Any ideas please?

It does sound like a session cookie problem (i.e. the browser is no accepting it). Bear in mind that security programs (e.g. Norton) can also block cookies.

I don't know if it's a cookie problem, but it really doesn't make sense. It looks like Smithy's using sessions - and the thing with sessions is that it's data is stored solely on the server so the client browser settings will have no affect. In fact browsers don't even have session settings. Smithy - You need to be able to replicate this problem somehow and see it first hand. Can you provide some details on how some of the users "are not being able to log in?"

Yeah I completely agree. I would love to be able to replicate the problem myself, but for the life of me I can't. Having said this, I am confident that there is a problem somewhere as sufficient users contact me about it.

Essentially they all say that after logging they are unable to view the "member only" pages, and are asked to login again. Going on what d40sithui has said, leads me to wonder whether the problem might be in the "checking user is logged in" code. Here is a summary of the function that does just that;

//Select the password for this user from the db
$sql = "SELECT pswd FROM user WHERE user_id = '$user_id' AND email = '$email'";
$result = mysql_query($sql);

//only proceed if there is just one such result
if (mysql_num_rows($result) == 1){

$res = mysql_fetch_row($result);

if ($_SESSION['password'] == md5(strtolower($res[0]))){
return true;
}
else{
//return false;
}
}
else{
//return false;
}

Everything looks okay although there are some minor things here that could be improved. Could we see the login script as well? For some reason I'm looking at the

if ($_SESSION['password'] == md5(strtolower($res[0]))){

to be a bit suspicious

Hi again, yes here is the login script all its complete glory:

//posts to local vars
$email=$_POST['email'];
$pswd=$_POST['pswd'];
$mess=$_GET['message'];

//check for just 1 of 2 entries .. give seperate error
if(($email && !$pswd) ¦¦ (!$email && $pswd)){
header("Location: ../login/login.php?error=2");
die('');
}

//if both email and password present
if($email && $pswd) {

//connect
connect();

$email = strtolower($email);
$pswd = strtolower($pswd);

//select the uid for the entry that corresponds to the username and password entered
$sql = "SELECT user_id, name FROM user WHERE email ='$email' AND pswd = '$pswd'";
$result = mysql_query($sql);

//if there is such entry then...
if(mysql_num_rows($result)){

$res = mysql_fetch_row($result);

//set the session variables
$_SESSION['contact_name'] = $res[1];//set contact name
$_SESSION['user_id'] = $res[0]; //set user id
$_SESSION['email'] = $email; //set email
$_SESSION['pswd'] = md5($pswd); //set encrypted password

.....

}

While your logic does make sense, I see one potential error and several suggestions.
1) You used the key "pswd" to store the password after successful login, but it your CHECK IF USER IS LOGGED IN script, you use $_SESSION['password'] as oppose to $_SESSION['pswd'] to compare to the key in the database.

2)The way you check is user is logged in is kind of impractical. It is legit, but the majority of systems usually only check for the user id in the session(not the password). If it's present, the user is logged in and you've already checked the validity of the user using the login form. Furthermore, you shouldn't store passwords in the session because it just provides another way for someone to get it.

3) One minor thing is you should always use clean your data before actually making any transactions in the database. At the very least, use mysql_real_escape_string() to all data before comparing to ones in the database. This will help prevent any SQL Injection attempts.

4) All the passwords that are stored in your database should be encrypted - just in case someone gains access to the database, they still wont be able to see the actual password. It looks here as though only the password that you store in the session is encrypted.

Thanks d40, I really appreciate you taking the time to look at the script.

Sure no problem. I like to try and help people out since people have helped me a lot in the past. Usually with problems like this, it's a little thing that got overlooked when you changed something without realizing the full effect. As long as you maintain your data and variable integrity and make sure you start each page with session_start(), you'll be golden. If you have any other info that you think is useful to help fix this, feel free to post and someone will respond to you.

Hey, Smithydude, what type of internet connection are they on? I know that I have problems keeping sessions intact when I'm on my iPhone because it sometimes switches towers. Depending on their internet connection, they may be getting bounced between different connection parameters--especially if they're on dial-up or AOL. I'm not sure this is the issue, or how to solve it, I just know that it's a problem for me.