Sessions work for me and not others?


Posted on 16th Feb 2014 07:03 pm by admin

I'm having a bit of bad luck with sessions. In the past they have worked fine for me, but this time around I'm having terrible luck. Basically, I made the crappiest login system ever. I'm using sessions to store three bits of information: 1) metadata which consists of the username, password, and salt; 2) database row id; 3) username.

Here is my code to login/out the user:

<?php
/**
* Copyright 2009 Steven
*/

session_start();
session_regenerate_id();

define('IN_VOCAB',true);
require('init.php');

// Get POST values
foreach( $_POST as $key => $value )
{
$$key = clean($value,true);
}

switch( $_SERVER['QUERY_STRING'] )
{
case 'login':
// MD5 password
$password = md5($password);

// Validate user exists
$user_val_query = $db->query("SELECT * FROM `users` WHERE `username`='{$username}' AND `password`='{$password}' LIMIT 1");
if( mysql_num_rows($user_val_query) > 0 )
{
// User exists; set sessions
$salt = substr(md5(date('F')),8);

$user = mysql_fetch_assoc($user_val_query);

$_SESSION['steven_vocab.user.meta'] = $username.$password.$salt;
$_SESSION['steven_vocab.user.id'] = $user['id'];
$_SESSION['steven_vocab.user.name'] = $user['username'];

// Logged in
echo message('You have been successfully logged in as '.$username.'!','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
}
else
{
fatal_error('Incorrect username and/or password. <a href="'.$site_url.'">Please try again</a>.');
}
break;

case 'logout':
// Make sure user is logged in
require($sys_inc_path.'user_check.php');

// Unset session vars
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
echo message('You have been successfully logged out.','success');
echo '<a href="',$site_url,'">Go to main site</a>.';
show('footer.php');
break;

default:
fatal_error('Invalid request.');
}

?>


And here is my code to check and validate the user:

<?php
/**
* Copyright 2009 Steven
*/
if( !defined('IN_VOCAB') )
{
echo 'Direct access to this file is not allowed.';
exit;
}

// Check for session
if( !isset($_SESSION['steven_vocab.user.meta']) || !isset($_SESSION['steven_vocab.user.id']) || !isset($_SESSION['steven_vocab.user.name']) )
{
show('login_form.html',null,true);
}

// Session exists; validate
$salt = substr(md5(date('F')),8);
$id = $_SESSION['steven_vocab.user.id'];
$meta = $_SESSION['steven_vocab.user.meta'];

$user_info_query = $db->query("SELECT * FROM `users` WHERE `id`='{$id}' LIMIT 1");
if( mysql_num_rows($user_info_query) > 0 )
{
// User exists, check username and password
$user = mysql_fetch_assoc($user_info_query);
if( ($user['username'].$user['password'].$salt) != $meta )
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('Invalid session metadata. <a href="'.$site_url.'">Please login again</a>.');
}
}
else
{
// User invalid; unset session and exit
unset($_SESSION['steven_vocab.user.meta'],$_SESSION['steven_vocab.user.id'],$_SESSION['steven_vocab.user.name']);
fatal_error('User cannot be found. <a href="'.$site_url.'">Please login again</a>.');
}

// The user is logged in and validated; check IP address
$user_ip = $_SERVER['REMOTE_ADDR'];
$check_ip_query = $db->query("SELECT `ip` FROM `users` WHERE `id`='{$user['id']}' LIMIT 1");
if( mysql_num_rows($check_ip_query) > 0 )
{
$stored_ip = mysql_result($check_ip_query,0,'ip');

// Check if empty
if( empty($stored_ip) )
{
// Update IP
$ip_update_query = $db->query("UPDATE `users` SET `ip`='{$user_ip}' WHERE `id`='{$user['id']}' LIMIT 1");
}
else
{
// Check if current IP is same
if( $stored_ip != $user_ip )
{
// Send me a text and log it
$ip_log_data = time().' - Username "'.$user['username'].'" accessed site from IP "'.$user_ip.'" while stored IP is "'.$stored_ip.'" : ID'.$user['id'];
file_put_contents($sys_inc_path_admin.'ip_log.txt',$ip_log_data."nn",FILE_APPEND);
@mail('5555555555@vtext.com','IP Confliction: Vocab',$ip_log_data);
}
}
}

// Output info
$username = $_SESSION['steven_vocab.user.name'];
echo '<div id="user_meta">Welcome back, ',$username,'!<br />&raquo; <a href="',$site_url,'user.php?logout">Logout</a> &laquo;</div>';

?>


When I log in, everything runs smoothly and it works perfectly. I can log in as anyone and I always have the proper access level, etc. However, when anyone else tries to log in, he or she gets the Invalid metadata message (check code). I've been swapping code in and out all day and nothing seems to fix their problems, except it works fine for me. Can anyone see anything blatantly obvious in the above code?

No comments posted yet

Your Answer:

Login to answer
62 Like 36 Dislike
Previous forums Next forums
Other forums

Comma seperated implode & modifying returned string.
I have a PHP post form that posts up to 4 variables. I need whatever variables are passed to be comb

How do I send data using an html link
Hi

If I have
<a href="main_file.php">

How do I send data t

Binding 2 UDP sockets on same port, connected to different destinations, 1 receives
Hello,
My application wants to send/recv data to 2 different UDP ports on a remote computer, us

function to return url
Hi,

Can you guys help me giving a function that takes all the contents in a particular field

Extending Exception to contain method name
I was wondering, if there's a way to extend Exception in such a way, that it would contain name of a

How to have a log of all the status a VIM document had been ?
Hi guys,

I’m using SAP Invoice Management plugin and the /OPT/VIM_ANALYTICS transa

 formating when pulling data from a mysql database 
Ok so Im not to sure if this is the right thread to post in but here is my catch 22 issue.

I

Baffled by Undefined Index in Simple Array: Please Help!
Hello. I have a form which posts an array to this script. However, I can't seem to access the values

sendmail code suddenly not working
Hi Guys, I maintain 3 sites (including my own) I use the following code from a french webmaster that

How to restrict the display of report variants
Hello All,

I want t know how to restrict the display of report variants.
I mean, whe

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash