
Cookies and sessions not working...

Posted: Thu Nov 09, 2006 11:27 am
by munkifisht
feyd | Please use [code] tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


There seems to be some problem with this script. When I log in the first time, the authuser variable gets set to true. But then when I return to the page, the cookies and sessions are dead and the wrong elements are displayed. I think that the sessions and cookies are not getting set properly.

I am using XAMPP.

<?php
	//Open Active Sessions
	session_start();
	ob_start();
	//set authuser to false, reset to true if all conditions are satisfied
	$authuser = false;
	//
	/*
	if the $authuser is false then the form will be used.
	If the form is filled in and submitted then set the variables and 
	check the stuff
	*/
	//
	// Check for the login form and set variables to values for login
	$login = STRTOUPPER($_POST["txt_name"]);
	$loginlen = strlen($login);
	$password = $_POST["txt_password"];
	//
	// set password error to true to be reset to false if all conditions are satisfied
	$password_error = true;
	//		
	//check for stay logged in box, if ticked use cookies not sessions
	if ( $_POST["bake_cookie"] == STRTOUPPER("BAKE_AT_100") )
	{
		$bake_cookie = true;
	}
	else
	{
		$bake_cookie = false;
	}
	//check the user name for length and that it exists
	if ($loginlen > 0)
	{
		$query = "
		SELECT
		`users`.`password`,
		`users`.`authcode`
		FROM
		`users`
		WHERE
		ucase(`users`.`login`) =  '$login'
		";
		$openquery = mysql_query($query, $connection) or die("error opening user database 1");	
		if (mysql_num_rows($openquery) > 0)
		{
			// the name exists, set variables to db password
			$password_check = mysql_result($openquery, 0, "password");
			// check if entered password is equal to the stored password
			if (!strcmp($password_check, $password))
			{
				//if true set password_error to false, allowing login
				$password_error = FALSE;
			}
			//if the password error has been set to false, then the user should be able to login.
			if ($password_error == FALSE)
			{
				//create cookies to allow login if requested
				if ($bake_cookie == true)
				{ 
					setcookie("cookieon", TRUE, 0);
					setcookie("user", $login, 0);
					// also set variables for later checks
					$cookieon_check = true;
					$login_check = $login;
					$authuser = true;
					echo "cookie";
				}
				//if bake_cookie is not on then create sessions for login
				//this should be more secure
				else
				{
					$_SESSION["sessionon"] = TRUE;
					$_SESSION["user"] = $login;
				}
			}
		}
	}

	//check for session start
	if ($_SESSION["sessionon"] == TRUE)
	{
		$sessionon_check = true;
		$login_check = $_SESSION["user"];
		$authuser = true;
	}
	//check for cookie start
	if ($_COOKIE["cookieon"] == TRUE)
	{
		$cookieon_check = true;                
		$login_check = $_COOKIE["user"];
		$authuser = true;
	}

	//check for logout 
	if ($_POST["Logout"] == "Logout")
	{
		session_destroy();
		$_SESSION["sessionon"] = FALSE;           
		setcookie ("user", "", time() - 3600);
		setcookie ("cookieon", "", time() - 3600);
		$sessionon_check = false;
		$cookieon_check = false;               
		$login_check = "";
		$authuser = false;		
	}
	
	//enter forms, either login, or logout
	if ($authuser == true)
	{
		echo '
			<form action="'.$SERVER[PHP_SELF].'" method="post">
				<font face="Arial, Helvetica, sans-serif" size="1">
					<input type="submit" name="Logout" value="Logout" />
				</font>
			</form>';
	}
	else
	{
		include("login_form.php");
	}

?>


Posted: Sun Nov 19, 2006 11:17 am
by Maugrim_The_Reaper
I don't have a solution - just noting XAMPP with PHP 5.1.6 seems to be having problems on my Windows setup storing sessions. No session cookie is being set no matter what I try (php.ini has all the session.cookie values entered correctly).

Suggest you try a manual PHP install or another WAMP package...

Posted: Sun Nov 19, 2006 11:31 am
by Maugrim_The_Reaper
Fixed my issue - disabled ZoneAlarm (annoying Firewall that it is...).

How I wish I had my Linux box...

Re: Cookies and sessions not working...

Posted: Sun Nov 19, 2006 12:45 pm
by timvw
Since this is the security forum...
munkifisht wrote:

<?php
	$login = STRTOUPPER($_POST["txt_name"]);
	$password = $_POST["txt_password"];
$query = " SELECT `users`.`password`, `users`.`authcode` FROM `users` WHERE ucase(`users`.`login`) =  '$login'";
You have not prepared the user input for use in a mysql context... Do some research and notice that your script as it is now is vulnerable to sql injection attacks.

<form action="'.$SERVER[PHP_SELF].'" method="post">
Once again, you have not validated user input... Do some research and discover that using $_SERVER['PHP_SELF'] makes your page vulnerable to html injection attacks... easy solution: use action='#' instead.
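A hardened rewrite of the login block, added here as an example and not code from munkifisht's post or a fix anyone in the thread posted: it binds the login as a placeholder instead of interpolating it into the query, escapes PHP_SELF before echoing it into the form action, and keeps login state only in the server-side session rather than in the client-supplied cookieon/user cookies that the original script trusts. It assumes a PDO handle $pdo and password_hash() values in users.password (PHP 5.5 or later); neither assumption comes from the original script.

```php
<?php
// Added example, not munkifisht's script. Assumes $pdo (PDO connection) and
// that `users`.`password` stores password_hash() output; both are assumptions.
session_start();

// Login state lives only in the server-side session; a $_COOKIE value can be
// set by the client, so it is never used to decide $authuser.
$authuser = !empty($_SESSION['user']);

if (!$authuser && isset($_POST['txt_name'], $_POST['txt_password'])) {
    $login = strtoupper($_POST['txt_name']);

    // Placeholder binding keeps the submitted login out of the SQL text, so
    // the database treats it as data regardless of what characters it holds.
    $stmt = $pdo->prepare(
        'SELECT `password` FROM `users` WHERE UPPER(`login`) = :login'
    );
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() does a constant-time hash comparison; an unknown
    // login (no row) falls through to the same failure path.
    if ($row !== false && password_verify($_POST['txt_password'], $row['password'])) {
        session_regenerate_id(true);   // fresh session id once authenticated
        $_SESSION['user'] = $login;
        $authuser = true;
    }
}

if (isset($_POST['Logout'])) {
    $_SESSION = [];
    session_destroy();
    $authuser = false;
}

// htmlspecialchars() encodes any markup in the request path before it is
// written into the action attribute, the injection point timvw points to.
$action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

if ($authuser) {
    echo '<form action="' . $action . '" method="post">'
       . '<input type="submit" name="Logout" value="Logout" /></form>';
} else {
    include 'login_form.php';
}
```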