session problem???

qrt123

Hi there

I am getting very confused/desperate!!!

I have madae a quite simple login system on my website.
I have tried several different approaches, but it all ends up in the same manner.
It works with sessions, and the user/password is checked via a MySql database.
Now, the thing is, that when I type the right user/password I still get redirected to the login page.
I have to submit the empty form first, THEN, when I sub´mit the right user/passeord everything woks perfectly.

It works Ok on my own computer Win XP Pro/IIS PHP 4.2.3
But on the server(PHP 4.2.3) by my Hostmaster I have this annoying problem.
Is it a browser/cache problem, IE6???

Please help me someone😕

milind24

can you submit that code which register session variable and where u check values , are u doing in same page or diff. page ??

qrt123

this is the loginscript:

<?
session_start();
header("Cache-control: private");

$user = @$POST['user'];
$pass = @$POST['pass'];

$md5pass = md5($pass);

$conn = mysql_connect ("xxx", "xxx", "xxx");
mysql_select_db("xxx");

$result = mysql_query("SELECT bruger, brugerpassword, level FROM brugere WHERE bruger='$user' AND brugerpassword='$md5pass'");

$num = mysql_num_rows($result);

if($num=="1"){

$_SESSION['acces']= "admin";
header("Location: redigerlinks.php");

}
else
{
echo "<SCRIPT>alert(\"Uregistreret brugernavn eller password. Prøv igen!\");history.go(-1)</SCRIPT>";
}
?>

and this is on top of the restricted pages:

<?
session_start();
header("Cache-control: private");

if (!isset($_SESSION['acces'])) {

header("Location:../test.php");

}

milind24

just check in the same page
insted of redirecting to other page just include that file ,
try using follwoing code , may string comparison of mysql_num_rows giving proble :

if(mysql_num_rows($result)){ 

$_SESSION['acces']= "admin"; 
//header("Location: redigerlinks.php"); 
include "./redigerlinks.php";

} 
else 
{ 
echo "<SCRIPT>alert(\"Uregistreret brugernavn eller password. Prøv igen!\");history.go(-1)</SCRIPT>"; 
}

qrt123

Sorry, but that didn't help me.

But I seem to have found out that it has something to do with passing the session ID from the loginpage to the protected page.

if I link like this: header ("location: protectedpage.php?SID");

everything works perfectly. But isn't that a insecure way of doing it?

Can this be done in a kind of invissible manner?

sincerely
kurt

suntra

How do you encrypt the password in the database when you register a new user ? Do you use PHP md5() function or MySQL password() function ? If you use MySQL password(), you always should use it when you query the database. I don't think this is the error, but give it a try.

Also, if you echo the username and the password, do you see them ?

qrt123

No problems there.
I can echo the user and password.

But is there a way I can transfer the SID without showing it in the adresssbar in the browser?

suntra

Well, the only way would be to always submit using POST method...

qrt123

Well Suntra, the only way I can get this to work, is by transferring the SID via the url.

I can't figure out though if it is a secure or insecure method?
And I can't figure out any other way to do it.

Didn't catch the meaning by submitting by POST method...???