Cross browser sessions

Litninfingers63

Hello,

I set up my first login recently, and it works in internet explorer. I have it so when the user logins, it inserts the session in the database, and also inserts the session vars into cookies.

All is well in IE, as I've said. But in mozilla, it does not work. I really have no idea why. I know it's not as efficient at it could be, but it's my first login, and it will be redefined, but here is the code:

<?php 

$usernamecookie = $_POST['username'];
$passwordcookie = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];

//Grab the Username, Password, and ID of the user attempting to login.
$grabuserinfo = mysql_query("SELECT * FROM member WHERE username='$usernamecookie'");
$row = mysql_fetch_array($grabuserinfo);

$username = $row['username'];
$password = $row['password'];
$id = $row['id'];

//Grab the IP from the member table
$grabip = mysql_query("SELECT * FROM session WHERE ip ='$ip'");
$row2 = mysql_fetch_array($grabip);

$ip2 = $row2['ip'];
$sessionusername = $row2['username'];
$id2 = $row2['id'];

if( $ip == $ip2 && $id !== $id2 ){
	mysql_query("DELETE FROM session WHERE sid ='$session_id'");
	echo "<meta http-equiv='refresh' content='3;URL=$HTTP_REFERER'>Logging in with the same IP and a different username.<br>Security code: ".$session_id;
	session_unset();
	session_destroy();
	exit();
}


if( $usernamecookie == "" or $passwordcookie == ""){

echo "Enter some information.";
session_unset();
session_destroy();
exit();
}

if( $usernamecookie == "$username" && $passwordcookie == "$password"){

$session_id = session_id();
session_register("usernamecookie");
session_register("passwordcookie");
session_register("session_id");
$time = time();
$timeout = $time + 500;

$insertsession = "INSERT INTO session( sid, id, username, password, ip, timeout, lastclick ) values( '$session_id', '$id', '$username', '$password', '$ip', '$timeout', '$time' )";
mysql_query($insertsession) or die ("WTF - ".mysql_error());


echo "<meta http-equiv='refresh' content='3;URL=$HTTP_REFERER'>
Verifying your login information. Please wait.";
}
else{
echo "Your username or password was incorrect. Please input the right information.";
exit();
}

?>

And I will post the header in my next post (to break it up into two posts, instead of one huge one)

Litninfingers63

<? 
$dbh = mysql_connect ("localhost", "serverse_servers", "<password-removed>") or die ('I cannot connect to the database because: ' . mysql_error());
mysql_select_db ("serverse_rateme"); 


    //common vars
session_start();
$session_id = session_id();
$rooturl = "http://mysite";


$sql = mysql_query("SELECT password FROM member WHERE username = '$usernamecookie'");
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);

if($numrows != "0" & $passwordcookie == $fetch_em["password"]) {
$validate = true;
}
else {
$validate = false;
}


$time_update = time();
$sessionid_update = $_GET['sid'];
mysql_query("UPDATE session SET lastclick = '$time_update' WHERE sid = '$sessionid_update'");

?>

crimaniak

help() faied: too many errors
🙂

Please first read php manual about security ans sessions than try to redesign code. First you insert POST data direct to SQL query - never do this. Use AddSlashes() for string constants and (int) for integer. Second, you don't need to store session data to cookies or database usually.