User Authentication System

middleman666

Hey people,

im having trouble, i think with sessions.

I have the following script (member.php):

<?php

session_start();

$mysql_database="dbname";
$mysql_username="user";
$mysql_password="pass";

$dbconnect = mysql_connect("localhost",$mysql_username,$mysql_password) or die ("Unable to connect to SQL server");
mysql_select_db($mysql_database,$dbconnect) or die ("Unable to select database");

//create short variable names
$username = $_POST['username'];
$password = $_POST['password'];

// they have just tried logging in
if ($username && $password) {

  // check if username is unique
  $result = mysql_query("select * from users where username='$username' and password=sha1('$password')")
          or die ("Could not log you in.");

  if (mysql_num_rows($result)) {
    $_SESSION['valid_user'] = $username;
  }
  else {
	echo 'Login Failed. <br />[<a href=login.php>login</a>]';
   	exit; 
  }
}

echo 'Logged in as '.$_SESSION['valid_user'];

$user = $_SESSION['valid_user'];

$encPass = sha1($password); 

$result = mysql_query("select * from users where username='$user'")
      or die ("Couldn't Connect to Database.");

// now display the results returned
$row= mysql_fetch_array($result);

//Set result character limits
  echo '<br><br><a href="'.$row['sitedir'].'/Admin/">Continue to '.$row['sitename'].'s Admin Area</a><br><br>';

include('member-menu.php');

?>

the script, makes sure the user is in the database and has the correct password and then it writes a link to that users admin area.

the page that the link takes the user to has a check on it to see if a session is open. this page is in a different directory to member.php.

I have the same check on a page which is in the same directory as member.php. - the trouble is this check works on this page but doesnt work on the page in the other directory.

this is my check code:

<?php

session_start();

$mysql_database="dbname";
$mysql_username="user";
$mysql_password="pass";

$dbconnect = mysql_connect("localhost",$mysql_username,$mysql_password) or die ("Unable to connect to SQL server");
mysql_select_db($mysql_database,$dbconnect) or die ("Unable to select database");

  // check valid user
  if (isset($_SESSION['valid_user'])) {
      echo '<table width="250" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC">
            <tr><td width="75"><b>User Status: </b></td>
                <td bgcolor="#FFFFFF">Logged in as '.$_SESSION['valid_user'].'.</td>
            </tr>
            </table>';
  }
  else {
      echo '<table width="250" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC">
            <tr><td width="75"><b>User Status: </b></td>
                <td bgcolor="#FFFFFF">You are not logged in.<br />[<a href=login.php>login</a>]</td>
            </tr>
            </table>';
      exit;
  } 
?>

is there something that stops sessions working across directories?

any help is welcome,
Thanks.

Rodney_H_

Here is a simplified rendition of your code:


<?php
session_start();

// if login attmept is incomplete:
if(!isset($_POST['username']) || !isset($_POST['password']))
{
	echo 'Please go back and enter your username and password.';
	exit;
}

// else, process the login request:
else
{
	// connect to db:
	$connect = mysql_connect("localhost",'user','pass') or die ("SQL unavailable.");

$db = mysql_select_db('dbname',$connect) or die ("Unable to select database");

$query = "SELECT `username`
		 FROM `users`
		 WHERE `username` = '".mysql_real_escape_string($_POST['username'])."'
		 AND `password` = '". sha1($_POST['password']) . "'
		 LIMIT 1";

$result = mysql_query($query) or die ("Could not run query.");

// if they are NOT found:
if (mysql_num_rows($result) == 0) 
{
	echo 'Login Failed. <br />[<a href=login.php>login</a>]';
	exit;
}

// else, successful login:
else
{
	$_SESSION['valid_user'] = $_POST['username'];
	echo 'Logged in as ' . $_SESSION['valid_user'];

	// etc....
  }
}
?>

After that, the value assigned to $_SESSION['valid_user'] should be accessible on other pages of your site as long as you are starting a session prior to attempting to access that value.

(side notes: for the SELECT query, you don't have to return ALL rows (*), but only one value to ensure there is a match for the values passed.

Also, you may LIMIT your query to ONE distinct match as well, using a LIMIT clause.)

Hope it helps...

middleman666

hey, thanks for the reply,

it helped simple it out, but im still having trouble keeping my session active in different directories.

I have the following code in a file (here.php):

<?php
session_start();

$mysql_database="dbname";
$mysql_username="user";
$mysql_password="pass";

$dbconnect = mysql_connect("localhost",$mysql_username,$mysql_password) or die ("Unable to connect to SQL server");
mysql_select_db($mysql_database,$dbconnect) or die ("Unable to select database");

  // check valid user
  if (isset($_SESSION['valid_user'])) {
      echo 'Logged in as '.$_SESSION['valid_user'];
  }
  else {
      echo 'You are not logged in.';
      exit;
  } 

?>

this works and the user is still logged in when the here.php is placed in the same directory as the member.php file, but if i move this file to a different directory it doesn't work and the user is no longer logged in.

do you know why that might be?
thanks.

bogu

Try a simple test.

Create a file named 001.php and add this code into it:

<?php
	session_start();
	$_SESSION['favcolor'] = 'green';
	$redirect = "002.php";
	header("Location: {$redirect}");
	die("If the page doesn't redirect click <a href='{$redirect}'>here</a>");
?>

Create another file named 002.php and add this code into it:

<?php
	session_start();
	echo "<pre>",print_r($_SESSION,1),"</pre>";
	session_destroy();
?>

If your session are set correctly u should see on your output something like this:

Array
(
    [favcolor] => green
)

middleman666

ok, I done the test and yes it returns what you said it would.

but then I changed the test so 002.php was in a different directory to 001.php and it returned:

Array
(
)

Do you know why this is?

thanks.

bogu

Check your php.ini for this:

; The path for which the cookie is valid.
session.cookie_path = /

and set it like this so your session will be knowen in all of your subfolders ...
if u dont have access to your php.ini then this can be set in your script by using ini_set

middleman666

hey,

thanks for that, it does appear to be the problem.
my host allows creation of custom php.ini files so ive added the code you gave me to the directory with member.php in.

it appears to for subfolders, but I'd like it to work for folders before the current directory.

for example:
member.php is in this directory:

/sites/users/login/member.php

but the page I want to foward to is in this directory:

/sites/sitename/admin/index.php

ive tried adding:
session.cookie_path = ../../

to the ini file, but it doesn't seem to work.

is there a way to allow this to work?

thanks