I'm having a bit of bad luck with sessions. In the past they have worked fine for me, but this time around I'm having terrible luck. Basically, I made the crappiest login system ever. I'm using sessions to store three bits of information: 1) metadata which consists of the username, password, and salt; 2) database row id; 3) username.
Here is my code to login/out the user:
<?php
/**
* Copyright 2009 Steven
*/
session_start();
session_regenerate_id();
define('IN_VOCAB',true);
require('init.php');
// Get POST values
foreach( $_POST as $key => $value )
{
$$key = clean($value,true);
}
switch( $_SERVER['QUERY_STRING'] )
{
case 'login':
// MD5 password
$password = md5($password);
// Validate user exists
$user_val_query = $db->query("SELECT * FROM `users` WHERE `username`='{$username}' AND `password`='{$password}' LIMIT 1");
if( mysql_num_rows($user_val_query) > 0 )
{
// User exists; set sessions
$salt = substr(md5(date('F')),8);
$user = mysql_fetch_assoc($user_val_query);
$_SESSION['steven_vocab.user.meta'] = $username.$password.$salt;
$_SESSION['steven_vocab.user.id'] = $user['id'];
$_SESSION['steven_vocab.user.name'] = $user['username'];
// Logged in
echo message('You have been successfully logged in as '.$username.'!','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
}
else
{
fatal_error('Incorrect username and/or password. <a href="'.$site_url.'">Please try again</a>.');
}
break;
case 'logout':
// Make sure user is logged in
require($sys_inc_path.'user_check.php');
// Unset session vars
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
echo message('You have been successfully logged out.','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
break;
default:
fatal_error('Invalid request.');
}
?>
And here is my code to check and validate the user:
<?php
/**
* Copyright 2009 Steven
*/
if( !defined('IN_VOCAB') )
{
echo 'Direct access to this file is not allowed.';
exit;
}
// Check for session
if( !isset($_SESSION['steven_vocab.user.meta']) || !isset($_SESSION['steven_vocab.user.id']) || !isset($_SESSION['steven_vocab.user.name']) )
{
show('login_form.html',null,true);
}
// Session exists; validate
$salt = substr(md5(date('F')),8);
$id = $_SESSION['steven_vocab.user.id'];
$meta = $_SESSION['steven_vocab.user.meta'];
$user_info_query = $db->query("SELECT * FROM `users` WHERE `id`='{$id}' LIMIT 1");
if( mysql_num_rows($user_info_query) > 0 )
{
// User exists, check username and password
$user = mysql_fetch_assoc($user_info_query);
if( ($user['username'].$user['password'].$salt) != $meta )
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('Invalid session metadata. <a href="'.$site_url.'">Please login again</a>.');
}
}
else
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('User cannot be found. <a href="'.$site_url.'">Please login again</a>.');
}
// The user is logged in and validated; check IP address
$user_ip = $_SERVER['REMOTE_ADDR'];
$check_ip_query = $db->query("SELECT `ip` FROM `users` WHERE `id`='{$user['id']}' LIMIT 1");
if( mysql_num_rows($check_ip_query) > 0 )
{
$stored_ip = mysql_result($check_ip_query,0,'ip');
// Check if empty
if( empty($stored_ip) )
{
// Update IP
$ip_update_query = $db->query("UPDATE `users` SET `ip`='{$user_ip}' WHERE `id`='{$user['id']}' LIMIT 1");
}
else
{
// Check if current IP is same
if( $stored_ip != $user_ip )
{
// Send me a text and log it
$ip_log_data = time().' - Username "'.$user['username'].'" accessed site from IP "'.$user_ip.'" while stored IP is "'.$stored_ip.'" : ID'.$user['id'];
file_put_contents($sys_inc_path_admin.'ip_log.txt',$ip_log_data."nn",FILE_APPEND);
@mail('5555555555@vtext.com','IP Confliction: Vocab',$ip_log_data);
}
}
}
// Output info
$username = $_SESSION['steven_vocab.user.name'];
echo '<div id="user_meta">Welcome back, ',$username,'!<br />» <a href="',$site_url,'user.php?logout">Logout</a> «</div>';
?>
When I log in, everything runs smoothly and it works perfectly. I can log in as anyone and I always have the proper access level, etc. However, when anyone else tries to log in, he or she gets the Invalid metadata message (check code). I've been swapping code in and out all day and nothing seems to fix their problems, except it works fine for me. Can anyone see anything blatantly obvious in the above code?
Multiple upload and Resize
I would like some help on my script I have the for my index.php////<html><head><!-- Include the javascript --><script
The IE or FF detector
Hello Friends,Problem of today ( we seek for php help ) as following ,we know all that PNG images not shown well on IE6 and some "css'ers" given us a solution --> fine 1but if that
There was a problem with the request. (Code: 0)
Any Idea what could cause this? I get it randomly at best. But with both IE and FF. It derives from an AJAX banner rotation script I am attempting to implement. Well have implemented it... And the
PHP/Database issue
My friend is helping me make a database where you go to a certain webpage of my site and the page will use code to pull information from a database and display it on the page in a formatted way.Code:
Allegro crashes when running load_bitmap. Why?
I can not get Allegro to load any BMP images. Here is a section of test code. The picture is in the working directory:BITMAP *my_pic; my_pic = load_bitmap("kirby.bmp", NULL); if(!my_pic)
styling a RadioButtonList
HiI need to have a radio button and close to it, its lable, then a space then another set of those. I have the relevent html but not able to come up with the css. please helpthxview plaincopy to
Multithreading in Oracle (Java, SQLJ, Pro*C,??) on 10g
I am investigating how to run a Java stored procedure in multithread mode.I know that if I change the program to be multithreaded, the Database runs it fine, but it will not show any concurrency
upload only text files
hi guys i want to upload only text like like (pdf,note pad and ofiice files) so can any one please tell me how can i restrict that
Displaying image pathname instead of image
HelloIm trying to upload and then display images from a mysql database - Its only basic and i only need one pic per user on the database hence why using mysqlI really need osme help as ive been going
How do I know when getBounds Method is ready to be called.
I have an application that changes out stylesheets client side. Once I change stylesheet the browser changes immediately but there is a lag until the Sys.UI.DomElement.getBounds method will return
