
Languages :: PHP :: Login w/ Sessions - Requires multiple attempts


By: meotaras U.S.A.  Date: 02/10/2003 00:00:00  English  Points: 300 Status: Answered
Quality : Excellent
I have a login script, which I believe functions correctly. Below is the login script. For some reason it requires multiple attempts of logging in before it finally authenticates. Then it will sporadically dump the session while I'm browsing the admin side and require me to log in again. Below is also the code at the top of each page that starts the session and redirects if the session isn't registered, preventing someone from typing a direct pathname to enter the administrator side. Open to suggestions for complete code re-write or any errors that you can see identified. Just really need this to function smoothly.

================= login.php ==================

<? /*
This file will be used to check the login of the user and see if it is valid or not.
If the login is valid, it will create a session for them, and send them into the admin
side otherwise it will give them an error.
*/

$wrongPassUser = false;
$submit = $_REQUEST['login'];
session_start();
include("Mysql.php"); //include the class file
if($submit)
{
    $mysql = new Mysql(); //instantiate the new class
    $username = $_REQUEST['username']; //get username and password
    $password = $_REQUEST['password'];

    $mysql->connectTo(); //connect to mysql

    $query = "SELECT * FROM users WHERE username= '".$username."'";

    $result = $mysql->query($query); //get the result
    $mysql->closeLink(); //close the connection to mysql
    if($row = mysql_fetch_array($result))
    {
        if($password == $row['password'])
        {
            $_SESSION['logged'] = true; //user is logged in
            $_SESSION['username'] = $username; //write their username to the session
            if($_SESSION['logged'] == true)
            { //if they're logged, send them in
                header("Location: index.php");
            }
        }//end if
        else
        { //otherwise set the flag to true
            $wrongPassUser = true;
        }
    }
}
?>

============== index.php ===============

<? session_start(); /**** Starts session and allows login if valid ****/
if($_SESSION['logged'] != true)
{
header("Location: oursite.com/login.php");
}
?>
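
Added example, not part of the original post: one way to write the same login and per-page guard with a parameterized query, a hashed-password check, a new session id on login, and an exit after every redirect so the rest of the page never runs. The PDO DSN and credentials, the users.password_hash column and the helper names start_admin_session, require_login and try_login are assumptions; the cookie options need PHP 7.3 or later and an HTTPS site.

```php
<?php
// Assumptions (not from the post): placeholder PDO DSN/credentials, and a
// users.password_hash column filled by password_hash() at account creation.
// In a real site the three functions would live in a shared include file.

function start_admin_session(): void
{
    // One cookie for the whole site; 'secure' assumes the site is on HTTPS.
    session_set_cookie_params(['path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call at the top of every admin page instead of the inline check.
function require_login(): void
{
    start_admin_session();
    if (empty($_SESSION['logged'])) {
        header('Location: /login.php');  // site-root path (assumed location)
        exit;                            // without this the page still renders
    }
}

function try_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);         // fresh id once the user is authenticated
    $_SESSION['logged'] = true;
    $_SESSION['username'] = $row['username'];
    return true;
}

// login.php body: only act on a submitted form.
start_admin_session();
$wrongPassUser = false;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new PDO('mysql:host=localhost;dbname=example', 'app_user', 'placeholder',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $wrongPassUser = !try_login($db, (string) ($_POST['username'] ?? ''),
                                (string) ($_POST['password'] ?? ''));
    if (!$wrongPassUser) {
        header('Location: index.php');
        exit;
    }
}
```
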
By: VGR Date: 02/10/2003 04:34:00 English  Type : Comment
sorry, I never use classes, but trivially, you don't even test the $result value before doing the mysql_fetch_array()...

the rest is overly complicated (sophisticated, in the proper sense)
By: meotaras Date: 02/10/2003 04:40:00 English  Type : Comment
Class just contains connection string info w/ usernames/passwords etc. Doesn't really make much of a difference in regards to the rest of the code.
By: VGR Date: 02/10/2003 04:44:00 English  Type : Comment
not to my eyes 8-)

it's unreadable as it is now, sorry :D

for instance you do :
$mysql->closeLink(); //close the connection to mysql
if($row = mysql_fetch_array($result))


is it allowed to close the link AND THEN perform nevertheless some fetch_array() calls ?

What does then do the closelink() ?

you see ? Your coding is unknown to me, so I can't understand fully what your code does...
By: inq123 Date: 02/10/2003 06:05:00 English  Type : Comment
I've had a similar problem before until I finally tracked it down. It might apply to your problem too. Anyway I found that for example, the login page has this URL: "http://www.mydomain.com/login.php", and then I log in, browse around, and one page on my site actually uses a URL like "http://123.456.7.8/whatever.php", then suddenly I'm required to login again! Without checking in detail, it's rather obvious that php session handling by default recorded the url info for the session, and if you change to another style, even if that IP address corresponds to www.mydomain.com, you'll be asked to log in again. If the first page after login.php uses a different URL, you'll find that you'll immediately be asked to login again after you already logged in!

What I did to fix this problem is to use relative links in all pages after login, relative to site root (doesn't need to be apache root) that is. Never had to login twice again.
By: VGR Date: 02/10/2003 06:09:00 English  Type : Comment
oh yes : sessions are domain-specific :D
By: meotaras Date: 02/10/2003 06:15:00 English  Type : Comment
Yes, we never leave the domain...actually it appears as though after moving the $mysql->closeLink(); to the bottom portion of the script as VGR stated I am able to login consistently on the first attempt. However I am still getting kicked out randomly. All pages are under the "Admin" folder, then within sub folders. Example: Admin/Maintenance/index.php, Admin/AdministrationTools/index.php, Admin/DatabaseTools/index.php...etc. All use same domain.

is there anything that I should be checking that I'm not within this code that redirects the user if not valid session id?

============== index.php ===============

<? session_start(); /**** Starts session and allows login if valid ****/
if($_SESSION['logged'] != true)
{
header("Location: oursite.com/login.php");
}
?>
By: VGR Date: 02/10/2003 06:35:00 English  Type : Answer
I don't know, but Booleans are used this way :

<?
session_start(); /**** Starts session and allows login if valid ****/
if(! $_SESSION['logged']) header("Location: oursite.com/login.php");
?>

my suggestion : create a test page containing this code :
<?php
session_start();
echo 'you are '.(($_SESSION['logged'])?'':'not').' logged in
';
?>

open it using Ctrl-N when browsing your domain, after successful first login.

navigate a bit, refresh the secondary page after each link following or action

this way you'll perhaps see WHEN (and thus WHY) you lose your session

it must be something in the same vein as the closeLink() story above
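
Added example, not part of VGR's answer: a variant of the surveillance idea that writes one log line per request, so a dropped session can be classified as "cookie not sent" (host or path mismatch) versus "cookie sent but data gone" (session file removed or expired). The function names and the log path are assumptions; the session id is logged only as a hash prefix.

```php
<?php
// Assumption: the log path is a placeholder and must be outside the web root.
const SESSION_TRACE_LOG = '/path/outside/webroot/session_trace.log';

function classify_session_state(?string $cookieId, string $activeId, bool $logged): string
{
    if ($cookieId === null) {
        return 'no-cookie';     // browser sent no session cookie for this host/path
    }
    if ($cookieId !== $activeId) {
        return 'id-replaced';   // a different id is active (e.g. strict mode rejected it)
    }
    return $logged ? 'ok' : 'data-missing';  // id accepted, stored data gone or never set
}

// Call in place of session_start() at the top of each admin page.
function trace_session(): string
{
    $raw = $_COOKIE[session_name()] ?? null;
    $cookieId = is_string($raw) ? $raw : null;
    session_start();
    $state = classify_session_state($cookieId, session_id(), !empty($_SESSION['logged']));
    $record = [
        'time' => date('c'),
        'state' => $state,
        'host' => $_SERVER['HTTP_HOST'] ?? '-',
        'uri' => $_SERVER['REQUEST_URI'] ?? '-',
        // Hash prefix correlates requests without writing a usable session id.
        'sid' => substr(hash('sha256', session_id()), 0, 12),
        'save_path' => session_save_path(),
        'gc_maxlifetime' => ini_get('session.gc_maxlifetime'),
        'cookie_domain' => ini_get('session.cookie_domain'),
    ];
    // json_encode escapes newlines, so request data cannot forge log lines.
    error_log(json_encode($record) . "\n", 3, SESSION_TRACE_LOG);
    return $state;
}
```

A run of no-cookie entries whose host differs from the login host points at the hostname mismatch inq123 describes; data-missing with an unchanged sid points at the session store.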
By: meotaras Date: 02/10/2003 06:35:00 English  Type : Comment
Yeah, nevermind...moving the closelink() didn't help any...
By: inq123 Date: 02/10/2003 06:37:00 English  Type : Comment
interesting. that means you closed the connection in ->closeLink and probably crashed script when mysql_fetch_array's called, but sometimes you still could log in?

BTW, How long does it take for you to be randomly logged out? Is it just the cookie timed out?
By: meotaras Date: 02/10/2003 06:40:00 English  Type : Comment
I get logged out very sporadically, anywhere from 5 seconds - 3 or 4 minutes. I believe the config file is set up for at least 20 minutes so I don't think that is it. I can always log in, it just sometimes takes multiple attempts. Sometimes just 1 though.
By: inq123 Date: 02/10/2003 06:42:00 English  Type : Comment
back to the domain thing: even if you're always on the same domain, but if you have domain shorthand (like for example your machine's setup to add suffix automatically) and full domain name mixed, you'd be kicked out too. Anyway, it might still not be the cause, and cookie's not the problem if it's so frequently kicked out.

Is there any cron job cleaning your /tmp directory frequently?
By: VGR Date: 02/10/2003 06:46:00 English  Type : Comment
also a possibility : are you running on a FAT16 volume ?
By: meotaras Date: 02/10/2003 06:48:00 English  Type : Comment
We are using a hosting service, I have talked to them about the session variables being dropped and they have assured me that other people have no problems...which you can't entirely believe but with no access to the config file it's hard to tell, I guess I just have to trust that everything is correct and it's me. And I guess I don't 100% understand your in regards to the suffix, or coding the domain shorthand. Do you feel we should always use the full domain...http://www.domainname.com/Admin/Maintenance/index.php over ..Admin/Maintenance/index.php?

Also all navigation is in a header file that we include. It is quite possible that this could be causing conflicts.
By: VGR Date: 02/10/2003 06:53:00 English  Type : Comment
noooo


but try my idea of the "session surveillance" page. It will react BEFORE you are thrown out.

An other possibility : don't do the header("Location: ...") in case the session isn't set (temporarily) but print out a message, for instance dumping the $_SESSION[] array. The page you came from is the culprit
By: inq123 Date: 02/10/2003 07:06:00 English  Type : Comment
what I meant by domain shorthand is that for example, you have a machine with domain name mydomain.mycompany.com, type in http://mydomain (a shorthand) into your browser, it might just work simply because your machine was configured to automatically add mycompany.com to the shorthand. And PHP for session purpose would regard mydomain.mycompany.com and mydomain as different names, and different authentications. This also means that PHP is probably using some simple server variables for session purpose instead of getting domain name from the server machine or configuration. But this might not be the problem for your session.

The reason I asked for cron job cleaning is that session stores info in /tmp unless configured differently. And if your web server for fear that /tmp might be stuffed up by user's tmp files, they might run something to clean /tmp frequently and get rid of your session info.
By: VGR Date: 03/10/2003 03:17:00 English  Type : Comment
it would be a grande première for me to see some process cleaning the /tmp directory... :D
