  1. #1
    Tailslide

    Login Problem - always logged in.

    Hi all

    Got a problem with a login script and not sure what's going wrong.

    It appears that whatever I try I'm always logged in.

    The login bit at the top of the page:

    PHP Code:
    $password = clean($_POST['password']);
    $email = clean($_POST['email']);

    $sql = "SELECT id, password FROM users WHERE password='$password' LIMIT 1";

    $result = mysql_query($sql) or die(mysql_error());
    // If result matched $username a table row must be 1 row
    if (1 == mysql_num_rows($result)) {
        $rows = mysql_fetch_assoc($result);

        $_SESSION['loggedIn'] = 1;
        $_SESSION['userId'] = $rows['id'];
        $_SESSION['unique'] = $_POST['password'];
    }


    Further down the page it checks to see if the person is logged in and if so displays one thing or if not, another.

    PHP Code:
    if (isset($_SESSION['loggedIn'])) {
        echo '<p><a href="/checklinks.php?supplier_id=3">logged in link</a></p>';
    } else {
        echo '<p>You are not logged in</p>';
    }

    Little Blue Plane Web Design
    Blood, Sweat & Rust - A Land Rover restoration project

  2. #2
    Jake Arkinstall
    How are you attempting to logout?

    You'd want something like this as your logout code:
    PHP Code:
    session_start(); // at the top of the page, if it isn't already
    unset($_SESSION['loggedIn']);
    unset($_SESSION['userId']);
    unset($_SESSION['unique']);
    I'd recommend putting login stuff in an array inside session, that way logging out would be as simple as:
    PHP Code:
    unset($_SESSION['login']); 
    And Logging in would be:
    PHP Code:
    $_SESSION['login']['id'] = $rows['id'];
    $_SESSION['login']['password'] = $_POST['password']; 
    Checking for login:
    PHP Code:
    if (array_key_exists('login', $_SESSION)) {
        // user is logged in
    }
    By splitting your session into sub-arrays, you will allow for easy removal of a certain area, i.e. logging out or clearing a cart.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  3. #3
    PHP Code:
    $sql = "SELECT id, password FROM users WHERE password='$password' LIMIT 1";
    I believe some kind of username is missing here.

    You need a logout button and also
    Code:
    else{
    session_unset();
    session_destroy();
    }
    on the end of the first code.
    Gregor Grajzar, web developer
    http://xweblabs.com
    http://grajzar.info

  4. #4
    Jake Arkinstall
    Originally posted by gregor171:
        You need logout button and also
        Code:
        else{
        session_unset();
        session_destroy();
        }
        on the end of the first code.
    Not a good idea, at all.

    The session isn't only for storing user details. What if, at a later point, you want to put in other session values? Upon logging out, they will all be lost.

    Besides, adding that would be pointless as, if the if() statement equated to false, the session wouldn't be set anyway.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  5. #5
    Tailslide
    Hi chaps

    There is no username as such.

    This is the logout script

    PHP Code:
    <?php
    session_start();

    $_SESSION['loggedIn'] = 0;
    $_SESSION['userId'] = 0;

    unset($_SESSION['loggedIn']);
    unset($_SESSION['userId']);

    ?>
    Little Blue Plane Web Design
    Blood, Sweat & Rust - A Land Rover restoration project

  6. #6
    Looks ok, but you have to unset Session if no results are returned in your sql query.
    Gregor Grajzar, web developer
    http://xweblabs.com
    http://grajzar.info

  7. #7
    Jake Arkinstall
    And why on earth would you need to do that?

    Anyway, @TailSlide your logout script looks perfectly fine. Are you sure it's being run, and before you check if they're logged in?
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  8. #8
    Tailslide
    Hmmm...

    I stuck this within the body of my logout page:

    PHP Code:
    <?php if (isset($_SESSION['loggedIn'])) {
        echo '<p>Nope you are still logged in</p>';
    } else {
        echo '<p>Yep, Logged out!</p>';
    }
    ?>
    And it says Yep logged out... but soon as I go back to one of the pages with the previous chunk of code on it... I'm logged in.
    Little Blue Plane Web Design
    Blood, Sweat & Rust - A Land Rover restoration project

  9. #9
    Quote:
        Besides, adding that would be pointless as, if the if() statement equated to false, the session wouldn't be set anyway.
    If it wasn't set before.
    Anyway, I don't know about the rest of the code, but I like to destroy sessions:
    http://phpsec.org/projects/guide/4.html
    http://www.tizag.com/phpT/phpsessions.php

    Quote:
        The session isn't only for storing user details.
    Why do you need a session if you are not logged in?
    Gregor Grajzar, web developer
    http://xweblabs.com
    http://grajzar.info

  10. #10
    cranial-bore
    Is there a cookie set which you're using to authenticate the user? If so revisiting the page may be initiating a new login automatically (from the cookie).

  11. #11
    Jake Arkinstall
    Originally posted by gregor171:
        Why do you need a session if you are not logged in?
    Not all session data needs to be login specific. For example, shopping carts - what if the user fills their shopping cart but realises they're in the wrong account!

    As for clearing the session upon unsuccessful login - it isn't needed. If you're logged in, then you won't see that login page in the first place. Even if you did submit the login form, why should you be logged out of your initial account? Seems like you're trying to make the decisions for the user.

    Of course, it depends on what kind of system you're using; however, destroying the session isn't the right thing to do. Destroy relevant parts, sure, but not the whole thing. By doing that, you may undo other parts of the application and lower usability.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  12. #12
    Tailslide
    (just watch me make a fool of myself here!!)

    There is a cookie in my browser cache... far as I was aware I was just using sessions rather than a cookie to store password etc. Thought that it might just be a session cookie so tried logging out and leaving the site then coming back but I'm still logged in...
    Little Blue Plane Web Design
    Blood, Sweat & Rust - A Land Rover restoration project

  13. #13
    cranial-bore
    If you're using Firefox you can go Tools > Options > Privacy > Show Cookies to see what you've got and easily delete cookies for debugging purposes.

    If you're developing on your local machine you can also open a session file in a text editor to see how it changes as different code is run.

  14. #14
    Tailslide, is register_globals on?

  15. #15
    Tailslide
    Hi again.

    cranial-bore - yep tried that. Deleted the cookie. Go back to the page and whoops! there it is again!

    crmalibu - register_globals is off.

    Apologies if I don't get straight back to any replies - just found out I'm being taken away today (not by the men in white coats) by my husband for our 10th wedding anniversary. Back Sunday at which point I'll check again.

    Thanks for your patience and suggestions.
    Little Blue Plane Web Design
    Blood, Sweat & Rust - A Land Rover restoration project

  16. #16
    Tailslide
    Sorted!

    Couldn't figure it out for AGES! Eventually I echoed the session user id and compared it against the table and discovered that somehow there was a blank row in the table and it was comparing against that. Deleted the row and now it's fine!

    Thanks for your help - chaps, as ever.
    Little Blue Plane Web Design
    Blood, Sweat & Rust - A Land Rover restoration project
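
Added example, not part of the original thread or any poster's code: the login check in post #1 matches on the password alone, so an empty submitted password matches a blank row like the one found in post #16. This sketch assumes PHP 7.1+ with the pdo_sqlite extension, a constructed in-memory `users` table with an `email` column, and a hypothetical `authenticate()` helper; it rejects empty input, looks the account up by email, and verifies a stored hash.

```php
<?php
// Constructed schema and sample rows; not the poster's real table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$ins = $pdo->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
$ins->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(['', '']); // a stray blank row, as described in post #16

/**
 * Hypothetical helper: returns the user id on success, null otherwise.
 * $post stands in for $_POST so the function can be run from the CLI.
 */
function authenticate(PDO $pdo, array $post): ?int
{
    $email = trim((string)($post['email'] ?? ''));
    $password = (string)($post['password'] ?? '');

    // Empty input must never reach the query: with a password-only WHERE
    // clause, '' matches any row whose password column is blank.
    if ($email === '' || $password === '') {
        return null;
    }

    // Identify the account by email, using a bound parameter rather than
    // interpolating the value into the SQL string.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() returns false for an empty or malformed stored hash,
    // so a blank row can never authenticate.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int)$row['id'];
}

// Constructed requests: no form submitted, empty fields, wrong and right password.
var_dump(authenticate($pdo, []));
var_dump(authenticate($pdo, ['email' => '', 'password' => '']));
var_dump(authenticate($pdo, ['email' => 'alice@example.test', 'password' => 'wrong']));
var_dump(authenticate($pdo, ['email' => 'alice@example.test', 'password' => 'correct horse']));
```

On success the caller would call `session_regenerate_id(true)` and store only the returned id, for example in `$_SESSION['login']['id']`, rather than the submitted password.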

