I'm having a bit of bad luck with sessions. In the past they have worked fine for me, but this time around I'm having terrible luck. Basically, I made the crappiest login system ever. I'm using sessions to store three bits of information: 1) metadata which consists of the username, password, and salt; 2) database row id; 3) username.
Here is my code to login/out the user:
<?php
/**
* Copyright 2009 Steven
*/
session_start();
session_regenerate_id();
define('IN_VOCAB',true);
require('init.php');
// Get POST values
foreach( $_POST as $key => $value )
{
$$key = clean($value,true);
}
switch( $_SERVER['QUERY_STRING'] )
{
case 'login':
// MD5 password
$password = md5($password);
// Validate user exists
$user_val_query = $db->query("SELECT * FROM `users` WHERE `username`='{$username}' AND `password`='{$password}' LIMIT 1");
if( mysql_num_rows($user_val_query) > 0 )
{
// User exists; set sessions
$salt = substr(md5(date('F')),8);
$user = mysql_fetch_assoc($user_val_query);
$_SESSION['steven_vocab.user.meta'] = $username.$password.$salt;
$_SESSION['steven_vocab.user.id'] = $user['id'];
$_SESSION['steven_vocab.user.name'] = $user['username'];
// Logged in
echo message('You have been successfully logged in as '.$username.'!','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
}
else
{
fatal_error('Incorrect username and/or password. <a href="'.$site_url.'">Please try again</a>.');
}
break;
case 'logout':
// Make sure user is logged in
require($sys_inc_path.'user_check.php');
// Unset session vars
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
echo message('You have been successfully logged out.','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
break;
default:
fatal_error('Invalid request.');
}
?>
And here is my code to check and validate the user:
<?php
/**
* Copyright 2009 Steven
*/
if( !defined('IN_VOCAB') )
{
echo 'Direct access to this file is not allowed.';
exit;
}
// Check for session
if( !isset($_SESSION['steven_vocab.user.meta']) || !isset($_SESSION['steven_vocab.user.id']) || !isset($_SESSION['steven_vocab.user.name']) )
{
show('login_form.html',null,true);
}
// Session exists; validate
$salt = substr(md5(date('F')),8);
$id = $_SESSION['steven_vocab.user.id'];
$meta = $_SESSION['steven_vocab.user.meta'];
$user_info_query = $db->query("SELECT * FROM `users` WHERE `id`='{$id}' LIMIT 1");
if( mysql_num_rows($user_info_query) > 0 )
{
// User exists, check username and password
$user = mysql_fetch_assoc($user_info_query);
if( ($user['username'].$user['password'].$salt) != $meta )
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('Invalid session metadata. <a href="'.$site_url.'">Please login again</a>.');
}
}
else
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('User cannot be found. <a href="'.$site_url.'">Please login again</a>.');
}
// The user is logged in and validated; check IP address
$user_ip = $_SERVER['REMOTE_ADDR'];
$check_ip_query = $db->query("SELECT `ip` FROM `users` WHERE `id`='{$user['id']}' LIMIT 1");
if( mysql_num_rows($check_ip_query) > 0 )
{
$stored_ip = mysql_result($check_ip_query,0,'ip');
// Check if empty
if( empty($stored_ip) )
{
// Update IP
$ip_update_query = $db->query("UPDATE `users` SET `ip`='{$user_ip}' WHERE `id`='{$user['id']}' LIMIT 1");
}
else
{
// Check if current IP is same
if( $stored_ip != $user_ip )
{
// Send me a text and log it
$ip_log_data = time().' - Username "'.$user['username'].'" accessed site from IP "'.$user_ip.'" while stored IP is "'.$stored_ip.'" : ID'.$user['id'];
file_put_contents($sys_inc_path_admin.'ip_log.txt',$ip_log_data."nn",FILE_APPEND);
@mail('5555555555@vtext.com','IP Confliction: Vocab',$ip_log_data);
}
}
}
// Output info
$username = $_SESSION['steven_vocab.user.name'];
echo '<div id="user_meta">Welcome back, ',$username,'!<br />» <a href="',$site_url,'user.php?logout">Logout</a> «</div>';
?>
When I log in, everything runs smoothly and it works perfectly. I can log in as anyone and I always have the proper access level, etc. However, when anyone else tries to log in, he or she gets the Invalid metadata message (check code). I've been swapping code in and out all day and nothing seems to fix their problems, except it works fine for me. Can anyone see anything blatantly obvious in the above code?
how to configure ADS in ABAP instance
Hi All,
Windows Authentication
I have a website which is windows authenticated.now i want something more on this application.I want to add login as different user link which will open the login form to authenticate other user
PHP Mysql Staff Induction System
Hi there, I'm pretty new to PHP and Mysql so could really do with being pointed in the right direction with this problem I have.I am trying to set up a system induct new members of staff onto their
Inserting 100x and 100y coordinates in mysql table - easy
Is there a way to insert this data into a mysql table named 'map' with the fields: 'x int 3' , 'y int 3' in an easy way with maybe a for loop or something?I want the data entered to be like this:0x
Help with echo()
I'm having some problems with this code:Code: echo ' <A
ob_ dynamic content
i was wondering about the potential to use ob to create a <div then remove it when the page has finished loading? ie loading cover.
Parse error: syntax error, unexpected T_ELSEIF in /home/......html/item.php on l
I do not know what is wrong with this. Hope some one can help. I do nto want to post the entire site because it is to long. However, here is the few lines:$TPL_closed_auctions_list .=
quick question about System Change Number(SCN) in FlashBack Query topic
i know tht we can get the SCN of the database using flashback concept as follows
noob cURL help
I have a pretty basic form that I need to cURL post to a file in my includes folder (includes/login.inc.php). I have never used cURL and cant find any good tutorials online so you guys are my last
ctype() validation - allowing illegal characters
Hello,I use ctype() to filter and validate a user form. However, I am trying to allow certain characters.Example:Code: [Select]//Validate Copay $allow = array('$', '.'); if (!empty($copay)
