I will post my code and results:
This first one is the file I am accessing directly. Username and password are supplied to it via URL (that's not how I plan to do it in the end, it's just for testing purposes).
Code: Select all
<?php
foreach (glob("core/*.php") as $filename)
{
    require_once($filename);
}
$conn = dbconn::connect();
$nick = $_GET['nick'];
$pass = $_GET['pass'];
if (!$nick)
{
    $message = 'you must specify a nick!';
    die($message);
}
if (!$pass)
{
    $message = 'you must specify a password!';
    die($message);
}
auth::login($nick, $pass);
echo "session id:".$_SESSION['id'];
echo "status: ";
if(auth::login_check())
{
    echo "You are logged in\n";
} else {
    echo "You are not logged in\n";
}
?>
Code: Select all
auth::login($nick, $pass);
This is my login function. What it does is check that the username and password match those in the database; I won't show that function as it just returns a boolean and it works. If the information is good, then the user's nick, the session id, the time of login and the user's IP are inserted into the database; this information is used to compare against later to make sure a user is logged in. At this stage a session is also created using the shown function. The session id is echoed just for testing purposes; it echoes the $_SESSION['id'] just fine and returns it, which is then put into the database just fine.
Code: Select all
    public static function login($nick, $pass)
    {
        $nick = mysql_real_escape_string($nick);
        $pass = mysql_real_escape_string($pass);
        //get users IP
        if($_SERVER['HTTP_X_FORWARD_FOR'])
        {
            $ip = $_SERVER['HTTP_X_FORWARD_FOR'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        //prune old users
        $query = "DELETE FROM logged_in WHERE ltime < UNIX_TIMESTAMP()-(15*60)";
        $result = mysql_query($query);
        //compare the supplied username and password against those in the database
        if (auth::comparePass($nick, $pass))
        {
            //if the comparison is good then they are ok to log in, their info gets stored in the database
            $info = array(
                'nick'  => $nick,
                'ltime' => time(),
                'ip'    => $ip,
                //create the session for the user and store the sid in the database
                'sid'   => auth::login_session($nick));
            if(dbconn::insert($info, 'logged_in'))
            {
                //return true once the session information is stored in the database
                return true;
            }
            else
            {
                dbconn::update($info, 'logged_in', "nick='".$nick."'");
                return true;
            }
        }
        //our passwords did not match, we return false.
        return false;
    }

    /**
     * creates the session for the user
     * @param $nick nickname to create session for.
     * @return session id
     */
    public static function login_session($nick)
    {
        if(!isset($_SESSION['id']))
        {
            session_start();
            $_SESSION['id'] = session_id();
        }
        $_SESSION['nick'] = $nick;
        $_SESSION['loggedin'] = 1;
        echo "session id:".$_SESSION['id'];
        return $_SESSION['id'];
    }
At this stage the user is logged in. Returning now to my first code, which is the file that I am accessing, it runs the function login_check immediately after performing the login.
The code for that function is as follows:
Code: Select all
    /**
     * checks if a user is logged in and valid.
     * this is accomplished by:
     * 1) pruning out of date users
     * 2) checking users session is set and logged in
     * 3) getting users nick from the session variables
     * 4) getting users ip
     * 5) selecting the sessions in the database for that nick
     * 6) comparing the ip and session id (sid) to make sure they match
     *    what is in the database
     * 7) if they don't match then the session in the database is removed
     *
     * @return boolean if user is logged in ok
     */
    public static function login_check()
    {
        $query = "DELETE FROM logged_in WHERE ltime < UNIX_TIMESTAMP()-(15*60)";
        $result = mysql_query($query);
        if(isset($_SESSION['id']) && $_SESSION['loggedin'] == 1)
        {
            $nick = mysql_real_escape_string($_SESSION['nick']);
            if($_SERVER['HTTP_X_FORWARD_FOR'])
            {
                $ip = $_SERVER['HTTP_X_FORWARD_FOR'];
            } else {
                $ip = $_SERVER['REMOTE_ADDR'];
            }
            $query = "SELECT * FROM logged_in WHERE nick='".$nick."'";
            $results = dbconn::dbQuery($query);
            foreach($results as $result)
            {
                if($result['ip'] == $ip && $_SESSION['id'] == $result['sid'])
                {
                    return true;
                } else {
                    $query = "DELETE FROM logged_in WHERE nick='".$nick."' and ip='".$result['ip']."'";
                    mysql_query($query);
                }
            }
        }
        else {
            echo "session id not set\n";
        }
        return false;
    }
}
So that's my problem in a nutshell: $_SESSION information is lost between one page and the other. My login script is forced to run every page and create the session, but it is my understanding that the $_SESSION should remain active between pages.
Any tips or pointers?
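
An added example, not part of the original post or the poster's code base: the same login and check flow with the session opened on every request before `$_SESSION` is read, a fresh session id issued at login, and parameterized queries. The `logged_in` columns follow the post; the PDO handle, the `users` table with its `pass_hash` column, the `start_session()` helper and the demo user are assumptions.

```php
<?php
// Added example, not the poster's code; names not in the post are assumptions.
function start_session(): void
{
    // Must run on every request before $_SESSION is read; until it does,
    // $_SESSION is empty even if the browser sent a valid session cookie.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
}

function login(PDO $db, string $nick, string $pass, string $ip): bool
{
    $st = $db->prepare('SELECT pass_hash FROM users WHERE nick = ?');
    $st->execute([$nick]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify($pass, $hash)) {
        return false;
    }
    start_session();
    session_regenerate_id(true); // fresh id at login defeats session fixation
    $_SESSION['nick'] = $nick;
    $_SESSION['loggedin'] = 1;
    $db->prepare('DELETE FROM logged_in WHERE nick = ?')->execute([$nick]);
    $db->prepare('INSERT INTO logged_in (nick, ltime, ip, sid) VALUES (?, ?, ?, ?)')
       ->execute([$nick, time(), $ip, session_id()]);
    return true;
}

function login_check(PDO $db, string $ip): bool
{
    start_session();
    if (($_SESSION['loggedin'] ?? 0) !== 1) {
        return false;
    }
    $st = $db->prepare('SELECT 1 FROM logged_in
                        WHERE nick = ? AND sid = ? AND ip = ? AND ltime >= ?');
    $st->execute([$_SESSION['nick'], session_id(), $ip, time() - 15 * 60]);
    return $st->fetchColumn() !== false;
}

// Constructed demo: in-memory SQLite with one made-up user.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (nick TEXT PRIMARY KEY, pass_hash TEXT)');
$db->exec('CREATE TABLE logged_in (nick TEXT, ltime INTEGER, ip TEXT, sid TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);
$ip = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1'; // socket address, not a client-sent header
var_dump(login($db, 'alice', 's3cret', $ip), login_check($db, $ip));
```

In a web request, `login_check()` works on later pages because `start_session()` resumes the session from the cookie before `$_SESSION` is touched.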