$_SESSION woes

Count

Hi, first time poster, long time lurker.

I have a problem with session variables that i can't seem to solve. I have a login script that works absolutely perfectly, SQL statements with the session variables retreive and store data properly, the session variables are updated and modified properly and all comparisons are being performed correctly. The file is being require() in the first line of each page that the login is being required on. The only problem is, i can't get the $_SESSIOn variables to output to the browser.

I have tried using the classic echo $SESSION['foobar'] and printf('%s', $SESSION['foobar']) but they both output null. And when echoing data from the check_login file, it refuses to output anything for the $_SESSION variables, even when echoing the sprintf SQL query, it shows the query EXCEPT for the session variable it's seeking, but the query performs properly retreiving the correct data.

Can someone help me out with this problem?

Here's a snippet of my check_login.php code:

<?php
session_start();

if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) 
{
	$logged_in = 0;
	return;
} 
else 
{
	if(!get_magic_quotes_gpc()) 
	{
		$_SESSION['username'] = addslashes($_SESSION['username']);
	}

$query = sprintf('SELECT username, password, rank FROM users WHERE username =\'%s\'', $_SESSION['username']);
$result = mysql_query($query);

if(!$result || mysql_num_rows($result) == 0)
{
	$logged_in = 0;
	unset($_SESSION['username']);
	unset($_SESSION['password']);
}

$row = mysql_fetch_row($result);

$row[1] = stripslashes($row[1]);
$_SESSION['password'] = stripslashes($_SESSION['password']);

if($_SESSION['password'] == $row[1]) 
{ 
	$logged_in = 1;
} 
else 
{
	$logged_in = 0;
	unset($_SESSION['username']);
	unset($_SESSION['password']);
}
}


$_SESSION['username'] = stripslashes($_SESSION['username']);
echo $row[0];
unset($row[0]);
?>

bpat1434

And where are you outputting to the browser? I see you outputting $row[0], but no $_SESSION variable....

~Brett

Count

i didnt for the purpose of this code, but normally i put it just before the variables unset. the output is usually called in the file that "requires()" this at the start of the page. The problem is, as well, none of the variables are being output here. I can output the $logged_in value and that's it. even "echo row[0]"; returns nothing.

bpat1434

So, what does the $logged_in value have?

~Brett

Count

when i log in, it has 1 when i am not logged in, it has 0. The php is performing all the checking functions it requires and is doing exactly what it's supposed to, its just not letting me see any of the variables it's using, whether here or in the page that requires() it.

bpat1434

Huh.... seems to me everything should be working. Have you done a var_dump($_SESSION) to see if that gives you anything?

~Brett

Count

no, i'll try that and see what comes up. The damnest thing is that it is working, it just wont return any variables to the browser.

Count

array(2) { ["password"]=> string(0) "" ["username"]=> string(0) "" }

that's all that was returned when the var dump was called. it suggests there's nothing in there. but there is?

bpat1434

Well, here's what I'm thinking (and bear with me if it seems odd...):
You may have a security hole that you don't mean to exploit. I think, that by some odd twist of fate, your code is finding that an empty session variable is the same as an empty row. So if $row[0] is empty, and $row[1] is empty, then you'd validly log in. That's what it seems to have happening. It's like you created a login script that no matter what, you log in!! Intersting.....

Have you tried other logins? I mean, does it work for any login user/pass combo? Or not? Does it work for incorrect logins? I'm pretty sure that there's something awry with your code, and it's just out of my sight right now...

~Brett

Count

Yea, thats what lead me to believe that the code is working fine. If i log in with my test account "Count" it will fail to log me in with the wrong password/username, and will fail to log me in if i dont enter all the correct details.

The server will also fail to log me in if i enter a username password combo that doesnt exist on the server, it calls a 'die()' and sods off.

bpat1434

Well, I'm at a loss... it shoudl be working....

~Brett

Count

Could there be something wrong with my login code instead? i mean that check_login might function perfectly, but login.php may not be passing everything correctly. (check_login is require() in dbConnect.php)

<?php
require 'dbConnect.php';

if($logged_in == 1) 
{
	header('Location: home.php');
}

if (isset($_POST['submit'])) 
{
	if(!$_POST['username'] | !$_POST['password']) 
	{
		die('You did not fill in a required field.');
	}

if (!get_magic_quotes_gpc()) 
{
	$_POST['username'] = addslashes($_POST['username']);
}

$query = sprintf('SELECT username, password FROM users WHERE username = \'%s\'', $_POST['username']);
$result = mysql_query($query);

if (!$result || mysql_num_rows($result) == 0) 
{
	die('That username does not exist in our database.');
}

$row = mysql_fetch_row($result);

$_POST['password'] = stripslashes($_POST['password']);
$row[1] = stripslashes($row[1]);
$_POST['password'] = md5($_POST['password']);

if ($_POST['password'] != $row[1]) 
{
	die('Incorrect password, please try again.');
}

$date = date('d.m.y@H:i');
$IP = $_SERVER['REMOTE_ADDR'];

$updatequery = sprintf('UPDATE users SET LastLogin = \'%s\', LastIPAddr = \'%s\' WHERE username = \'%s\'', $date, $IP, $_POST['username']);
mysql_query($updatequery);

$_POST['username'] = stripslashes($_POST['unserame']);
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
mysql_close($db);

$nick = $_SESSION['username'];
?>

<h1>Logged in</h1>
<p>Welcome back <?php echo $_SESSION['username']; ?>, you are logged in.</p>

<?php

} else {	// if form hasn't been submitted

?>
<h1>Login</h1>
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table align="center" border="1" cellspacing="0" cellpadding="3">
<tr><td>Username:</td><td>
<input type="text" name="username" maxlength="40">
</td></tr>
<tr><td>Password:</td><td>
<input type="password" name="password" maxlength="50">
</td></tr>
<tr><td colspan="2" align="right">
<input type="submit" name="submit" value="Login">
</td></tr>
</table>
</form>
<?php
}
?>
</body>
</html>

EDIT: Heh, i found the problem as soon as i posted this, i feel like a freaking moron for not picking up on it sooner. it was sending a "Null" value to the check_login after you logged in. But it did highlight that exploit in the code. Thanks for your help!