registered?</a></td></tr>
</table>
</form>
 
<?
}
include('footer.php');?>
</body>
 
</html>
<?ob_end_flush();?>
<?
ob_start();
session_start();
include ("config.php");

?>

<html>

<head>
<title>login</title>
<LINK REL=StyleSheet HREF="/style.css" TITLE="main" TYPE="text/css">
</head>

<body background="bg.bmp">




<?require 'header.php';?>
<h2>Login</h2>

<?
if ($logged_in){
echo "you are already logged in!";
}else
{

if ($_POST['username'] || $_POST['password'])
{
$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh); 

$result=mysql_query("SELECT * FROM `members` WHERE `username`='".$_POST['username']."' AND `password`='".$_POST['password']."'") or die ("error in login.php" . mysql_error());


if (!$_POST['username'] || !$_POST['password']){
echo "<div id='error'>Please fill in all fields</div>";
}

else if (mysql_num_rows($result)==0){
echo "<div id='error'>That username/password you entered is incorrect</div>";
}
else
{
if(isset($_POST['rememberme'])){
      setcookie("username", $_POST['username'], time()+60*60*24*100, "/");
      setcookie("password", $_POST['password'], time()+60*60*24*100, "/");
   }
$_SESSION['username']=$_POST['username'];
$_SESSION['password']=$_POST['password'];
session_write_close();
header("location:".$_GET['url']);
exit;
}
}
if (!$_GET['url'])
$_GET['url']="/cp";
?>
Please enter your username and password to continue
<form method="post" action="/login.php?url=<?echo $_GET['url']?>">
<table border="0">
<tr><td>Username:</td><td><input type="text" name="username" size="20"></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" size="20"></td></tr>

<tr><td></td><td><input type="checkbox" name="rememberme">Remember me?</td></tr>
<tr><td></td><td><input type="submit" value="login"></td></tr>
<tr><td></td><td><a href="/forgot.php">forgot password?</a></td></tr>
<tr><td></td><td><a href="/register.php">not registered?</a></td></tr>
</table>
</form>

<?
}
include('footer.php');?>
</body>

</html>
<?ob_end_flush();?>

config.php

PHP Syntax (Toggle Plain Text)
<?
 $host=""; //host
 $user=""; //username
$pass=""; //password
$database=""; //db
 
function confirmUser($username, $password){
 global $host;
 global $user;
global $pass;
global $database;
 
 
   if(!get_magic_quotes_gpc()) {
	//$username = addslashes($username);
   }
 
$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh); 
 
   $q = "SELECT `password` FROM `members` WHERE `username`= '".$username."'";
   $result = mysql_query($q) or die("error in config.php".mysql_error());
   if(!$result || (mysql_num_rows($result) < 1)){
      return 1; //Indicates username failure
   }
 
   $dbarray = mysql_fetch_array($result);
   $dbarray['password']  = stripslashes($dbarray['password']);
   $password = stripslashes($password);
 
   /* Validate that password is correct */
   if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}
 
function checkLogin(){
   /* Check if user has been remembered */
   if(isset($_COOKIE['username']) && isset($_COOKIE['password'])){
      $_SESSION['username'] = $_COOKIE['username'];
      $_SESSION['password'] = $_COOKIE['password'];
   }
 
   /* Username and password have been set */
   if(isset($_SESSION['username']) && isset($_SESSION['password'])){
      /* Confirm that username and password are valid */
      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
         /* Variables are incorrect, user not logged in */
         unset($_SESSION['username']);
         unset($_SESSION['password']);
         return false;
      }
      return true;
   }
   /* User not logged in */
   else{
      return false;
   }
}
global $logged_in;
$logged_in = checkLogin();
function checkAccess(){
if (checkLogin()==true){
 global $host;
 global $user;
global $pass;
global $database;
$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh); 
$result=mysql_query("SELECT `access` FROM `members` WHERE `username`='".$_SESSION['username']."' AND `access`=1") or die (mysql_error());
if (mysql_num_rows($result)==0){
return false;
echo "<script>alert('not enough access')</script>";
}
else{
return true;
}
 
}
else{
return false;
echo "not logged in";
}
}
global $check_access;
$check_access=checkAccess();
?>
<?
 $host=""; //host
 $user=""; //username
$pass=""; //password
$database=""; //db

function confirmUser($username, $password){
 global $host;
 global $user;
global $pass;
global $database;


   if(!get_magic_quotes_gpc()) {
	//$username = addslashes($username);
   }

$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh); 

   $q = "SELECT `password` FROM `members` WHERE `username`= '".$username."'";
   $result = mysql_query($q) or die("error in config.php".mysql_error());
   if(!$result || (mysql_num_rows($result) < 1)){
      return 1; //Indicates username failure
   }

   $dbarray = mysql_fetch_array($result);
   $dbarray['password']  = stripslashes($dbarray['password']);
   $password = stripslashes($password);

   /* Validate that password is correct */
   if($password == $dbarray['password']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

function checkLogin(){
   /* Check if user has been remembered */
   if(isset($_COOKIE['username']) && isset($_COOKIE['password'])){
      $_SESSION['username'] = $_COOKIE['username'];
      $_SESSION['password'] = $_COOKIE['password'];
   }

   /* Username and password have been set */
   if(isset($_SESSION['username']) && isset($_SESSION['password'])){
      /* Confirm that username and password are valid */
      if(confirmUser($_SESSION['username'], $_SESSION['password']) != 0){
         /* Variables are incorrect, user not logged in */
         unset($_SESSION['username']);
         unset($_SESSION['password']);
         return false;
      }
      return true;
   }
   /* User not logged in */
   else{
      return false;
   }
}
global $logged_in;
$logged_in = checkLogin();
function checkAccess(){
if (checkLogin()==true){
 global $host;
 global $user;
global $pass;
global $database;
$dbh=mysql_connect($host, $user, $pass) or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db($database, $dbh); 
$result=mysql_query("SELECT `access` FROM `members` WHERE `username`='".$_SESSION['username']."' AND `access`=1") or die (mysql_error());
if (mysql_num_rows($result)==0){
return false;
echo "<script>alert('not enough access')</script>";
}
else{
return true;
}

}
else{
return false;
echo "not logged in";
}
}
global $check_access;
$check_access=checkAccess();
?>

Similar Threads

Setting up a form in PHP in PHP
Trying to create a login system in PHP
Php Syntax Error in PHP
question about connecting odbc to sql through php script in PHP

cjm771

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

10 posts
since Nov 2004

Permalink

Sep 1st, 2006

Re: problems with sessions and login.php

Hello I do not know the answer to your problem but I noticed you are outputting HTML to the browser before calling the header(); function.

You may get errors doing that.

Barnz

Reputation Points: 10

Solved Threads: 0

Junior Poster in Training

Offline

53 posts
since Jan 2006

Permalink

Sep 1st, 2006

Re: problems with sessions and login.php

Hi cjm771,

In your login form, you're setting the action of the form to:

/login.php?url=<?echo $_GET['url']?>

The form sends its data to the server via HTTP POST and you have a URI string that would usually be sent via a HTTP GET.
It usually works, but maybe Safari isn't sending the url param for some reason?
What you could do is use a hidden field instead of appending it to the url.
<input type="hidden" name="url" value="<?php echo $_POST['url']; ?>" />

Quote ...

but for some strange reason if there is $_GET['url'], the session is only set for the pages in the /cp directory, even if the $_GET['url'] is in the same directory as login.php.

Isnt sessions limited only by domain? It doesnt matter which directory is it.

The frequent problem is if you redirect to say: http://www.example.com/ when you set the session for http://example.com
Browsers treat www.example.com as a different domain from example.com

Its a bit hard to read your code, I suggest you seperate the database connection into a seperate class or function. Maybe just calling functions instead of making database calls in login.php (so that all the functions that call the database are in config.php or a seperate file). Just a suggestion.

digital-ether

Moderator

Reputation Points: 457

Solved Threads: 101

Nearly a Posting Virtuoso

Offline

1,250 posts
since Sep 2005

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in PHP Forum Timeline: unexpected T_STRING

Next Thread in PHP Forum Timeline: Classes In Php

DaniWeb Message

Cancel Changes

User Name
Password