Cookie + ISS 4

Anon

I have written a script for login with cookie My script works fine for apache server, but I transfered my script to ISS server and my script does not work fine. setcookie is not work. Is it bug.

My script

if ($HTTP_POST_VARS[username] AND $HTTP_POST_VARS[password])
{
$username = $HTTP_POST_VARS[username];
$password = $HTTP_POST_VARS[password];

    /* Checks if user and pass exists in database */
    $strSQL = "SELECT id,username,level FROM $GLOBALS[cfgtablename] WHERE username='$username' AND password='$password'";
    $result = query($strSQL);

echo 'result-------> '.$result;

check_query($result);

    if (!mysql_num_rows($result)) // Wrong username or password
    {
            header("Location: ".$GLOBALS[cfgbaseurl]."error.php?id=2");
            exit;
    }

    $row = mysql_fetch_array($result);

    /* Create a new session id */
    $sesid = md5(microtime());
    setcookie("sesid",$sesid,0,"/");
    $lastaccess = time();
    $strSQL = "UPDATE $GLOBALS[cfgtablename] SET sesid='$sesid',lastaccess=$lastaccess WHERE id=$row[id]";
    $result = query($strSQL);
    check_query($result);

    /* Create a new session cookie */

print " sesid = ".$sesid;

$sesid = $HTTP_COOKIE_VARS[sesid];

print " sesid = ".$sesid;

$GLOBALS[username] = $row[username];
$GLOBALS[level] = $row[level];

print "http= ".$HTTP_COOKIE_VARS[sesid];

include "$cfgpath"."welcome.php";

header("Location: ../dcmenu.php");
exit;
}
elseif ($HTTP_POST_VARS[username] OR $HTTP_POST_VARS[password])
{
header("Location: ".$GLOBALS[cfgbaseurl]."error.php?id=6");
exit;
}
elseif ($HTTP_COOKIE_VARS[sesid])
{

print "Burdayim....";

$sesid = $HTTP_COOKIE_VARS[sesid];

    /* Checks if sesid exists and max idle time isnt expired and level > 0 */
    $strSQL = "SELECT id,sesid,username,lastaccess,level FROM $GLOBALS[cfgtablename] WHERE sesid='$sesid'";

print $strSQL ;

$result = query($strSQL);
check_query($result);

    if (!mysql_num_rows($result)) // sesid doesnt exist in database
    {
            header("Location: ".$GLOBALS[cfgbaseurl]."error.php?id=3");
            exit;
    }

    $row = mysql_fetch_array($result);

    if ($row[lastaccess]+$GLOBALS[cfgidletime]*60 < time()) // max idle time reached
    {
            header("Location: ".$GLOBALS[cfgbaseurl]."error.php?id=4");
            exit;
    }
    elseif ($row[level] <= 0) // User doesnt have privileges
    {
            header("Location: ".$GLOBALS[cfgbaseurl]."error.php?id=5");
            exit;
    }
    else
    {
            $lastaccess = time();
            $strSQL = "UPDATE $GLOBALS[cfgtablename] SET lastaccess=$lastaccess WHERE id='$row[id]'";
            $result = query($strSQL);
            check_query($result);

            $GLOBALS[id] = $row[id];
            $GLOBALS[username] = $row[username];
            $GLOBALS[level] = $row[level];
    }

}
else
{
header("Location: ".$GLOBALS[cfgbaseurl]."error.php?id=10");
exit;
}

Anon

No it's not a bug in PHP, it's a bug in IIS 4-5.

The reason fir this bug to happen is that IIS some how dosn't save the cookie when you have a header location function on the same page.
I actually had the same bug yesterday.

What you need to do is do all the things you normally would do, like redirects when the login is worn etc.
But after a successfull login, you would normally do a header location, but instead you should do a include("filename.php").

Then the cookie will be written, and you will show the correct page.

Afterwards when people click on links the cookie will still be sved and everythingwill be fine 🙂

Michael

Anon

Or instead of header(); use:
<meta http-equiv=\"Refresh\" content=\"0;url=./nextpage.php\">