I am still sort of new to php and created a login script that uses only cookies to validate log in data against the username and password stored in a mysql database. I had attempted to use sessions but they didn't work correctly, I even tried copying examples directly out of a book with tutorials but it still had trouble carrying sessions from page to page. I had thought it was since php was run as cgi, so I just decided to create the login using cookies.
I broke my script into three parts dbconnect.php, log_in.php, and the main index. I will explain how each part is supposed to work.
db_conn connects to my database, check_user makes sure that it is a valid username, log_pass grabs the password of a username from the database.
--dbconnect.php
<?php
// Opens the database connection; the @ silences the connect warning.
function db_conn()
{
    @ $dbconn = mysql_connect('localhost', 'myusername', 'mypassword');
    mysql_select_db("fpdb", $dbconn);
    return $dbconn;
}

// Returns the username if it exists in the login table, otherwise "Guest".
// mysql_real_escape_string() replaces addslashes(), which is not a proper
// SQL escape for the mysql extension.
function check_user($user)
{
    $conn = db_conn();
    $safe = mysql_real_escape_string($user, $conn);
    $query = "select * from login where usernm = '$safe'";
    $result = mysql_query($query, $conn);
    if (mysql_num_rows($result) == 0) {
        $user = "Guest";
    }
    return $user;
}

// Returns the stored password (first 15 chars of the md5 digest) for a
// username, or an empty string if no row comes back.
function log_pass($user)
{
    $conn = db_conn();
    $safe = mysql_real_escape_string($user, $conn);
    $query = "select passwd from login where usernm = '$safe'";
    $result = mysql_query($query, $conn);
    $data = mysql_fetch_array($result);
    if (!$data) {
        return "";
    }
    return stripslashes($data['passwd']);
}
?>
Login first gets the page the person came from, so if they came from the index it will return them there, or if they came to login by hitting the 'log in' button on a separate page it will return them to the page that they clicked 'log in' on. If entering from the index, it sets a temporary cookie then returns them there. If logging in from another page, it sets the temporary cookie then validates the login data; if correct, it goes back to the page they came from, if incorrect, it goes back to the log in page and displays an error.
--log_in.php
<?php
include('/home/fanciersplus/www/dbconnect.php');

// Sets the three short-lived (200 second) login cookies.
function set_temp_cookies($user, $hash, $remember)
{
    setcookie("user", $user, time()+200, "/", ".fanciersplus.com");
    setcookie("fanciersplus", $hash, time()+200, "/", ".fanciersplus.com");
    setcookie("remember", $remember, time()+200, "/", ".fanciersplus.com");
}

// Page the visitor came from; the Referer header is supplied by the browser
// and can be missing or altered.
$back = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";

if (isset($_POST['user'])) {
    $user = $_POST['user'];
    $remember = isset($_POST['remember']) ? $_POST['remember'] : "";
    // Same transformation as the stored value: first 15 chars of the md5 hex digest.
    $fanciersplus = substr(md5($_POST['pass']), 0, 15);
    set_temp_cookies($user, $fanciersplus, $remember);

    if ($back == "http://www.fanciersplus.com/index.php" ||
        $back == "http://www.fanciersplus.com/") {
        // Came from the index: index.php does the validation.
        header("Location: /index.php");
        die();
    }

    // Came from another page: validate here, bounce to login.php on failure.
    $checkuser = check_user($user);
    if ($checkuser == "Guest") {
        header("Location: /login.php");
        die();
    }
    $password = log_pass($user);
    if ($password !== $fanciersplus) {
        header("Location: /login.php");
        die();
    }
}
?>
<script type="text/javascript">
<!--
// On success, send the visitor back to the page they clicked 'log in' on.
setTimeout("history.go(-2)", 50)
//-->
</script>
This is the index page. If a cookie exists but is not set to remember me, it adds 2 more hours before it times out. This top code is on all pages to continually add time to the cookie until people have left the site for over 2 hours.
The login validation code, which is only on the index and login page, is below that. It verifies whether a username and password are correct; if they are not, it unsets the cookies and displays an error. If the cookies are valid and have the remember me option selected, it sets a cookie to last a year; otherwise it sets a 2 hour cookie. It also sets loggedin = true to display different menus for logged in users and to hide the log in. The last thing it checks is if a user is logged in as guest; if they are, it does not allow caching, so after a person logs in it doesn't pull a 'Guest' page from cache.
Not shown in the php code is a javascript redirect to take people to the log in page after 2 hours passes and the cookie expires, so people don't idle on one page for 2 hours, where the cookie would expire, and then attempt to use a feature for logged in users.
--index.php
<?php
require_once('/home/www/fanciersplus/dbconnect.php');

// Defaults so the checks below never read an undefined variable.
$pass = "";
$password = "";
$remember = null;
$nameset = 0;
$wordset = 0;
$loggedin = "False";
$usererr = "";

if (empty($user)) {
    $user = "Guest";
    $notset = 0;
}

// A login cookie exists: read it and, unless "remember me" was chosen,
// push its expiry out another 2 hours on every page view.
if (isset($_COOKIE['fanciersplus'])) {
    $user = isset($_COOKIE['user']) ? $_COOKIE['user'] : "";
    $pass = $_COOKIE['fanciersplus'];
    $remember = isset($_COOKIE['remember']) ? $_COOKIE['remember'] : null;
    $notset = 1;
    if (!isset($_COOKIE['remember'])) {
        setcookie("user", $user, time()+7200, "/", ".fanciersplus.com");
        setcookie("fanciersplus", $pass, time()+7200, "/", ".fanciersplus.com");
        setcookie("remember", $remember, time()+7200, "/", ".fanciersplus.com");
    }
}
if (empty($user)) {
    $user = "Guest";
}

// The username must exist in the database.
if ($user != "Guest") {
    $user = check_user($user);
    if ($user == "Guest") {
        $nameset = 1;   // remember that the name was rejected
    }
}

// Fetch the stored password only for a known user.
if ($user != "Guest") {
    $password = log_pass($user);
} else {
    $wordset = 1;
}

// Strict comparison: == would treat two "0e..." digests as equal numbers.
if ($wordset != 1 && $pass === $password) {
    // Valid login: "remember me" gets roughly a year, otherwise 2 hours.
    if (isset($remember)) {
        $expire = time()+288*360*300;
    } else {
        $expire = time()+7200;
    }
    setcookie("user", $user, $expire, "/", ".fanciersplus.com");
    setcookie("fanciersplus", $pass, $expire, "/", ".fanciersplus.com");
    setcookie("remember", $remember, $expire, "/", ".fanciersplus.com");
    $loggedin = "True";
} else {
    if ($user != "Guest") {
        $usererr = "<br><b><span class=\"submenu\">Invalid Password</span></b>
<br><a href=\"forgot.php\"><span class=\"submenu\">Forgot your password?</span></a><br>";
    }
    if ($nameset == 1) {
        $usererr = "<br><b><span class=\"submenu\">Username doesn't exist</span></b><br>
<a href=\"forgot.php\"><span class=\"submenu\">Forgot your username?</span></a><br>";
    }
    // Either failure: clear the login cookies.
    if ($user != "Guest" || $nameset == 1) {
        setcookie("user", "", time()-3600, "/", ".fanciersplus.com");
        setcookie("fanciersplus", "", time()-3600, "/", ".fanciersplus.com");
        setcookie("remember", "", time()-3600, "/", ".fanciersplus.com");
    }
    $loggedin = "False";
    $user = "Guest";
}

// Guests must not be served from cache, so a fresh login is not hidden
// behind a cached "Guest" page.
if ($user == "Guest") {
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Pragma: no-cache");
}
?>
When posting the code on here I had to edit the header redirects to just /page.php but on my real code my domain is typed out... on this board it kept insisting to add the [URL tag around it which wasn't supposed to happen.
In the database of usernames and passwords I have the username stored as normal text with the password stored as the first 15 characters of an md5 encryption. The log_in.php page encrypts what people type into the log in form in the same way and checks it against what is in the database.
I have checked that cookies were enabled on several of the people that have errors. It was easy to check since I have a color change feature I created that uses cookies as well, and if the color does not change that shows that cookies are not enabled.
My descriptions outline how it is supposed to work, when I use this log in it does work fine with no problems, and it does work for many other people. But shortly after my site opened up I started receiving emails of people saying that when they logged in it would take them back to the page and still show them as guest without any errors being displayed. This has only happened with a few people but I still want to fix this error before it happens to any other users.
The error baffles me since I can use the page just fine, and people that have given me their username and password do work when I use them on my computer. But they say they continue to have trouble logging in. I wish the problem were as simple as I forgot a " somewhere, but since it does work for me and others that isn't the case.
Any improvements to my code or insight into what might be causing this error would be appreciated...
Thanks,
drakkon
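The design posted above stores the login proof in the cookies themselves: the username plus a 15-character md5 prefix travels to the browser and back, is compared with `==` (which treats two digests that start with `0e` as equal numbers), is readable by any script on the page, and is accepted for a year when "remember me" is ticked. The redirect target is also taken from `HTTP_REFERER`, which browsers may omit and clients can set freely. The following is an added example, not drakkon's code and not code from the site it describes, showing the same three-part flow rebuilt around a server-side session, `password_hash()`/`password_verify()`, prepared statements and a hashed "remember me" token. It assumes PHP 7.3 or later with mysqli (mysqlnd) and a `login` table altered to hold `passwd_hash` (VARCHAR(255), written with `password_hash()`) and `remember_hash` (CHAR(64) NULL); the database credentials are placeholders, and the function names are my own.

```php
<?php
// Added example (not drakkon's code): a hardened rewrite of the same login flow.
// Assumed: PHP 7.3+ with mysqli/mysqlnd, a `login` table altered to hold passwd_hash
// (VARCHAR(255), written with password_hash()) and remember_hash (CHAR(64) NULL),
// and placeholder DB credentials.

function db_conn(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions, not false
    return new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'fpdb');
}

// Prepared statement: the username travels as a bound parameter, never inside
// the SQL text, so no addslashes()-style escaping is needed.
function fetch_user(mysqli $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT passwd_hash, remember_hash FROM login WHERE usernm = ? LIMIT 1');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Session cookie: HttpOnly keeps it from scripts, Secure keeps it off plain HTTP,
// SameSite=Lax keeps it off cross-site POSTs.
function start_session(): void
{
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'domain' => '.fanciersplus.com',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Check the password server-side; on success bind the user to a fresh session id
// so an id handed out before login (session fixation) cannot be reused.
function log_in(mysqli $db, string $user, string $pass, bool $remember): bool
{
    $row = fetch_user($db, $user);
    if ($row === null || !password_verify($pass, $row['passwd_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    if ($remember) {
        issue_remember_cookie($db, $user);
    }
    return true;
}

// "Remember me": the browser gets a random token, the database keeps only its
// SHA-256, so a copied table does not yield working cookies.
function issue_remember_cookie(mysqli $db, string $user): void
{
    $token = bin2hex(random_bytes(32));
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('UPDATE login SET remember_hash = ? WHERE usernm = ?');
    $stmt->bind_param('ss', $hash, $user);
    $stmt->execute();
    setcookie('remember', $user . ':' . $token, ['expires' => time() + 30 * 86400, 'path' => '/',
        'domain' => '.fanciersplus.com', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Run on every page: a live session wins, a valid remember cookie re-creates one,
// anything else is "Guest".
function current_user(mysqli $db): string
{
    if (isset($_SESSION['user'])) {
        return $_SESSION['user'];
    }
    $cookie = $_COOKIE['remember'] ?? '';
    if (strpos($cookie, ':') === false) {
        return 'Guest';
    }
    [$user, $token] = explode(':', $cookie, 2);
    $row = fetch_user($db, $user);
    // hash_equals() is constant-time; a NULL stored hash becomes '' and never matches.
    if ($row === null || !hash_equals((string) $row['remember_hash'], hash('sha256', $token))) {
        return 'Guest';
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return $user;
}

// log_in.php handler: redirect to a fixed page, not to HTTP_REFERER, which the
// browser may omit and the client can set to anything.
start_session();
$db = db_conn();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = log_in($db, (string) ($_POST['user'] ?? ''), (string) ($_POST['pass'] ?? ''),
                 isset($_POST['remember']));
    header('Location: ' . ($ok ? '/index.php' : '/login.php?err=1'));
    exit;
}
$user = current_user($db);
```

Two points worth knowing when moving to this shape. `session_start()` (here inside `start_session()`) has to run before any byte of output on every page, including whitespace before `<?php`; output sent first is the usual reason sessions appear not to carry from page to page. And because the cookie value is `username:token`, a username containing a colon would be split at the first colon; if such names are allowed, store a separate numeric user id in the cookie instead.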