Next to suicide: sessions

Elhombrebala

Can anybody tell me where's the fu%#@~~ error?
Whenever I execute it get lost, it does not find validador5.php!!!
3 pages:
1- Form (acceso5.html):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Documento sin título</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<div align="center">
<p> </p>
<p> </p>
<p> </p>
<p>
<FORM action="validador5.php" method="POST">
Usuario
<input name="Inmo" type="text" id="Inmo">
<br>
Password
<input name="Password" type="password" id="Password">
<br>
<input type="submit" name="Submit" value="Enviar">
</FORM>
</p>
</div>
</body>
</html>

2 - Asking some datas and opening a Session in php (validador5.php):

<?
session_register('usuario');
?>
<?
//conecto con la base de datos
$conn = mysql_connect("mysql.gestionar.info","aa1126","huissen");
//selecciono la BBDD
mysql_select_db("aa3968",$conn);
//Sentencia SQL para buscar un usuario con esos datos
$ssql = "SELECT * FROM Clientes WHERE Inmo='$Inmo' and Password='$Password'";

//Ejecuto la sentencia
$rs = mysql_query($ssql,$conn);

//vemos si el usuario y contraseña es váildo
//si la ejecución de la sentencia SQL nos da algún resultado
//es que si que existe esa conbinación usuario/contraseña
if (mysql_num_rows($rs)!=0){
//usuario y contraseña válidos
//defino una sesion y guardo datos
session_start();
session_register("autentificado");
$autentificado = "SI";
$Sesion=session_id();
$Sesioname=session_name();
$Bothsesiones=$Sesioname."=".$Sesion;
$Fecha = date("Y-d-m h:i:s");
$sql = "INSERT INTO Sesiones ( Fecha, Sesion, Inmo)" .
"VALUES ('$Fecha', '$Sesion', '$Inmo')";
$result = mysql_query($sql) or die(mysql_error().'<p>'.$sql.'</p>');
header ("Location: uploader5.html?$Bothsesiones");
}else {
//si no existe le mando otra vez a la portada
header("Location: acceso5.html?errorusuario=si");
}
mysql_free_result($rs);
mysql_close($conn);
?>

3- The last document (where we suposely wanted to arrived ask if session is seted (uploader5.html):

<?PHP
if (isset($_SESSION['sessionname'])) {
echo "Usuario reconocido";
}
else {
header ("Location: acceso5.php");
}
?>

Drakla

Are you using session_start() in your scripts, and just haven't pasted it in your code snippets? Otherwise it kind of helps.

Please put your code in the php tags as it really helps.

Elhombrebala

Is it OK?

1- Form (acceso5.html):

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 
<html> 
<head> 
<title>Documento sin título</title> 
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> 
</head> 
<body> 
<div align="center"> 
<p> </p> 
<p> </p> 
<p> </p> 
<p> 
<FORM action="validador5.php" method="POST"> 
Usuario 
<input name="Inmo" type="text" id="Inmo"> 
<br> 
Password 
<input name="Password" type="password" id="Password"> 
<br> 
<input type="submit" name="Submit" value="Enviar"> 
</FORM> 
</p> 
</div> 
</body> 
</html>

2 - Asking some datas and opening a Session in php (validador5.php):

<? 
session_register('usuario'); 
?> 
<? 
//conecto con la base de datos 
$conn = mysql_connect("mysql.gestionar.info","aa1126","huissen"); 
//selecciono la BBDD 
mysql_select_db("aa3968",$conn); 
//Sentencia SQL para buscar un usuario con esos datos 
$ssql = "SELECT * FROM Clientes WHERE Inmo='$Inmo' and Password='$Password'"; 

//Ejecuto la sentencia 
$rs = mysql_query($ssql,$conn); 

//vemos si el usuario y contraseña es váildo 
//si la ejecución de la sentencia SQL nos da algún resultado 
//es que si que existe esa conbinación usuario/contraseña 
if (mysql_num_rows($rs)!=0){ 
//usuario y contraseña válidos 
//defino una sesion y guardo datos 
session_start(); 
session_register("autentificado"); 
$autentificado = "SI"; 
$Sesion=session_id(); 
$Sesioname=session_name(); 
$Bothsesiones=$Sesioname."=".$Sesion; 
$Fecha = date("Y-d-m h:i:s"); 
$sql = "INSERT INTO Sesiones ( Fecha, Sesion, Inmo)" . 
"VALUES ('$Fecha', '$Sesion', '$Inmo')"; 
$result = mysql_query($sql) or die(mysql_error().'<p>'.$sql.'</p>'); 
header ("Location: uploader5.html?$Bothsesiones"); 
}else { 
//si no existe le mando otra vez a la portada 
header("Location: acceso5.html?errorusuario=si"); 
} 
mysql_free_result($rs); 
mysql_close($conn); 
?>

3- The last document (where we suposely wanted to arrived ask if session is seted (uploader5.html):

<?PHP 
if (isset($_SESSION['sessionname'])) { 
echo "Usuario reconocido"; 
} 
else { 
header ("Location: acceso5.php"); 
} 
?>

Drakla

session_register has been deprecated, and it's better to use session_start() and then use the $_SESSION[] superglobal. I can't read spanish so I'm assuming some of the comments are about making checks for things there.

<?
session_start();
$_SESSION['usario']="";	//this doesn't seem to get used, but I'll include it
?>  

<?  

//conecto con la base de datos 
$conn = mysql_connect("mysql.gestionar.info","aa1126","huissen");  

//selecciono la BBDD 
mysql_select_db("aa3968",$conn);  

//Sentencia SQL para buscar un usuario con esos datos 
$ssql = "SELECT * FROM Clientes WHERE Inmo='$Inmo' and Password='$Password'";  

//Ejecuto la sentencia 
$rs = mysql_query($ssql,$conn);  

//vemos si el usuario y contraseña es váildo 
//si la ejecución de la sentencia SQL nos da algún resultado 
//es que si que existe esa conbinación usuario/contraseña 
if (mysql_num_rows($rs)!=0){  

//usuario y contraseña válidos 
//defino una sesion y guardo datos 
$_SESSION['autentificado']="SI";
$Sesion=session_id();  

$Sesioname=session_name();  

$Bothsesiones=$Sesioname."=".$Sesion;
$_SESSION['sessionname']=$sesioname'
$Fecha = date("Y-d-m h:i:s");  

$sql = "INSERT INTO Sesiones ( Fecha, Sesion, Inmo)" .  

"VALUES ('$Fecha', '$Sesion', '$Inmo')";  

$result = mysql_query($sql) or die(mysql_error().'<p>'.$sql.'</p>');  

header ("Location: uploader5.html?$Bothsesiones");  

}else {  

//si no existe le mando otra vez a la portada 
header("Location: acceso5.html?errorusuario=si");  

}  

mysql_free_result($rs);  

mysql_close($conn);  

?>


// you have to start the session before you check

<?PHP  

session_start();
if (isset($_SESSION['sessionname'])) {  

echo "Usuario reconocido";  

}  

else {  

header ("Location: acceso5.php");  

}  

?>

Elhombrebala

I will check this tomorrow morning, thanks a lot!
I will teach you some Spanish in return...

Elhombrebala

There's something I can not understand, does session not change any time I start new session?
Have any sense to do this?

 
<? 
session_start(); 
if (isset($_SESSION['sesionname'])) {   

echo "Usuario reconocido";   

}   

else {   

header ("Location: acceso5.php");   

}   

?>

If I pass via URL the session name and id to next page and in next page I start session, how can I ask for old session started??
By the way, I did today what you suggested me yesterday and (I agree, I'm stupid) but it doesn't work.
What I have now:
1 Form in first page, it doesn't change from yesterday:
(Everyone is invited to go there and check the problem it gives)
www.costa4seasons.com/acceso5.html
2 Php to validate password:

 
<? 
//conecto con la base de datos 
$conn = mysql_connect("mysql.gestionar.info","aa1126","huissen"); 
//selecciono la BBDD 
mysql_select_db("aa3968",$conn); 
//Sentencia SQL para buscar un usuario con esos datos 
$ssql = "SELECT * FROM Clientes WHERE Inmo='$Inmo' and Password='$Password'"; 

//Ejecuto la sentencia 
$rs = mysql_query($ssql,$conn); 

//vemos si el usuario y contraseña es váildo 
//si la ejecución de la sentencia SQL nos da algún resultado 
//es que si que existe esa conbinación usuario/contraseña 
if (mysql_num_rows($rs)!=0){ 
    //usuario y contraseña válidos 
    //defino una sesion y guardo datos 
$_SESSION['autentificado']="SI"; 
$Sesion=session_id();   

$Sesioname=session_name();   

$Bothsesiones=$Sesioname."=".$Sesion; 
$_SESSION['sesionname']=$sesioname; 
$Fecha = date("Y-d-m h:i:s");   

$sql = "INSERT INTO Sesiones ( Fecha, Sesion, Inmo)" .   

"VALUES ('$Fecha', '$Sesion', '$Inmo')";   

$result = mysql_query($sql) or die(mysql_error().'<p>'.$sql.'</p>');   

header ("Location: uploader5.html?$Bothsesiones");   

}else {   

//si no existe le mando otra vez a la portada 
header("Location: acceso5.html?errorusuario=si");   

}   

mysql_free_result($rs);   

mysql_close($conn);   

?>

3- And finally, the destiny page that checks if session is set.

 
<?PHP   

session_start(); 
if (isset($_SESSION['sesionname'])) {   

echo "Usuario reconocido";   

}   

else {   

header ("Location: acceso5.php");   

}   

?>

Drakla

When you do session_start(); if no session currently exists it sets one up, otherwise it uses the one you've been running. You actually have to use session_destroy() later on, if you want the current session to end.

I've got to admit I didn't actually look at the mysql bits of your script fully and just assumed on each page you were:

starting the session - if one is already set (by checking variables you've set) you check the values against the database - if it isn't you send them to the login page.

If you haven't sussed it later I'll do a complete runthough of your code, like I said I only skimmed. At the moment I've got to convince a potential employer he needs me for a bit.

later.

Elhombrebala

If you want to check in the adress I gave you:

User: Laclau
Pass: 435567

Drakla

Sticking with your theme of doing this login system with sessions here's something that works, but is far from bulletproof. You also need something to go clearing all the dead sessions out of the database when they're too old. Either throw in the extra delete query when you check the database, or set up something on a cron job.

This would be your validador5.php

<?
session_start();

//$conn = mysql_connect("mysql.gestionar.info","aa1126","huissen");
$conn= mysql_connect();

//mysql_select_db("aa3968",$conn);  

mysql_select_db("test", $conn);

$Inmo=@$_REQUEST['Inmo'];
$Password=@$_REQUEST['Password'];
$sessid=session_id();

$ssql = "SELECT * FROM Clientes WHERE Inmo='$Inmo' and Password='$Password'";  

$rs = mysql_query($ssql,$conn);  

if (mysql_num_rows($rs)!=0)
{  

	$_SESSION['autentificado']="SI";

$Fecha = date("Y-d-m h:i:s");  

//Use replace instead of INSERT, million to one chance you're going over 
//somebody elses session but I don't case, it gets rid of the error if
//the session is currently in there
$sql = "REPLACE Sesiones ( Fecha, Sesion, Inmo)" .  	
"VALUES ('$Fecha', '$sessid', '$Inmo')";

$result = mysql_query($sql) or die(mysql_error().'<p>'.$sql.'</p>');  
header ("Location: check_page.php");  
}
else
{  //Clear out DB, session and Go back to Login
	$query="DELETE from Sesiones WHERE Sesion='$sessid'";
	mysql_query($query, $conn);

session_destroy();
header("Location: login.htm");  
}  

mysql_free_result($rs);  

mysql_close($conn);  

?>

Then in each of your pages that needs to check just use the function in this. This is check_page.php

<?php
	if ( check_session() )
	{
		//show page stuff here
		echo "YOU ARE LOGGED IN!";
	}
	else
	{
		//they are not logged in
		echo "YOU ARE NOT LOOGGED IN";
	}

function check_session()
{
	session_start();

if ( isset( $_SESSION['autentificado'] ) )
{
	//$conn = mysql_connect("mysql.gestionar.info","aa1126","huissen");
	$conn=mysql_connect() or DIE("NO CONNECT");

	//mysql_select_db("aa3968",$conn);  
	mysql_select_db("test", $conn) or DIE("NO SELECTIO");

	$sessid=session_id();

	$ssql = "SELECT * FROM Sesiones WHERE sesion='$sessid'";
	$rs = mysql_query($ssql,$conn) OR die("QUERY CRAssP".mysql_error() );

	if ( mysql_num_rows($rs) !=0 )
	{  
		$row=mysql_fetch_assoc($rs);

		//check date against login timeout ELSE return 0
		if( $row['Fecha'] ) // DO some date calculation on this
		{
			return 1;
		}
		else
		{
			$query="DELETE from Sesiones WHERE Sesion='$sessid'";
			mysql_query($query, $conn);
		}
	}
}

session_destroy();	
return 0;
}	
?>