  1. #1
    SitePoint Enthusiast (Join Date: May 2009; Posts: 59)

    Making a Login Work After Cache, Cookies, etc. Have Been Cleared

    Hello,

    I am using the code below for a user login. The first time I try to log in after cache, cookies, etc. have been cleared, the browser refreshes and the user is not logged in. After that, logging in works fine.

    Any idea how I can make it work the first time?

    Thanks in advance,

    John

    index.php:

    PHP Code:
    <?php
    // Every POST is answered with a redirect to a GET URL that carries the
    // credentials in the query string. Note: $username and $password are not
    // defined here (they only exist if register_globals is on), and header()
    // does not stop the script, so the includes below still run.
    if ($_SERVER['REQUEST_METHOD'] == "POST") {
        header('Location: http://www...com/.../index.php?username=' . $username . '&password=' . $password . '');
    }

    require_once "header.php";
    include "login.php";
    require_once "footer.php";
    ?>
    login.php:

    PHP Code:
    <?php
    if (!isLoggedIn())
    {
        if (isset($_POST['cmdlogin']))
        {
            if (checkLogin($_POST['username'], $_POST['password']))
            {
                show_userbox();
            } else
            {
                echo "Incorrect Login information !";
                show_loginform();
            }
        } else
        {
            show_loginform();
        }
    } else
    {
        show_userbox();
    }
    ?>
    show_loginform function:

    PHP Code:
    function show_loginform($disabled = false)
    {
        // The query string is user-controlled, so it is HTML-escaped before being
        // echoed into the form action (otherwise it is a reflected XSS point).
        echo '<form name="login-form" id="login-form" method="post" action="./index.php?' . htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES, 'UTF-8') . '">

        <div class="usernameformtext"><label title="Username">Username: </label></div>
        <div class="usernameformfield"><input tabindex="1" accesskey="u" name="username" type="text" maxlength="30" id="username" /></div>

        <div class="passwordformtext"><label title="Password">Password: </label></div>
        <div class="passwordformfield"><input tabindex="2" accesskey="p" name="password" type="password" maxlength="15" id="password" /></div>

        <div class="registertext"><a href="http://www...com/.../register.php" title="Register">Register</a></div>
        <div class="lostpasswordtext"><a href="http://www...com/.../lostpassword.php" title="Lost Password">Lost password?</a></div>

      <p class="loginbutton"><input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" ';
        if ($disabled == true)
        {
            echo 'disabled="disabled"';
        }
        echo ' /></p></form>';
    }

    header.php includes this:


    PHP Code:
    session_start(); 

    here are the login credential check functions I'm using:

    PHP Code:
    <?php

    #### Login Functions #####

    function isLoggedIn()
    {
        // session_is_registered() is deprecated since PHP 5.3 and removed in 5.4;
        // isset($_SESSION['loginid'], $_SESSION['username']) is the equivalent check.
        if (session_is_registered('loginid') && session_is_registered('username'))
        {
            return true; // the user is logged in
        } else
        {
            return false; // not logged in
        }

        return false;
    }

    function checkLogin($u, $p)
    {
        global $seed; // global because $seed is declared in the header.php file

        if (!valid_username($u) || !valid_password($p) || !user_exists($u))
        {
            return false; // the name was not valid, or the password, or the username did not exist
        }

        // Now let us look for the user in the database.
        // (mysql_* functions belong to the old mysql extension, removed in PHP 7.)
        $query = sprintf("
            SELECT loginid
            FROM login
            WHERE
            username = '%s' AND password = '%s'
            AND disabled = 0 AND activated = 1
            LIMIT 1;",
            mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));

        $result = mysql_query($query);

        // If the database returns a 0 as result we know the login information is incorrect.
        // If the database returns a 1 as result we know the login was correct and we proceed.
        // If the database returns a result > 1 there are multiple users
        // with the same username and password, so the login will fail.
        if (mysql_num_rows($result) != 1)
        {
            return false;
        } else
        {
            // Login was successful
            $row = mysql_fetch_array($result);

            // Save the user ID for use later
            $_SESSION['loginid'] = $row['loginid'];

            // Save the username for use later
            $_SESSION['username'] = $u;

            // Now we show the userbox
            return true;
        }
        return false;
    }

    ?>
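    A reworked index.php, added here as an illustration and not the original poster's code or a reply from the thread: it handles the POST before redirecting (with a clean Location and an exit), keeps the session id in a cookie only, and regenerates the id on login. It assumes header.php defines $seed, a PDO handle $db for the same `login` table, and the show_userbox()/show_loginform() helpers, and that header.php does not call session_start() itself.

```php
<?php
// Added example, not code from the thread. Assumed (not on the page): header.php
// defines $seed, a PDO handle $db for the same `login` table, and the
// show_userbox()/show_loginform() helpers, and does not call session_start() itself.
ini_set('session.use_only_cookies', '1');   // session id only in the cookie,
ini_set('session.use_trans_sid', '0');      // never in the query string
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax',
                           'secure' => !empty($_SERVER['HTTPS'])]);
session_start();                             // before any output or redirect
require_once 'header.php';

// sha1($p . $seed) is kept only to match the existing table; use password_hash() for new code.
function checkLoginPdo(PDO $db, string $seed, string $u, string $p): bool
{
    $st = $db->prepare('SELECT loginid FROM login WHERE username = ? AND password = ?
                        AND disabled = 0 AND activated = 1 LIMIT 1');
    $st->execute([$u, sha1($p . $seed)]);
    $rows = $st->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) !== 1) {
        return false;                       // no match, or duplicate accounts
    }
    session_regenerate_id(true);            // fresh id on login (anti-fixation)
    $_SESSION['loginid']  = $rows[0]['loginid'];
    $_SESSION['username'] = $u;
    return true;
}

// Handle the POST here, before redirecting: the original index.php sent the
// redirect first, copied the credentials into the URL, and never called exit.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['cmdlogin'])) {
    $u = (string)($_POST['username'] ?? '');
    $p = (string)($_POST['password'] ?? '');
    if (!checkLoginPdo($db, $seed, $u, $p)) {
        $_SESSION['login_error'] = 'Incorrect login information!';
    }
    header('Location: index.php', true, 303);  // Post/Redirect/Get to a clean URL
    exit;                                      // header() alone does not stop the script
}

$error = $_SESSION['login_error'] ?? '';
unset($_SESSION['login_error']);
if ($error !== '') {
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
}
if (isset($_SESSION['loginid'], $_SESSION['username'])) {
    show_userbox();
} else {
    show_loginform();
}
require_once 'footer.php';
```

    Because the session cookie is set on the same response that carries the 303, the follow-up GET already presents it, so the first login after a cookie wipe behaves the same as any later one.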

  2. #2
    SitePoint Zealot (Join Date: Jan 2006; Location: Gold Coast, Australia; Posts: 123)
    What? You are setting a session, which in turn stores a little file on the user's computer. Your script, through the function 'session_is_registered('loginid')', checks if this 'file' exists and matches the data you have provided.

    So, when the user clears their cookies, this little file is gone. Thus, you have no 'little file' to indicate the existence of a cookie, therefore your function 'isLoggedIn()' returns false.

  3. #3
    Keeper of the SFL StarLion's Avatar (Join Date: Feb 2006; Location: Atlanta, GA, USA; Posts: 3,748)
    A session doesn't store a file on the user's computer. A session lives on the server.
    A -cookie- is a file on the user's computer.

    Clearing the browser's cache will always cause this problem - you're manually destroying the session id (which is what gets stored in the cookie), so the server has to treat the user as a new user.

    The only way around this would be to do IP-based sessions, which you should not ever do. Ever. Period.

  4. #4
    SitePoint Zealot (Join Date: Jan 2006; Location: Gold Coast, Australia; Posts: 123)
    There are numerous sources on the web that suggest that sessions do store a small cookie client side.

    "Sessions still use a small cookie - this cookie simply holds a value that uniquely identifies the client to the server" - TuxRadar

    "Most sessions set a cookie on your computer to use as a key... it will look something like this: 350401be75bbb0fafd3d912a1a1d5e54." - About

    PHP sessions can use cookies depending on how you configure them. Have a look at these settings:

    session.use_cookies (boolean): specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).

    session.use_only_cookies (boolean): specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks that involve passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 5.3.0.

    If you disable session cookies, a GET parameter is used instead.

  5. #5
    Keeper of the SFL StarLion's Avatar (Join Date: Feb 2006; Location: Atlanta, GA, USA; Posts: 3,748)
    Sessions do use cookies when they can - but it's important to note that a session itself is not stored on the user's computer, only the identifier. That's why it's relatively safe to store things in the $_SESSION array without worrying about a user getting access to it - they don't have the data itself on their computer (as opposed to the user's computer pushing things into $_COOKIE).
