Wierd!! Script with a mind of it's own!

move3rd

Hi,

I have a login script that checks my db for user info and adds $user and $user_group to the session. If $user_group is admin I'm redirected to the admin area. If $user_group is user I'm redirected to the user area.

Last night I added some code to my admin area pages which will print "you do not have permission to access this page" if the $user_group is not admin. I uploaded the my modified poges and tested them. Everthing worked correctly.

I tried to login this morning and I was denied access to my pages. The script was not recignising that I was in $user_group "admin". I reviewed my code and could not find any problems. My head was batterd so I left it alone for a few hours and had a brake!

I've just tried logging in again and the script is now working correctly! I havent changed any of the code. How can this be?

It's extreamly worrying for me as I'm new to php. Does anyone know why somthing like this might happen?

Thanks

HalfaBee

Probably something to do with cookies or sessions.

move3rd

Thanks for taking the time to read my prob!

I like your signiture! I'd love to believe it's true... I normaly take my time and think things over. somtimes I worry I dont do enough actual work but I gues thinking is working!

I dont see how it could be a sessions problem. I did try closing my browser and re-loggin in when it wasnt working but it's didnt help.

HalfaBee

Netscape is a bit loose with sessions.
Not knowing what how you are doing makes it hard to make any other suggestion.

Q. Who invented the Shotgun?
A. The lazy rifleman.

move3rd

The same thing just happened again. I logged in but when forwarded to the admin page I was denied access.

Here is my code:

Header.php

<? 
// Check yo see if the user is logged-in
if ($_SESSION['user_group'] == NULL)
 {include "login.php"; 
  // Register session username as guest (if not logged-in)
  $_SESSION['user_group'] = "guest";
 } else {
          if ($_SESSION['user_group'] == guest)
		       { // Display log-in form if user is not logged-in
			   include "login.php";
			   } else {// Show welcome message and log-out link if logged-in
		               echo "Welcome $_SESSION[username] <a href=\"/$install_dir"; echo "logout.php\"> Log-out</a>";
				      }
        } 
?>

post_login.php (the script that proccesses the login form)

<?php 
// start the session 
session_start(); 
header("Cache-control: private"); //IE 6 Fix 

// Get the user's input from the login form 
   $name = $_POST['username']; 
   $pass = $_POST['password']; 

// Register session with the inputed value 
   $_SESSION['username'] = $name;     

// Invalid username or password message
   $try_again = "Incorrect \"username\" or \"password\"";
// Asign member area paths
   $artist_area = "artists/";
   $admin_area = "admin/";

// Adslashes to cencel out possible input of " " ''   

   addslashes($name);

// Include Datatbase connection
   include "db.php";

$sql = "SELECT DISTINCT * FROM `users` WHERE `user` = '$name'";

$result = mysql_query($sql);

if (!$result) {
   echo "Could not successfully run query ($sql) from DB: " . mysql_error();
   exit;
              }
// If no rows are found display invalid username or password message
if (mysql_num_rows($result) == 0) {
    $_SESSION['username'] = FALSE; //Clear session
	echo "<h4 align=center>$try_again</h4><br>
         <div align=center><a href='login.php'>Try Again</a></div>";  

    exit;                         }

while ($row = mysql_fetch_array($result)){
    extract($row);

if (!isset($_POST['submit'])) 
    { 
    echo "There is a problem please contact the webmaster and quote this ref number (1)";
    } 
//check if username and passwords are correct 
  else { 
    if ($name == $user && $pass == $PASSWORD)
          {           

//If user is admin forward to the admin directory
if ($user_group == admin){
$_SESSION['user_group'] = admin; //Add user group to session
$_SESSION['user_id'] = $ID; //Add user ID to the session
header("Location: $admin_area"); //Redirect browser
exit;                    

					     } else {
						 if ($user_group == artist){
						 $_SESSION['artist_name'] = $artist; //Add artist name to session
						 $_SESSION['user_group'] = artist; //Add user group to session
						 $_SESSION['user_id'] = $ID; //Add user ID to the session
						 header("Location: $artist_area"); //Redirect browser
						 exit;                     }  //end IF $user_group == artist
						        }
          }//end IF $user && $pass   

//If invalid username and/or password do the following
        else { 

//Clear Session Varibles
    $_SESSION['username'] = FALSE;
	$_SESSION['artist_name'] = FALSE;
	$_SESSION['user_group'] = FALSE;

//Print try again
    echo "<h4 align=center>$try_again</h4><br>
	<div align=center><a href='login.php'>Try Again</a></div>"; 
              }
}//End else if $user && $pass 
                                         }//End While extract $row
mysql_free_result($result);

mysql_close($conn);
?>

Admin Area index.php

<?
$page_title = "Admin Area"; //Page Title
include "../../config.php";
include "../../header.php";
include "../../db.php";

// Start -- Hide this page from guests and users
if ($_SESSION['user_group'] == guest){
echo "$no_access"; 
exit;
                                     }
if ($_SESSION['user_group'] == user){
echo "$no_access"; 
exit;
                                    }
if ($_SESSION['user_group'] == artist){
echo "$no_access"; 
exit;
                                      }
?>

HalfaBee

You need
session_write_close();

before

header("Location: $admin_area"); //Redirect browser

move3rd

Thanks HalfaBee

Why is that? I dont understand.

HalfaBee

It has something to do with the way cookies are sent.
I assume it is because when you do the header() the cookies are then set after the header, which means they are not available until after the next page load.
I assume it fixed the problem. 🙂

move3rd

Ye, it working correctly now. 😃

Thanks!