Is my PHP just lazy?

appliance

Hello,

I've been building a client log-in for my site and I seem to have everything working except that I need to log-in twice to make the authentication go through properly. I've got my PHP code from my page that does the log-in posted below, but I will explain the whole process first and what I think is going wrong. I hope someone can tell me where I've messed up.

My client log-in is pretty standard, but I wanted to take a shot at building it myself so I can learn from the experience and so it does everything I need it to do. The process starts with a simple HTML page containing a form that POSTs a username and password to a page called login.php.

The login.php page receives the variables, queries the database, and retrieves some info about a user if the username and password match up with the info in the database. I need to be able to pass one of these variables ("company") onto subsequent pages using PHP sessions.

The first time I start a browser and use my log-in, it doesn't work. I get kicked back to my log-in screen because the "protected" page has checked the "company" variable against whatever company I have specified on that page.

But, if I reenter the same exact information in my client log-in a second time, the whole thing works fine. For some reason, the second time the information is entered in, the info that was pulled from the database gets recorded into my $company variable. The first time around it is not stored in the variable.

Once I've logged in successfully, I can use my logout.php page and destroy my session. To re-authenticate myself, I thought I would have to reenter my information twice again on my client log-in, but for some reason, I only need to log-in once. I don't get kicked back again.

Here's my thought at what's wrong: I have to have another step between querying the database and trying to store the variable in a session variable. But I don't know how to do that now or if that's even the problem.

Here's my code. Any help would be appreciated. Thanks. - John

<?php require_once('myConnectInfo.php');
$username=$_POST["username"];
$password=md5($_POST["password"]);
mysql_select_db($database_myConnectInfo, $myConn);
$query_login = "SELECT username, password, gotoURL, company FROM mytable
WHERE username= '$username' and password= '$password'";
$login = mysql_query($query_login, $myConn) or die(mysql_error());
$row_login = mysql_fetch_assoc($login);
$totalRows_login = mysql_num_rows($login);
if($totalRows_login >=1) {
$path = $row_login["gotoURL"];
$company = $row_login["company"];
session_start();
session_register("company");
// user gets directed to the path from the database
header("Location: $path");
exit;
} else {
// if username and password didn't work, goes back to login
header("Location: index.php");
exit;
}
?>

-John 😕

CaptianChaos

I don't like this, even though it should work:

session_register("company");

Do this instead:

$_SESSION['company'] = $company;

Also, you may try putting:

session_start();

at the top of your file, before the require line, instead of in the middle. The problem may be the first time you run session_start(), the browser won't accept it, because you have passed something to the client prior to the session cookie.... but it works the second time? I don't know exactly what the problem is, these are gueses for you to try.

appliance

Thanks for the suggestion. I changed the login.php like you suggested, but it still operates like it did before. The first time through, no dice, the second time through, it works fine. Any other thoughts?

keith73

I don't see much wrong with your authenticate code. Have you verified the information in the database?

You should use $_SESSION instead of session_register.

Also, it doesn't matter where in your code you have the session_start(), just as long as nothing is being sent to the browser before it's called. If that was the problem, PHP would give you an error about it.
Are you using cookies or URL sessions?

Here's your code below, with a few changes.

<?php
require_once('myConnectInfo.php');
$username=$_POST["username"];
$password=md5($_POST["password"]);
mysql_select_db($database_myConnectInfo, $myConn);
$query_login = "SELECT username, password, gotoURL, company FROM mytable WHERE username= '$username' and password= '$password'";
$login = mysql_query($query_login, $myConn) or die(mysql_error());
$row_login = mysql_fetch_assoc($login);
$totalRows_login = mysql_num_rows($login);
print "rows: " . $totalRows_login . "<br>";
exit;
if($totalRows_login >=1) {
	$path = $row_login["gotoURL"];
	session_start();
	$_SESSION[''] = $row_login["company"];
	// user gets directed to the path from the database
	header("Location: $path");
	exit;
} else {
	// if username and password didn't work, goes back to login
	header("Location: index.php");
	exit;
}

?>

Just outputting the number of rows. This will cause an error when you call session_start which is why I put the exit after it. Just for testing purposes.

Your if statement is checking for 1 or more rows, which is odd. the username should be unique and if you get more than 1 row returned, then your database is the problem. username should be a unique field, or primary key and you should not have duplicates.

keith

appliance

Thanks for the code, I've tried it, but it still is acting the same way. 🙁

I tried adding some other things to my pages to see what's going on. On the "protected" page, I check to even see if the company is a session variable. The first time through, it's not returning a "true" value, so I know it's not being registered for some reason on my login.php page in the earlier posts. The second time through, it returns the correct company name and is a registered session variable.

I know the data is being retrieved from the database on the first time through though, because that's how it knows to go to this page in the protected folder in the first place. And, as was pointed out above, I now only check to see if I have one row returned in the login.php.

Here's the code from my "protected" page. Maybe I've messed up here.

<?php 
session_start();
#if($company != "acme") {
#header("Location: loginstart.php");
#exit;
#}
?>
<html>
<head>
<title>Protected</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<h3>This area would be protected.</h3>
<p>company=
  <?php echo $company?>
</p>
<p> If session is registered a 1 will appear here: <?php echo session_is_registered('company'); ?></p>
</body>
</html>

Thanks for your help so far.

appliance

I appreciate the help on this problem. I've figured out the problem and I want to share what was going on.

I was using subdomain as my client log in area, i.e. login.mysite.com, which basically took someone to http://mysite.com/secretclientarea, but not keeping my client folders underneath that directory.

I was keeping my client directories on an equal level of my client log in. So, I was using an absolute URL in my header location redirect. That basically means that the session that was started for login.mysite.com didn't carryover to http://mysite.com/acmecompany on the first go around because I was basically having two different sessions going on.

So the solution is to keep my client folders under the client area. Simple, right? Doh!

Does this make sense? I hope so. If not, I'm happy to try to explain it some more. Thanks again for the help I've gotten here. It made me think about my code over and over again until I figured it out.

-John :p

keith73

actually, there are 2 solutions.

your suggestion, to put all files under the same domain, OR to allow your session cookie to accessible by *.youromain.com

session_set_cookie_params will allow you to do this. call it before session_start() on every page that calls session_start.

session_set_cookie_params ( int lifetime [, string path [, string domain [, bool secure]]])

This allows you to set the expiration of the cookie, path, domain, etc.

session_set_cookie_params(60*60*24,"/","mydomain.com",FALSE);
session_start();

best thing to do is put your session code in an include file and call the include file in every page.

http://www.php.net/manual/en/function.session-set-cookie-params.php

keith