Sessions work for me and not others?
Posted on
16th Feb 2014 07:03 pm by
admin
I'm having a bit of bad luck with sessions. In the past they have worked fine for me, but this time around I'm having terrible luck. Basically, I made the crappiest login system ever. I'm using sessions to store three bits of information: 1) metadata which consists of the username, password, and salt; 2) database row id; 3) username.
Here is my code to login/out the user:
<?php
/**
* Copyright 2009 Steven
*/
session_start();
session_regenerate_id();
define('IN_VOCAB',true);
require('init.php');
// Get POST values
foreach( $_POST as $key => $value )
{
$$key = clean($value,true);
}
switch( $_SERVER['QUERY_STRING'] )
{
case 'login':
// MD5 password
$password = md5($password);
// Validate user exists
$user_val_query = $db->query("SELECT * FROM `users` WHERE `username`='{$username}' AND `password`='{$password}' LIMIT 1");
if( mysql_num_rows($user_val_query) > 0 )
{
// User exists; set sessions
$salt = substr(md5(date('F')),8);
$user = mysql_fetch_assoc($user_val_query);
$_SESSION['steven_vocab.user.meta'] = $username.$password.$salt;
$_SESSION['steven_vocab.user.id'] = $user['id'];
$_SESSION['steven_vocab.user.name'] = $user['username'];
// Logged in
echo message('You have been successfully logged in as '.$username.'!','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
}
else
{
fatal_error('Incorrect username and/or password. <a href="'.$site_url.'">Please try again</a>.');
}
break;
case 'logout':
// Make sure user is logged in
require($sys_inc_path.'user_check.php');
// Unset session vars
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
echo message('You have been successfully logged out.','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
break;
default:
fatal_error('Invalid request.');
}
?>
And here is my code to check and validate the user:
<?php
/**
* Copyright 2009 Steven
*/
if( !defined('IN_VOCAB') )
{
echo 'Direct access to this file is not allowed.';
exit;
}
// Check for session
if( !isset($_SESSION['steven_vocab.user.meta']) || !isset($_SESSION['steven_vocab.user.id']) || !isset($_SESSION['steven_vocab.user.name']) )
{
show('login_form.html',null,true);
}
// Session exists; validate
$salt = substr(md5(date('F')),8);
$id = $_SESSION['steven_vocab.user.id'];
$meta = $_SESSION['steven_vocab.user.meta'];
$user_info_query = $db->query("SELECT * FROM `users` WHERE `id`='{$id}' LIMIT 1");
if( mysql_num_rows($user_info_query) > 0 )
{
// User exists, check username and password
$user = mysql_fetch_assoc($user_info_query);
if( ($user['username'].$user['password'].$salt) != $meta )
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('Invalid session metadata. <a href="'.$site_url.'">Please login again</a>.');
}
}
else
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('User cannot be found. <a href="'.$site_url.'">Please login again</a>.');
}
// The user is logged in and validated; check IP address
$user_ip = $_SERVER['REMOTE_ADDR'];
$check_ip_query = $db->query("SELECT `ip` FROM `users` WHERE `id`='{$user['id']}' LIMIT 1");
if( mysql_num_rows($check_ip_query) > 0 )
{
$stored_ip = mysql_result($check_ip_query,0,'ip');
// Check if empty
if( empty($stored_ip) )
{
// Update IP
$ip_update_query = $db->query("UPDATE `users` SET `ip`='{$user_ip}' WHERE `id`='{$user['id']}' LIMIT 1");
}
else
{
// Check if current IP is same
if( $stored_ip != $user_ip )
{
// Send me a text and log it
$ip_log_data = time().' - Username "'.$user['username'].'" accessed site from IP "'.$user_ip.'" while stored IP is "'.$stored_ip.'" : ID'.$user['id'];
file_put_contents($sys_inc_path_admin.'ip_log.txt',$ip_log_data."nn",FILE_APPEND);
@mail('5555555555@vtext.com','IP Confliction: Vocab',$ip_log_data);
}
}
}
// Output info
$username = $_SESSION['steven_vocab.user.name'];
echo '<div id="user_meta">Welcome back, ',$username,'!<br />» <a href="',$site_url,'user.php?logout">Logout</a> «</div>';
?>
When I log in, everything runs smoothly and it works perfectly. I can log in as anyone and I always have the proper access level, etc. However, when anyone else tries to log in, he or she gets the Invalid metadata message (check code). I've been swapping code in and out all day and nothing seems to fix their problems, except it works fine for me. Can anyone see anything blatantly obvious in the above code?
No comments posted yet
Your Answer:
Login to answer
62 
36 
Other forums
Problem with PHP code- simple contact form
Hi Folks,
I'm relativily new to PHP; I know HTML and CSS stuff but I have a problem- I have a co
Hit counter updating once per IP - IP HIT COUNTER
I have a hit counter, for the amount of views on a tutorial.
It'll do the query and then do..
How a counter of users ? such as ---> (231 Viewing)
I want to count how many users are actually viewing the page, How is that possible?
Thank you guy
UL and LI Add Form
The idea I want here is when the user click on a character name from the drop down select bar at the
Got A Free Server :(
So I was given a free server
http://shopping.yahoo.com/p:Compaq%20ProLiant%201500%20Server:1
Coding Critique
I was hoping someone could take a second and look down my code and see if they see any problems with
Error In Syntax
I got this error:
Code: Parse error: syntax error, unexpected '>' in /home/bucket/publ
parsing error
can anyone explain this syntax error:
Parse error: syntax error, unexpected T_IF
The e
How to make a mail Form secure?
I want to create an email Form on my web site. How can I make the Form secure so the submitted info
MS are the best!!!
Visit http://www.microsoft.com/australia/windows/default.aspx?h=watch-a-demo and click the massive '
