help with session code.

thebaxter

hello. i am currently rewriting and updating my code in regards to having register_globals turned off. the login script consist of three functions all in the same page.

first function is the login form:

function loginForm() {

htmlHeader();
?>
<form method="POST" action="<?php echo $_SERVER[PHP_SELF] ?>"> 
<input type="hidden" name="cmd" value="added">
<table align="center" cellpadding=2 cellspacing=0 border=0> 
	<td class="formText">Username:</td>
	<td>
		<input type="text" name="userid" size=10 class="textBox">
	</td>
	<td class="formText">Password:</td>
	<td>
		<input type="password" name="userpassword" size=10 class="textBox">
	</td>

	<td>&nbsp;</td><td><input type="submit" name="submit" value="log in" class="formButtons"></td> 
</table>
</form>

<?
htmlFooter();
}

the form is then checked with an this:

session_start();

if(!isset($_POST['userid']) && !isset($_POST['userpassword'])) {
	loginForm();
	exit;
}
else {

$_SESSION['userid'] = $_POST['userid'];
$_SESSION['userpassword'] = $_POST['userpassword'];

$loginID = $_POST['userid'];
$loginPassword = $_POST['userpassword'];

$user = authUser($loginID, $loginPassword);
if(!$user) {
	echo "Wrong Password";
	unset($_SESSION['userid']);
	unset($_SESSION['userpassword']);
	loginForm();
	exit;
}
}

and the last bit of code verifies the info in the mysql DB:

function authUser($loginID, $loginPassword) {

global $admintable;

$loginID = $_POST['userid'];
$loginPassword = $_POST['userpassword'];

$linkID = db_connect('guernica');
$result = mysql_query("SELECT count(*) FROM $admintable WHERE userid = '$loginID' AND userpassword = password('$loginPassword')", $linkID);

while($row = mysql_fetch_row($result)) {
	if($row[0] < 0) {
		return 0;
	}
	else {
	if($row[0] > 0) {
		return $row[0];
	}
}

} 
}

everything works fine if the user enters the correct login, it sends them to the admin page, but anytime they click an option like to add a news item it takes them back to the login page. i have no clue what is going on.

so if they wanted to add a news item the address bar would look like this:

domain.com/admin.php?cmd=newsPage&userid=userid

any help would greatly be appreciated!

bastien

session_start needsto be on every page that is using the sessions in the app. Is it there?

thebaxter

the whole script is just one page called "admin.php". everything is stored into functions and what not.

i have session_start(); on the top of admin.php page.

here is the revised code:

session_start();
if(!isset($_POST['userid'])) {
	loginForm();
	echo "<br><br><br>Please Fill Out The Login Form";
	exit();
} else {

global $admintable;



$linkID = db_connect('guernica');
$result = mysql_query("SELECT * FROM $admintable WHERE userid = '$_POST[userid]' AND userpassword = password('$_POST[userpassword]')", $linkID);

if(mysql_num_rows($result) == 1) {
	$loggedIn = 'yes';
}



if($loggedIn != 'yes') {
	echo "incorrect password<br>";
	echo "$_POST[userid]<br>";
	echo "$userID<br>";
	echo "$userPassword<br>";
	echo "$admintable<br>";
	unset($_SESSION['userLoggedID']);
	unset($_SESSION['userLoggedPass']);
	loginForm();
	exit();
} else {
	$session = session_id();
	$_SESSION['userLoggedID'] = $_POST['userid'];
	$_SESSION['userLoggedPass'] = $_POST['userpassword'];
	$_SESSION['login'] = 'yes';

	echo "$_SESSION[userLoggedID]<br>";
	echo "$_SESSION[userLoggedPass]<br>";
	echo "$_SESSION[login]<br>";
	echo "$session";
}

}

and the outcome is still the same they are able to login, but once they click on links like "add a news article" it just takes them back to the login screen.

bastien

Yes, but I'll bet that in the 'add a news article' page you have a check like this

if (!$_SESSION[userLoggedID]){
   header("location:admin.php");
}

This page and any other where this type of check takes place all need the SESSSION_START(); place as the very first line in the file

thebaxter

i do not have that check on the page, only because i didnt know how to use that. everything is stored in one page which is the admin.php page, so there are no other pages.

do you think it's wise to just make seperate pages for the login form then the login check and then the admin?

here is the entire script that i have to work with:

<?php
session_start();
include "./var.inc.php";

/*------------------------------------------------------------------------------------------*/

if(!isset($_POST['userid'])) {
	loginForm();
	echo "<br><br><br>Please Fill Out The Login Form";
	exit();
} else {

global $admintable;



$linkID = db_connect('guernica');
$result = mysql_query("SELECT * FROM $admintable WHERE userid = '$_POST[userid]' AND userpassword = password('$_POST[userpassword]')", $linkID);

if(mysql_num_rows($result) == 1) {
	$loggedIn = 'yes';
}



if($loggedIn != 'yes') {
	echo "incorrect password<br>";
	echo "$_POST[userid]<br>";
	echo "$userID<br>";
	echo "$userPassword<br>";
	echo "$admintable<br>";
	unset($_SESSION['userLoggedID']);
	unset($_SESSION['userLoggedPass']);
	loginForm();
	exit();
} else {
	$session = session_id();
	$_SESSION['userLoggedID'] = $_POST['userid'];
	$_SESSION['userLoggedPass'] = $_POST['userpassword'];
	$_SESSION['login'] = 'yes';

	echo "$_SESSION[userLoggedID]<br>";
	echo "$_SESSION[userLoggedPass]<br>";
	echo "$_SESSION[login]<br>";
	echo "$session";
}

}

/*------------------------------------------------------------------------------------------*/

function htmlHeader() {

?>
<?
session_start();
?>
<html>
<head>
	<title>Guernica</title>
	<link href="../styles/gStyles.css" rel="stylesheet" type="text/css">
</head>
<body class="bgClass">
<?php
}


/*------------------------------------------------------------------------------------------*/

function htmlFooter() {

?>

</body>
</html>
<?
}

/*------------------------------------------------------------------------------------------*/

function loginForm() {

htmlHeader();
?>
<form action="<?php echo $_SERVER[PHP_SELF] ?>" method="POST"> 
<table align="left" cellpadding=2 cellspacing=0 border=0> 
	<td class="formText">Username:</td>
	<td>
		<input type="text" name="userid" size=10 class="textBox">
	</td>
	<td class="formText">Password:</td>
	<td>
		<input type="password" name="userpassword" size=10 class="textBox">
	</td>

	<td>&nbsp;</td><td><input type="submit" name="submit" value="log in" class="formButtons"></td> 
</table>
</form>

<?
htmlFooter();
}

/*------------------------------------------------------------------------------------------*/
function navigation() {

global $PHP_SELF;
?>
<table align="" width="525"  border="0" align="left" cellpadding="3" cellspacing="2">  
	<!-- Front Page -->
	<tr>
		<td class="tr2">
		<?
		echo "<a href=\"$_SERVER[PHP_SELF]\" class=\"main\">$_SESSION[userid]</a>";
		?>
		</td>
	</tr>

	<tr>
		<td class="tr2">
		<?
		echo "<a href=\"$_SERVER[PHP_SELF]\" class=\"main\">Front Page</a>";
		?>
		</td>
	</tr>

	<tr>
		<td class="tr2">
		<?
		echo "<a href=\"$_SERVER[PHP_SELF]?cmd=newsForm&s=$session\" class=\"main\">News Form</a>";
		?>
		</td>
	</tr>

	<!-- Logout -->
	<tr>
		<td class="tr2">
		<?
		echo "<a href=\"_SERVER[PHP_SELF]?cmd=logout\" class=\"main\"> $_SESSION[userLoggedID]</a>";
		?>
		</td>
	</tr>
</table>
<br>
<?
}

/*------------------------------------------------------------------------------------------*/
function newsForm() {


?>
<form method="post" action="<?php echo $PHP_SELF ?>">
<input type="hidden" name="cmd" value="postNews">
<table width="100%" align="left" cellpadding="2" cellspacing="0" border="0">
	<tr>
		<td>
		Subject:
		<br>
		<input type="textfield" name="subject"  class="textFields"></td>
	</tr>

	<tr>
		<td>
		News:
		<br>
		<textarea name="news" rows="15" class="textFields"></textarea>
		</td>
	</tr>

	<tr>
		<td>
		<input type="submit" name="submit" value="Post" class="formButtons">
		<input type="reset" name="clear" value="Clear" class="formButtons">
		</td>
	</tr>

</table>
</form>
<?
}

/*------------------------------------------------------------------------------------------*/



switch($_REQUEST['cmd']) {
	default:
		htmlHeader();
		navigation();
		htmlFooter();
	break;
	case "checkForm":
		htmlHeader();
		checkForm();
		htmlFooter();
	break;
	case "newsForm":
		htmlHeader();
		newsForm();
		htmlFooter();
	break;
}



?>

as you noticed everything is in a function structure and is called via the switch command.

i have not clue what to do with this new update of register_globals being turned off, but once i get the login working i think i can mess with it.

again any help would be greatly appreciated.

bastien

Separate the pages. needed to make the session cookie set right...