more login craziness - PHP Server Side Scripting forum at WebmasterWorld - WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

more login craziness

Gilead

2:56 pm on Dec 9, 2011 (gmt 0)

10+ Year Member

I had a meeting to show off my project, only it didn't go as planned. For some reason, they couldn't log in. I had tested their account that very day and could login and out with out an issue. When I looked again, I saw that they actually were logged in, but the menu was not showing up. I used session variables to determine the menu. If an admin then show everything, if a superuser, then only show what they have access to. If a normal user, send them back to the login page. The third admin that I added, neither one of us could get in there, even copying the password directly from phpmyadmin.

So I made sure to echo out both the entered password and the database password. In the first 2 admins, it was fine. However the last one I added came up blank on the database password. It is clearly in there. Any ideas how to fix this?

I just sha1 hashed the incoming password, which is supposed to work, it has in the past, this time running the check, the database password is blank.

Thanks!

PS. For some reason, I had to clear my cache before I could log in on several occasions. Any thoughts on that?

Me with egg on my face... :-(

eelixduppy

5:34 pm on Dec 9, 2011 (gmt 0)

>> they couldn't log in
What was the behavior? Were they sent to the ban page? did it say they didn't have the correct credentials? Did closing the browser and re-opening it solve the issue?

>> blank on the database password
Clearly there is an error someplace in your logic. Did you view source to make sure it wasn't hidden in the browser?

londrum

6:29 pm on Dec 9, 2011 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

When I looked again, I saw that they actually were logged in, but the menu was not showing up.

that sounds to me like the page output was cached from a previous try (which didn't include the menu), and your browser is just serving up the old copy.

have you got any nocache headers on it?

one of the funny things about using sessions is that if the user doesnt accept cookies, then php will append a query string onto the end of the url instead. if someone logs in with one of those, then that will basically be a brand new url, so the browser wont be able to serve up an old copy.

but if they are accepting cookies, then the url will most likely be the same, so unless you've got nocache headers on there the browser could serve up an old copy (minus the menu).

that might explain why it worked alright when you tested it, but not when your pal did

Gilead

7:36 pm on Dec 9, 2011 (gmt 0)

10+ Year Member

The behavior was to drop back to the login screen.

Here is the code for the login process:

See if I missed something.
session_start();

include('config.php');
$user_table=(USER);
$admin_table=(ADMIN);

// username and password sent from form
$myusername=mysql_real_escape_string($_POST['username']);
$mypassword=mysql_real_escape_string($_POST['password']);

// first you would want to know if they attempted 10 times
if(isset($_SESSION['attempts']) && $_SESSION['attempts'] >= 10) {
header("Location:banned.html");
exit;
}
else {
$sql="SELECT attempts FROM $admin_table WHERE username='$myusername'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
//if found how many attempts do they have?
if ($count==1){
$row = mysql_fetch_array($result);
$attempts=$row['attempts'];
// if they have more than 9 send them to the banned page
if ($attempts>=10){
header("location:banned.html");
exit;
}
}
}
$q= "SELECT * FROM $admin_table WHERE username='$myusername' and password='$mypassword'";
$result= mysql_query($q)or die("Cannot find your login credentials " . mysql_error());
//$row = mysql_fetch_assoc($result);
//$dbpassword=$row['password'];
//echo 'entered password ';
//echo $mypassword;
//echo '<br />';
//echo 'database password';
//echo $dbpassword;
// If result matched $myusername and $mypassword, table row must be 1 row
if(mysql_num_rows($result) == 1) {
$row = mysql_fetch_assoc($result);
$_SESSION['username'] = $row['username'];
$_SESSION['useraccess'] = $row['access_level'];
$useraccess=$row['access_level'];
$q = "UPDATE $admin_table SET attempts = 0 WHERE username = '$myusername'";
$delattempts= mysql_query($q)or die(mysql_error());
// Log date and time
$sql = "UPDATE $admin_table SET last_login = '". date("Y-m-d h:i:s"). "' WHERE username = '$myusername'";
$logdate = mysql_query($sql) or die(mysql_error());
// Send to Admin index page
header("Location: http://example.com/testing/members/main/admin/index.php?$useraccess");
exit;
}

else {
$addattempt="UPDATE $admin_table SET attempts = attempts +1 WHERE username= '$myusername' ";
mysql_query($addattempt);
//send them back to the login page
header("location:index.php");
}

// If they are not found in the Admin table check the Member table
$sql="SELECT * FROM $user_table WHERE member_login='$myusername' and member_password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
if(mysql_num_rows($result) == 1) {
$row = mysql_fetch_assoc($result);
// Register $myusername, $mypassword and redirect
$_SESSION['login']= $row['member_login'];
$_SESSION['id']= $row['contactid'];
$_SESSION['useraccess']= 'User';

header("location:http://example.com/testing/members/main/index.php");
exit;
}
else {
$_SESSION['attempts']=$_SESSION['attempts']+1;
header("location:index.php");
exit;
}

I have a no cache in the admin page:
//prevents caching
header("Expires: Fri, 01 Jan 1988 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();

Was thinking about passing the access in the url, but if it does that automatically, then...

I will add a no cache to the login process just to be safe.

[edited by: eelixduppy at 10:01 pm (utc) on Dec 9, 2011]
[edit reason] example.com [/edit]