*sigh* session problems.... :( help!

sigh session problems.... :( help!

Kinneh

I have a login script, with two usernames in a mysql database.
Username 1 = Bob
Username 2 = Dave.

When bob logs on, he can add news fine via the admin section, but when bob logs out and then dave logs in, dave's name doesn't appear on the admin section.

i have 3 main bits for the login.

The login bit where the user enters his/her username/password.
The login check to see if user and password exist etc then if it does, it will create the proper sessions.
The login check to see if the user is already logged in.

Here's my code for...

The login bit where the user enters his/her username/password.

<?php

if(isset($_SESSION['auth']) <> "true") {
if ($page_sub_link = "") {

echo "<FORM METHOD='POST' ACTION='".$page_link."'>"; }

else {

echo "<FORM METHOD='POST' ACTION='".$page_sub_link."'>";

}

$password = $_POST['password'];
$password = stripslashes($password);

if($password <> "") { echo "<DIV ALIGN='CENTER'><SPAN CLASS='smallText'>login failed.</SPAN></DIV><BR>"; }
?>

<INPUT TYPE="HIDDEN" NAME="login" VALUE="true">
<TABLE>
<TR>
<TD ALIGN="RIGHT">
login
</TD>
<TD>
<INPUT TYPE="TEXT" SIZE="20" NAME="username">
</TD>
</TR>
<TR>
<TD ALIGN="RIGHT">
password
</TD>
<TD>
<INPUT TYPE="PASSWORD" SIZE="20" NAME="password">
</TD>
</TR>
<TR>
<TD COLSPAN="2" VALIGN="BOTTOM" HEIGHT="30" ALIGN="CENTER">
<INPUT CLASS="button" VALUE="login" TYPE="submit">
</TD>
</TR>
</TABLE>
</FORM>

<?

}
else {


if( strstr( $_SESSION['adminlevel'], "n") ) { echo "<A HREF='../login/control_news.php'>Edit News</A><BR>"; }
if( strstr( $_SESSION['adminlevel'], "s") ) { echo "<A HREF='../login/control_schedule.php'>Edit Schedule</A><BR>"; }
if( strstr( $_SESSION['adminlevel'], "r") ) { echo "<A HREF='../login/control_results.php'>Edit Results</A><BR>"; }
if( strstr( $_SESSION['adminlevel'], "d") ) { echo "<A HREF='../login/control_demos.php'>Edit Demos</A><BR>"; }
if( strstr( $_SESSION['adminlevel'], "c") ) { echo "<A HREF='../login/control_column.php'>Edit Column</A><BR>"; }
if( strstr( $_SESSION['adminlevel'], "m") ) { echo "<A HREF='../login/control_members.php'>Edit Members</A><BR>"; } else
			 echo "<A HREF='../login/control_members.php?own=yes'>Edit Info</A><BR>";

if($page_sub_link = "") {
echo "<A HREF='$page_link?logout=true'>Logout</A>"; }
else {
echo "<A HREF='$page_link?logout=true'>Logout</A>";}

}

?>

The login check to see if user and password exist etc then if it does, it will create the proper sessions.

session_start();


if ($logout == "true") {

session_unset();
session_destroy();   // destroy session.

header('Location: ../news/index.php');

}



if($login == "true") {

session_register('adminusername');
session_register('adminemail');
session_register('password');
session_register('adminlevel');
session_register('adminauth');

$_POST['uname'] = addslashes($_POST['uname']);


$password = $_POST['password'];
$password = stripslashes($password);

$check=mysql_query("SELECT * FROM i_members WHERE username='".$_POST['username']."' AND password='$password'") or die (mysql_error());

$numrows = mysql_num_rows($check);

if ($numrows > 0) {
?>
<?
$date = date('m d, Y i:s');

$update_login = mysql_query("UPDATE i_members SET last_login = '$date' WHERE username = '".$_POST['username']."'");

$auth = "true";
$_SESSION['auth'] = $auth;
$row = mysql_fetch_array($check);
$_POST['username'] = stripslashes($_POST['username']);
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $password;
$adminlevel = $row['level'];
$_SESSION['adminlevel'] = $adminlevel;

} else {

$auth = "false";

$_SESSION['auth'] = $auth;
}
}

include "check_login.php";

and finally the code to see if the user is already logged in.

<?php

/* check login script, included in db_connect.php. */

session_start();

if (!isset($_SESSION['username']) || !isset($_SESSION['password']) || !isset($_SESSION['adminlevel']) || !isset($_SESSION['email'])) {
	$logged_in = 0;
	return;
} else {

// remember, $_SESSION['password'] will be encrypted.

if(!get_magic_quotes_gpc()) {
	$_SESSION['username'] = addslashes($_SESSION['username']);
}


// addslashes to session username before using in a query.
$pass = mysql_query("SELECT password FROM i_members WHERE username = '".$_SESSION['username']."'");

if(mysql_num_rows($pass) == 0) {
	$logged_in = 0;
	unset($_SESSION['username']);
	unset($_SESSION['password']);
	// kill incorrect session variables.
}

$db_pass = mysql_fetch_array($pass);

// now we have encrypted pass from DB in
//$db_pass['password'], stripslashes() just incase:

$db_pass['password'] = stripslashes($db_pass['password']);
$_SESSION['password'] = stripslashes($_SESSION['password']);
$adminlevels = $db_pass['level'];
$_SESSION['adminlevels'] = $adminlevels;



//compare:



if($_SESSION['password'] == $db_pass['password']) {
	// valid password for username
	$logged_in = 1; // they have correct info
				// in session variables.
} else {
	$logged_in = 0;
	unset($_SESSION['username']);
	unset($_SESSION['password']);
	unset($_SESSION['adminlevel']);
	unset($_SESSION['email']);
	// kill incorrect session variables.
}
}


// clean up
unset($db_pass['password']);

$_SESSION['username'] = stripslashes($_SESSION['username']);

?>

I know its really, really messy code, but could anyone see if there is a problem with the code and why its losing its sessions, if u log in with username 1, then logout, then login with username2.

also am i doing this the long way round? is there a shorter way to achieve what i want.

thnx.

brad_fears

Perhaps the problem lies in your 'logout' routine. I had trouble with session_destroy() not doing what it was really supposed to do. I had to zero out each session value individually in order for a complete logout to work. You might try that first.

--Brad Fears

minorgod

I'm not sure if this is causing your problem or not, but you do NOT ever need to use session_register() if you are using the new $SESSION syntax. You simply need to call a session_start() before you set any of the superglobal $SESSION vars, and make sure you call it on any subsequent pages that need to access your session vars. Buy setting $SESSION['somevariable']=anything is the same as calling session_register for a standard variable. With $SESSION, the variable is automatically registered when it is first used or declared.

In addition, to kill a session, you could just unset($SESSION) to kill all your session vars. Or you could say $SESSION=NULL. Since $SESSION is just an associative array, you can manipulate your $SESSION array just as you would any other array, including the use of print_r() to dump it to your output for debugging. Here's a bit of code I stick at the end of all my scripts while debugging...

echo "<pre>";
echo "SESSION vars:\n";
print_r($SESSION);
echo "GET vars:\n";
print_r($GET);
echo "POST vars:\n";
print_r($POST);
echo "COOKIE vars:\n";
print_r($COOKIE);
echo "</pre>";

You may need to replace the \n characters with <br> instead if you want pretty formatting, but the <pre> tags should make non-html whitespace print correctly.

In addition, when you're checking the user's submitted login/password, you are using syntax that requires REGISTER_GLOBALS to be turned on. You're better off using the auto superglobal $POST array to retrieve the submitted value. Instead of using $login and $password, use $POST['login'] and $POST['password'] so your code will work on server without register globals. Any form you submit via POST method will show up in the $POST array. $_GET works the exact same way.

You should also remove your $SESSION['password'] from your scripts entirely as this is a potential security hole. Just set some other variable such as $SESSION['authorized']=true if the password is valid. Then you test for $SESSION['username'] and $SESSION['authorized'] to make sure they are logged in on subsequent pages. It's no different than saving the password in a session, except that there's less of a chance for somone to find out the password once the user has logged in.

As an extra measure of protection, you should probably encrypt the passwords before they are stored in the database. Then simply compare the encrypted version of whatever password the user submits, with the encrypted version in the database. It looks like you may already be doing thi(based on your code comments), but I didn't see it in your actual code.

Anyway, I know I didn't exactly answer your questions, but hopefully this helps.

Kinneh

Thanks for your help and explanation.

I had encrypted the passwords using md5(); but i was having some problems with it so i temporarily(sp?) took it out of the script.