[RESOLVED] What's wrong with this code?

wkilc

I've been using a session login script for several weeks... and now I'm trying to add a checkbox for "keep me logged in".

I've added <input type="checkbox" name="remember">
to my form and these two lines of code to my login script:

   $_POST['user'] = stripslashes($_POST['txt_user']);
   $_SESSION['user'] = $_POST['txt_user'];      

   if(isset($_POST['remember'])){
      setcookie("cookname", $_SESSION['user'], time()+60*60*24*100, "/");

And now my login script works, but only if the "keep me logged in" box is checked... if I leave the box unchecked, the session is not set, when I submit the login form, I'm right back at the login again. In theory, I'd like the cookie set only if the username and password check out.

Here's the entire login code:

<?php
// we must never forget to start the session

session_set_cookie_params (0, '/', '.domain.com');

session_start();


MySQL_connect("localhost", '****', '*****'); MySQL_select_db("users");


$errorMessage = '';
if (isset($_POST['txt_user']) && isset($_POST['txt_pass'])) {

$user   = $_POST['txt_user'];
$pass = $_POST['txt_pass'];

// check if the user id and password combination exist in database
$sql = "SELECT user
        FROM users
        WHERE user = '$user' AND pass = PASSWORD('$pass')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

}

   /* Username and password correct, register session variables */
   $_POST['user'] = stripslashes($_POST['txt_user']);
   $_SESSION['user'] = $_POST['txt_user'];      

   if(isset($_POST['remember'])){
      setcookie("cookname", $_SESSION['user'], time()+60*60*24*100, "/");

if (mysql_num_rows($result) == 1) {
    // the user id and password match,
    // set the session
    $_SESSION['logged_in'] = true;

    // after login we move to the main page
if ($_GET['redir']) {
header('Location: '.$_GET['redir']); 
}   else  {
        header('Location: welcome.php'); 
    exit;
    }
} else { 
    $errorMessage = 'Sorry, not a valid combination - please see below'; 
  } 
}
?>

Am I missing something as simple somewhere? Remember, I'm a nOOb.

Thank you.

~Wayne

Roger_Ramjet

It's a problem with your iFs - everything after the set session vars is inside the second one so you go nowhere unless the remember me is true.

With a remember-me system, the first thing you should do is to look for the cookie. Do that every time. If the cookie is there then validate the username in it, otherwise present the user with the login form and validate their input.

cyberlew15

Dude this is one of those things we all hate your probably tired change code to read

<?php 
// we must never forget to start the session 

session_set_cookie_params (0, '/', '.rimea.org'); 

session_start(); 


MySQL_connect("localhost", '****', '*****'); MySQL_select_db("users"); 


$errorMessage = ''; 
if (isset($_POST['txt_user']) && isset($_POST['txt_pass'])) { 

$user   = $_POST['txt_user']; 
$pass = $_POST['txt_pass']; 

// check if the user id and password combination exist in database 
$sql = "SELECT user 
        FROM users 
        WHERE user = '$user' AND pass = PASSWORD('$pass')"; 

$result = mysql_query($sql) or die('Query failed. ' . mysql_error()); 

} 

   /* Username and password correct, register session variables */ 
   $_POST['user'] = stripslashes($_POST['txt_user']); 
   $_SESSION['user'] = $_POST['txt_user'];       

   setcookie("cookname", $_SESSION['user'], time()+60*60*24*100, "/"); 

if (mysql_num_rows($result) == 1)  
    // the user id and password match, 
    // set the session 
    $_SESSION['logged_in'] = true; 

    // after login we move to the main page 
if ($_GET['redir']) { 
header('Location: '.$_GET['redir']);  
}   else  { 
        header('Location: welcome.php');  
    exit; 
    } 
} else {  
    $errorMessage = 'Sorry, not a valid combination - please see below';  
  }  

?>

Just a matter of removing the logout box.

Furthermore some suggestions for checking you could add hash to the cookie that acts like an auth code for each user this could stop unwanted break-ins to your code :evilgrin:

wkilc

Thanks very much for replying... I've been messing around with this for over a week.

When I manually removed that line:

   if(isset($_POST['remember'])){
}

Gives me this error when loading the page:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource

If I copy and paste cyberlew's code, I get and error, "unexpected } on line 46"... it seems I have four {'s and five }'s... so I remove the } after "exit"... before the final "else"... and then it gives me "unexpected T_ELSE on line 46".

I also tried simply moving the cookie lines to earlier in the script, but had no luck with that, either:

   /* Username and password correct, register session variables */
   $_POST['user'] = stripslashes($_POST['txt_user']);
   $_SESSION['user'] = $_POST['txt_user'];      

   if(isset($_POST['remember'])){
      setcookie("cookname", $_SESSION['user'], time()+60*60*24*100, "/");

The login script functions perfectly without these "remember" feature (the previous four lines of code).

~Wayne

wkilc

Me again... I re-read Roger's reply, I think I understand the logic, but I am still confused about what to do.

I also tried moving the setCookie lines down to after the session is set...

<?
 session_set_cookie_params (0, '/', '.domain.org');
session_start();

MySQL_connect("localhost", '******', '******'); MySQL_select_db("users");


$errorMessage = '';
if (isset($_POST['txt_user']) && isset($_POST['txt_pass'])) {

$user   = $_POST['txt_user'];
$pass = $_POST['txt_pass'];

// check if the user id and password combination exist in database
$sql = "SELECT user
        FROM users
        WHERE user = '$user' AND pass = PASSWORD('$pass')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error()); 

if (mysql_num_rows($result) == 1) {
    // the user id and password match,
    // set the session
    $_SESSION['logged_in'] = true;  }

   $_POST['user'] = stripslashes($_POST['txt_user']);
   $_SESSION['user'] = $_POST['txt_user'];      

   if(isset($_POST['remember'])){
      setcookie("cookname", $_SESSION['user'], time()+60*60*24*100, "/");

    // after login we move to the main page
if ($_GET['redir']) {
header('Location: '.$_GET['redir']); 
}   else  {
        header('Location: welcome.php'); 
    exit;
    }
} else { 
    $errorMessage = 'Sorry, not a valid combination - please see below'; 
} 
}
?>

This logs me in, even without the checkbox checked, but still sends me back to the login page rather than the welcome.php.

And if I move the set cookie to after the redirect, the cookie will never be set, becasue I'll be on the other page before it happens, no?

And if I move it BEFORE I validate the username and password, that would allow the cookie to be set with any old username someone puts in, no?

I'm very confused. :bemused:

~Wayne

wkilc

Think I solved it... this seems to work:

<?php
// we must never forget to start the session

session_set_cookie_params (0, '/', '.domain.org');

session_start();


MySQL_connect("localhost", '********', '********'); MySQL_select_db("users");

   $_POST['user'] = stripslashes($_POST['txt_user']);
   $_SESSION['user'] = $_POST['txt_user'];      



$errorMessage = '';
if (isset($_POST['txt_user']) && isset($_POST['txt_pass'])) {

$user   = $_POST['txt_user'];
$pass = $_POST['txt_pass'];

// check if the user id and password combination exist in database
$sql = "SELECT user
        FROM users
        WHERE user = '$user' AND pass = PASSWORD('$pass')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error()); 

if (mysql_num_rows($result) == 1) {
    // the user id and password match,
    // set the session
    $_SESSION['logged_in'] = true; 

    // after login we move to the main page

   if(isset($_POST['remember'])){
      setcookie("cookname", $_SESSION['user'], time()+60*60*24*100, "/");
}
	if ($_GET['redir']) {
	header('Location: '.$_GET['redir']); 
    }   else  {
            header('Location: welcome.php'); 
        exit;
        }
    } else { 
        $errorMessage = 'Sorry, not a valid  combination - please see below'; 
    } 
}
?>

The only thing left to do would be to add "hash" the cookie to make it more secure. Of course, I have no idea... this is something to do with encrypting the user name in the cookie using something like "md5"?

But then again, if it's encrypted, how can I verify the username against the DB later?

Anyone care to shove me in the right direction?

Thanks for reading!

~Wayne