Login Script Strangeness

earthlingzed

I have a login feature in a project I am working on that is behaving strangely. The symptom is that when a person tries to log in with the correct info, they are kicked out to the login page again. They enter their stuff a second time and they then can get in. The funny thing is, that in my code, nowhere to I have a conditional to kick the user back tot he login page, just to give errors or let them in. My code as it stands is below:

<?php

if((!$username)|(!$password)){
echo "Information Was Not Entered";
echo "<a href='index.php'>Try login again</a>";
echo "If you have forgotten your password, use the link below to have the password sent to the instructor email address. <a href='send_pass.php'> email password to instructor address</a>";
echo"</td>
<td width='15%' class='sides'><img src='../images/shim.gif' width='5' height='700' border='0'></td>
</tr>
</table>
</body>
</html>";
exit;

}

#encrypt password
$password=crypt($password,'xx');

#grab user name if it is there
$username_result = mysql_query("SELECT log FROM $prefix"."_instructor where log= '$username'",$db);
$username_row = mysql_fetch_row($username_result);
$correct_username = $username_row[0];
$log_num = mysql_num_rows($username_result);

if($log_num == "1") {

#grab pass to compare
$pass_result = mysql_query("SELECT pass FROM $prefix"."_instructor where log= '$correct_username'",$db);
$pass_row = mysql_fetch_row($pass_result);
$correct_pass = crypt($pass_row[0],'xx');

if($password == $correct_pass) {

begin session, register user name

session_start();
session_register("username");

#redirect
header("Location:".$admin_path."admin_home.php");

}

else {
echo "Password Incorrect";
echo "<a href='index.php'>Try login again</a>";
echo "If you have forgotten your password, use the link below to have the password sent to the instructor email address. <a href='send_pass.php'> email password to instructor address</a>";

}
}

else {

echo "User Name Incorrect";
echo "<a href='index.php'>Try login again</a>";
echo "If you have forgotten your password, use the link below to have the password sent to the instructor email address. <a href='send_pass.php'> email password to instructor address</a>";

}

I am stumped and would appreciate any insight.

Thanks

bernouli

what is this line suppose to be?

if((!$username)|(!$password)){

earthlingzed

if((!$username)|(!$password)){

That line is to check to see if they did not enter a user name or pasword and then hit the submit button.

bernouli

should that mean

if((!$username)||/B){

earthlingzed

Yeah, that is most certainly a bug. Let me see if that makes a difference.

earthlingzed

I made that change, but I am still seeing the same symptoms. I have heard from some people using the login feature that they try 4 time before getting in!

bernouli

try replace this

header("Location:$admin_path.admin_home.php");

but i see, you will get problem with the header, because header already sent

earthlingzed

I think the access check script may have somethign to do witht the kick out to the login page. Upon success ful login, a session should be registered that would then be checked by an access check script on all interior pages. That script looks like this:

<?php

session_start();

if(session_is_registered("username")) {

$logged = "".$username." logged in";

}
else
{
header("Location:".$admin_path."index.php");
}

Ass you can see, this goes back to the index page (the log in page) if the username session var is not registered. I am guessing that what is happening is, the user enters their info, that goes to the script that will access the databse for stored log an pass and do the comparisson, then either let them in or echo an error. So they get past the login check and are sent into the administrative home page where the sccess check script runs (preventing someone from just jumping stright into restricted areas) and this script is the one redirecting back to the index where they have to log in again. With that said, how could this be changed to prevent the problem?

bernouli

this should solve the problem

<?php 
session_register('username'); 

if ($username){ 

$logged = "<span style='text-transform:capitalize'>".$username." </span>logged in"; 
} 

else 
{ 
header("Location:".$admin_path."index.php"); 
} 

?>

lsager

Did you figure out how to fix your login problem? We are having the exact same problem with our login. We are using the php_lib_login. The first time i log in, i get failed message. The second time it works fine. We suspect it has something to do with the order in which the session variables are created. It is as if the information is created on the first try and is maintained on the second try. Anyway, I was curious if you had fixed yours so maybe what you did could help us. We are thinking of doing a login behind the scenes and then when the user logs in it will actually be the second login and will work.

Thanks in advance for your help.

levi_501_dehaan

Do you have session_start(); in your login file?
your problem is i dont see you registering your user on the login page, that would be a major error, and maybe you are registering them on the second page, that is why they have to log in more than once 🙂

to fix this either do this:

<?php
session_start(); //start session

$loginstr="$username"."$password";
$loginstrlen=strlen($loginstr);
//make sure the login is not under 1 char
if ($loginstrlen<2)
{
//sends user back if the login is under 1 char
//using error = 1; this will allow you to display an error
//message on your login page if error=1, 2, 3 ect...
Header("Location: index.php", replace);
        $error = 1;
        session_register("error");
}
if (@$username && @$password) {
    $res = @mysql_query("SELECT username,password FROM users WHERE username='$username' AND password='$password'");
    if(@mysql_num_rows($res) != 0) 
		{
//the page you want to send them to once user is authenticated
        Header("Location: pageone.php", replace);
        $verified_user = $username;
        $verified_userpw = $password;
//what this does is register the users, once they have been validated in the database
        session_register("verified_user");
        session_register("verified_userpw");
        setcookie("time",$PHPSESSID,time()+600,"/College/Authentication/","cs5",0);
        }
else {
Header("Location: index1.php", replace);
        $error = 1;
        session_register("error");
	  }

}

which is what i use
or you can just session_register("verified_user");
on your main page if when mysql authenticates username it will register the user.
try that 😉
-=levi=-

lsager

Thanks Levi_501. Your Session Start suggestion worked like a charm. We are able to login on the first try now.

Thanks for taking the time to help.

🙂