Absolutely, User.User is defined as INT PRIMARY KEY AUTO_INCREMENT. I've adjusted line 14 to be more explicit:
Code:
$_SESSION["msg"] = "<p>You've been signed in as \"$res\". Welcome back!</p>\n";
It produces the expected result (right now anyway).
I've replaced all database-related instances of addslashes() with a cleanForSQL() function abstracted in my database layer and implemented in the MySQL DB layer with mysqli_real_escape_string().
I agree regarding the IP check, it's really a desperate measure to try to eliminate this session overlap problem - though if the issue is with signing in rather than sessions, I should be able to safely drop it. I'll leave it in for now, then back it out when the bigger problem goes away. You say "If the IP has changed too much;" is it the case, then, that an AOL user may change, say, the second or third byte but that I should expect the first two to remain unchanged? Or perhaps I should see if the IP falls in a range assigned to AOL, and be more lenient if so?
I've posted these various tweaks, but the problem remains. Just now I pulled up the site, found that I'm not logged in (of course). I signed in, and line 14 above reported "You've been signed in as Jonathan, welcome back". Clicked on a members-only page, got "Hello, Judith...!" I've signed me/her out, signed back in, and got the same result. Adding the browser, IP, and user name to the page footer, temporarily, it reports my correct information but not my correct user name. Even in another browser, where the browser check should sever my session, I still get this Judith user's info immediately after signing in.
That seems to put the problem somewhere in this stretch:
Code:
//SignInVerification.php
$_SESSION["msg"] = "<p>You've been signed in as \"$res\". Welcome back!</p>\n"; // $res is Jonathan
$_SESSION["user"] = $res;
$return = getValue($_SESSION, "bookmark", "Inventory.php");
if ($return == "Main.php") $return = "Inventory.php";
// Verified $_SESSION["user"] is still as it should be here
header("location:$return");
exit;
// On the $return page, in this case Main.php, $_SESSION["user"] is "Judith", or rather a User object representing that user
I can verify $_SESSION["user"] is correct at the beginning of the Main.php page, but by the time it gets to the end it has somehow changed? The only other reference to $_SESSION anywhere else in the page uses another key: $_SESSION["msg"]. Hmm, it's a lead, I'll investigate further this evening. Thanks for your help, this has been and remains a real puzzler! I'm slightly relieved to hear that I haven't made some obvious newbie mistake... though maybe it's too soon to say that.
Jonathan
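
The lenient IP check asked about in the post above, as an added example that is not part of the original post or the poster's code: the session is bound to the client at sign-in and later requests must share the leading bytes of the address and the same browser string. The function names, the session keys `bound_ip` and `bound_agent`, the 64-bit IPv6 prefix, and the sample addresses are all assumptions made for illustration.

```php
<?php
// Added example; every name here is hypothetical, not from the original post.

/**
 * True when both addresses parse, belong to the same family and share a prefix.
 * IPv4: first two bytes must match (the "first two unchanged" rule from the post).
 * IPv6: first eight bytes must match (an assumption of this example).
 */
function sameNetwork(string $stored, string $current): bool
{
    $a = @inet_pton($stored);   // packed binary form, false if unparsable
    $b = @inet_pton($current);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false;           // unparsable, or IPv4 compared with IPv6
    }
    $bytes = strlen($a) === 4 ? 2 : 8;
    return hash_equals(substr($a, 0, $bytes), substr($b, 0, $bytes));
}

/** Record the client the session was issued to; call once at sign-in. */
function bindSession(array &$session, string $ip, string $agent): void
{
    $session["bound_ip"]    = $ip;
    $session["bound_agent"] = hash("sha256", $agent);
}

/** Check a later request against the binding; missing binding fails closed. */
function sessionStillValid(array $session, string $ip, string $agent): bool
{
    if (!isset($session["bound_ip"], $session["bound_agent"])) {
        return false;
    }
    return sameNetwork($session["bound_ip"], $ip)
        && hash_equals($session["bound_agent"], hash("sha256", $agent));
}

// Constructed sample data (documentation address ranges, made-up browser string).
$session = [];
bindSession($session, "198.51.100.23", "ExampleBrowser/1.0");

$requests = [
    ["198.51.100.200", "ExampleBrowser/1.0"], // last byte changed
    ["198.51.7.9",     "ExampleBrowser/1.0"], // third byte changed
    ["203.0.113.5",    "ExampleBrowser/1.0"], // first two bytes changed
    ["198.51.100.23",  "OtherBrowser/2.0"],   // browser string changed
];
foreach ($requests as [$ip, $agent]) {
    printf("%-15s %-20s %s\n", $ip, $agent,
        sessionStillValid($session, $ip, $agent) ? "keep session" : "sign in again");
}
```

When the check fails, destroy the session and send the user back to sign in instead of continuing with the existing data.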