[RESOLVED] Login Logic

benracer

Hi,

I am trying to get this login system working. I have the session id and ip address stored in a db at login when the username is correct though i cannot seem to get the script to work where it checks the login session id against the one recorded at login.

$sessid = session_id();
$ip = $_SERVER['REMOTE_ADDR'];

$sql = mysql_query("SELECT * FROM login WHERE sessid='$sessid'");
$login = mysql_fetch_array($sql);

if($check_login != "no"){
    if(!($ip == $login['ip']) && !($_SESSION['admin'] == "admin")){
        echo "NOT LOGGED IN - Redirect to login form etc..."; die(); 
        }
  }  

?>

If i echo the variables i get the same result in the db as in the variables...

IP: 90.xxx.xx.xx
IP On DB: 90.xxx.xx.xx
Session ID: 1b124fcef4a3b2765bc0c615abxxxxxx
Session ID On DB: 1b124fcef4a3b2765bc0c615abxxxxxx

NogDog

This...

if(!($ip == $login['ip']) && !($_SESSION['admin'] == "admin"))

...is equivalent to this...

if($ip != $login['ip'] && $_SESSION['admin'] != "admin")

Is that what you intended?

benracer

Hey,

thanks, i did try that and it didnt work so i found that alternative in another post of your and i still couldnt get it to run correctly.

Forsome reason it will not function correctly...
The check login...

if($_POST['id'] == "login"){
    if($_POST['password'] == "xxx"){
	    $_SESSION['admin'] = "admin";
		$_SESSION['attemps'] = 5;
		mysql_query("INSERT INTO login (sessid,ip)VALUES('$sessid','$ip')") or die(mysql_error());
		header("location:index.php");
		die();
	    }else{
		    if(empty($_SESSION['attemps'])){
			    $_SESSION['attemps'] = 5;
				}
		$_SESSION['attemps'] = $_SESSION['attemps'] - 1;
   		header("location:login.php?error=1");
		die();
        }    

    }

Confirm session id is in db, return the ip that is on the same row as the sessid.

Check the session exists and the sessid is the same as the current one, if not redirect..

    if($ip != $login['ip'] && $_SESSION['admin'] != "admin"){ 
        echo "Logged Out";
        }else{
		echo "Logged In";
		}

If i empty the db it still shows as signed on even after a refresh??

benracer

Sorted, i needed to use or instead of and...

oh well an hour wasted ! LOL :p

NogDog

How are the two things (the IP and the "admin" setting) related to each other? must both pairs of values match to be considered logged in? If so, then try:

if($ip != $login['ip'] || $_SESSION['admin'] != 'admin')
{
   // not logged in
}
else
{
   // logged in
}

benracer

Thanks any way, that would have done it. Cheers (Y)