Session Problems

move3rd

I using sessions to mange user on my site. For some reason once logged in I'm able to access other users info!!

Here is my login script:
<?

/ start login							 
if ($_POST['a'] == 'login'){

$sql_select = mysql_query( "SELECT * FROM `store_category` WHERE `user` = '".$_POST['user']."' LIMIT 1");

// Check to see that a row was found
$row_count = mysql_num_rows($sql_select);

// if nothing found dislay a message
if($row_count == 0){
   $content = "<table align=\"center\"><tr><td align=\"center\">";
   $content .= "<b>Incorrect username</b>";
   $content .="</td></tr><tr><td align=\"center\"><br>
   <a href=\"/members/\">Please try again<a>";
    $content .= "</td></tr></table>";

                     }else{
while ($row = mysql_fetch_array($sql_select))
	{
	 // if the password enterd matches the password the the db set session 'user' 
      $md5_pass = md5($pass); 	
	if($md5_pass == $row['password'])
		{
		$_SESSION['artist'] = $row['category']; // 1 category per user
		$_SESSION['member'] = $row['user'];

	}else{
		  $content = "<table align=\"center\"><tr><td align=\"center\">";
	      $content .= "<b>Incorrect password</b>";
		  $content .="</td></tr><tr><td align=\"center\"><br><a href=\"/members/\">Please try again<a>";
		  $content .= "</td></tr></table>";

		     }		
	}//end while				
			                              } // end else
				   }// End login

Then I use $SESSION['artist'] in my sql querys to make sure the user can only retreive there info from the ~DB.

<? if(isset($_SESSION['artist'])){

$query = "SELECT id,title,newstext,artist," . 
   "DATE_FORMAT(postdate, '%d-%m-%Y') as postdate " . 
   "FROM news WHERE artist = '".$_SESSION['artist']."' ORDER BY postdate DESC limit $offset, $limit";  
$result = mysql_query($query);  
                               }
?>

This above works fine but when I leave the members area go to another page on my site and then go back again (by typing in the url /members) I'm then viewing another users info?
How is this possible?😕 😕

I dont use $_session['artist'] anywhere else on the site.

shamly

Do you maintain the session when u switch from member area to another page on u r site? check if the session id generated after comming back to the members area is the same as the one when user was in the members area previously.

move3rd

Originally posted by shamly
Do you maintain the session when u switch from member area to another page on u r site? check if the session id generated after comming back to the members area is the same as the one when user was in the members area previously.

The session before leaving the members area:
55f83433d15166cbb261ec046622293b

The session when returning to the members are:
55f83433d15166cbb261ec046622293b

They are the same

shamly

well another way that you can check whats happening in the session is to print all data thats in the session on each page and check where it is going wrong ( Not the prettiest method :-) ) or u could open the php session cookie and check the values that are in it after each page load.

move3rd

I echoed $_SESSION['artist']; on the memebers page while logged in as 'joe'.

Then I left members.php and went to anthor page on the site which does not set and any sessions.

When I go back to members.php I'm logged in as a dif user?

$_SESSION['artist'] outputs 'some other user' when it should output 'joe'

:bemused: 😕 :bemused:

shamly

Well something is definitely changing the value in the session. check and see what the value is before you assign it to $_SESSION['artist'] in both instances. I think is where the problem occurs.

:-)