Sessions work for me and not others?

Posted on 16th Feb 2014 07:03 pm by admin

I'm having a bit of bad luck with sessions. In the past they have worked fine for me, but this time around I'm having terrible luck. Basically, I made the crappiest login system ever. I'm using sessions to store three bits of information: 1) metadata which consists of the username, password, and salt; 2) database row id; 3) username.

Here is my code to login/out the user:

<?php
/**
* Copyright 2009 Steven
*/

session_start();
session_regenerate_id();

define('IN_VOCAB',true);
require('init.php');

// Get POST values
foreach( $_POST as $key => $value )
{
$$key = clean($value,true);
}

switch( $_SERVER['QUERY_STRING'] )
{
case 'login':
// MD5 password
$password = md5($password);

// Validate user exists
$user_val_query = $db->query("SELECT * FROM `users` WHERE `username`='{$username}' AND `password`='{$password}' LIMIT 1");
if( mysql_num_rows($user_val_query) > 0 )
{
// User exists; set sessions
$salt = substr(md5(date('F')),8);

$user = mysql_fetch_assoc($user_val_query);

$_SESSION['steven_vocab.user.meta'] = $username.$password.$salt;
$_SESSION['steven_vocab.user.id'] = $user['id'];
$_SESSION['steven_vocab.user.name'] = $user['username'];

// Logged in
echo message('You have been successfully logged in as '.$username.'!','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
}
else
{
fatal_error('Incorrect username and/or password. <a href="'.$site_url.'">Please try again</a>.');
}
break;

case 'logout':
// Make sure user is logged in
require($sys_inc_path.'user_check.php');

// Unset session vars
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
echo message('You have been successfully logged out.','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
break;

default:
fatal_error('Invalid request.');
}

?>


And here is my code to check and validate the user:

<?php
/**
* Copyright 2009 Steven
*/
if( !defined('IN_VOCAB') )
{
echo 'Direct access to this file is not allowed.';
exit;
}

// Check for session
if( !isset($_SESSION['steven_vocab.user.meta']) || !isset($_SESSION['steven_vocab.user.id']) || !isset($_SESSION['steven_vocab.user.name']) )
{
show('login_form.html',null,true);
}

// Session exists; validate
$salt = substr(md5(date('F')),8);
$id = $_SESSION['steven_vocab.user.id'];
$meta = $_SESSION['steven_vocab.user.meta'];

$user_info_query = $db->query("SELECT * FROM `users` WHERE `id`='{$id}' LIMIT 1");
if( mysql_num_rows($user_info_query) > 0 )
{
// User exists, check username and password
$user = mysql_fetch_assoc($user_info_query);
if( ($user['username'].$user['password'].$salt) != $meta )
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('Invalid session metadata. <a href="'.$site_url.'">Please login again</a>.');
}
}
else
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('User cannot be found. <a href="'.$site_url.'">Please login again</a>.');
}

// The user is logged in and validated; check IP address
$user_ip = $_SERVER['REMOTE_ADDR'];
$check_ip_query = $db->query("SELECT `ip` FROM `users` WHERE `id`='{$user['id']}' LIMIT 1");
if( mysql_num_rows($check_ip_query) > 0 )
{
$stored_ip = mysql_result($check_ip_query,0,'ip');

// Check if empty
if( empty($stored_ip) )
{
// Update IP
$ip_update_query = $db->query("UPDATE `users` SET `ip`='{$user_ip}' WHERE `id`='{$user['id']}' LIMIT 1");
}
else
{
// Check if current IP is same
if( $stored_ip != $user_ip )
{
// Send me a text and log it
$ip_log_data = time().' - Username "'.$user['username'].'" accessed site from IP "'.$user_ip.'" while stored IP is "'.$stored_ip.'" : ID'.$user['id'];
file_put_contents($sys_inc_path_admin.'ip_log.txt',$ip_log_data."nn",FILE_APPEND);
@mail('5555555555@vtext.com','IP Confliction: Vocab',$ip_log_data);
}
}
}

// Output info
$username = $_SESSION['steven_vocab.user.name'];
echo '<div id="user_meta">Welcome back, ',$username,'!<br />&raquo; <a href="',$site_url,'user.php?logout">Logout</a> &laquo;</div>';

?>


When I log in, everything runs smoothly and it works perfectly. I can log in as anyone and I always have the proper access level, etc. However, when anyone else tries to log in, he or she gets the Invalid metadata message (check code). I've been swapping code in and out all day and nothing seems to fix their problems, except it works fine for me. Can anyone see anything blatantly obvious in the above code?

Your Answer:

Login to answer

Other forums

Having problemswith multithreading and prime numbers
I have an assignment when I'm suppose to do the following:

Write a multithreaded Java, Pt

How do I use a global footer..?
If my index.php has a bole bunch of if functions and exit's in them

Pop-up Banner
Hello Friends,I need to use banner in our client site.Example: www.example.com if i enter this site

Help please - How to validate from 2 possible answers
Hi

I hope somebody can help me with what will probably be really simple, I'm pulling my hair

WS-Security PL/SQL Forms
Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Prod
PL/SQL Release 10.2.0.2.0 - P

Find occurences of unicode characters in string
I need to prohibit filenames with everything but English characters and numbers but regexp and strin

problem in program for counting no of chars using pointers
Hi all, I was trying to make a program which counts number of chars in a string using concpt of poin

quick question about System Change Number(SCN) in FlashBack Query topic
i know tht we can get the SCN of the database using flashback concept as follows

SQL>

need help to creat database
Hello Team, please guys i am stuck from three days with paypal issue for IPN but no luck yet now i w

Newb advice
Hi all,

I'm a flash front end designer and I've taken on a project that needs some back end p