So after debugging my session array while logging into my website, I find that when posting a form, all session data is lost. The session data is wiped when the updateDetails and changePassword methods are called. Why is this?
session_start() is called before any data processing
Upon a POST request, session data is set and unset (but not the entire $_SESSION variable)
I use the following code to check for POST requests:
if($_SERVER['REQUEST_METHOD'] == 'POST') {
}
It only happens once: Once the session has been lost, the methods can be called without the issue occuring any further (until they lose the session through expiration or closing their browser).
index.php (part)
session_start();
$page = $_GET['p'];
$query = $_GET['q'];
$req = $_GET['req'];
$user = new User();
switch($page) {
case 'account':
if($req=="logout") {
if($user->isLoggedIn())
$user->logout();
header("Location: /?p=account");
exit();
}
else if($req=="signup") {
if($user->isLoggedIn()) {
header("Location: /?p=account");
exit();
}
else {
if($_SERVER['REQUEST_METHOD'] == 'POST') {
$form_data = array('username' => $_POST['username'],
'password' => $_POST['password'],
'password_repeat' => $_POST['password_repeat'],
'title' => $_POST['title'],
'first_name' => $_POST['first_name'],
'surname' => $_POST['surname'],
'dob_day' => $_POST['dob_day'],
'dob_month' => $_POST['dob_month'],
'dob_year' => $_POST['dob_year'],
'gender' => $_POST['gender'],
'email' => strtolower($_POST['email']),
'email_repeat' => strtolower($_POST['email_repeat']));
if($user->signup($form_data)) {
header("Location: /?p=account");
exit();
}
}
}
}
else {
if($user->isLoggedIn()==true) {
if($_SERVER['REQUEST_METHOD'] == 'POST') {
if($req=='editdetails') {
$form_data = array(
'title' => $_POST['title'],
'first_name' => $_POST['first_name'],
'surname' => $_POST['surname'],
'gender' => $_POST['gender'],
'phone' => $_POST['phone'],
'email' => strtolower($_POST['email']),
'password' => $_POST['password']
);
if($user->updateDetails($form_data)) {
header("Location: /?p=account");
exit();
}
}
else if($req=='changepassword') {
$form_data = array(
'old_password' => $_POST['old_password'],
'password' => $_POST['password'],
'password_repeat' => $_POST['password_repeat'],
);
if($user->changePassword($form_data)) {
header("Location: /?p=account");
exit();
}
}
}
$user->retrieveUserDetails();
$details=$user->getUserDetails();
}
else {
if($req) {
header("Location: /?p=account");
exit();
}
else if($_SERVER['REQUEST_METHOD'] == 'POST') {
$form_data = array('username' => $_POST['username'], 'password' => $_POST['password']);
if($user->login($form_data)) {
$user->retrieveUserDetails();
$details=$user->getUserDetails();
}
}
}
}
break;
}
user.php (part)
class User {
private $auth;
private $details;
private $session_alert;
function User() {
if(isset($_SESSION['alert']))
$this->session_alert = $_SESSION['alert'];
$this->auth = isset($_SESSION['auth']) ? $_SESSION['auth'] : null;
if(isset($this->auth)) {
$database= new Database;
if($database->checkUserSession($this->auth['user_id'],session_id())) {
$this->logged_in=true;
}
else {
$this->addSessionAlert('global','Your login session has possibly timed out, you may login again by clicking here.',true);
unset($_SESSION['auth']);
}
}
}
function login($data) {
$return = false;
$this->form = new Form($data,0);
if(!$this->form->getError()) {
$database= new Database;
$error_msg = "The username/password entered was invalid. Please check to see if they are correct and try again, or use the relevant links to recover your account.";
$salt = $database->getSaltByUsername($data['username']);
if($salt) {
$hash = $this->hashpwd($data['password'],$salt);
// Do login
$this->auth = array();
$this->auth['user_id'] = $database->checkUserByHash($data['username'],$hash);
if($this->auth['user_id']) {
session_regenerate_id();
if($database->doLogin($this->auth['user_id'],session_id())) {
$details=$database->getUserDetailsById($this->auth['user_id']);
$this->auth['first_name'] = $details['first_name'];
$_SESSION['auth']=$this->auth;
$this->logged_in=true;
$return = true;
}
else
$this->form->pushError('Something went wrong, please try again.');
}
else
$this->form->pushError($error_msg);
}
else
$this->form->pushError($error_msg);
}
return $return;
}
function logout() {
$return = false;
if(isset($this->auth)) {
$database= new Database;
if($database->clearUserSession($this->auth['user_id'],session_id())) {
unset($_SESSION['auth']);
$this->logged_in=false;
session_regenerate_id();
$return = true;
}
}
return $return;
}
function signup($data) {
$return = false;
$this->form = new Form($data,1);
if(!$this->form->getError()) {
$database= new Database;
if($database->checkUserByUsername($data['username']))
$this->form->pushError("The username entered already exists, please try again.");
else if($database->checkUserByEmail($data['email']))
$this->form->pushError("The e-mail address entered is already in use, please try again.");
else {
$dbarray = $data;
unset($dbarray['password'],$dbarray['password_repeat'],$dbarray['dob_month'],$dbarray['dob_day'],$dbarray['dob_year']);
$dbarray['dob']=date("Y-m-d", mktime(0,0,0,$data['dob_month'], $data['dob_day'], $data['dob_year']));
$dbarray['salt']=strtoupper(md5(mt_rand()));
$dbarray['hash'] = $this->hashpwd($data['password'],$dbarray['salt']);
// Do signup
$this->auth = array();
$this->auth['user_id'] = $database->newUser($dbarray);
if($this->auth['user_id']) {
session_regenerate_id();
if($database->doLogin($this->auth['user_id'],session_id())) {
$details=$database->getUserDetailsById($this->auth['user_id']);
$this->auth['first_name'] = $details['first_name'];
$_SESSION['auth']=$this->auth;
$this->logged_in=true;
}
$return=true;
}
else {
$this->form->pushError("Something went wrong, please try again.");
}
}
}
return $return;
}
function updateDetails($data) {
$return = false;
$this->form = new Form($data,2);
if(!$this->form->getError()) {
$database= new Database;
if( $database->checkUserByEmailNotById($data['email'],$this->auth['user_id']) ) {
$this->form->pushError("The e-mail address entered is already in use, please try again.");
}
else {
$salt = $database->getSaltById($this->auth['user_id']);
if($salt) {
$hash = $this->hashpwd($data['password'],$salt);
if($database->checkUserIdByHash($this->auth['user_id'],$hash)) {
$database->updateUserById($this->auth['user_id'],$data);
$return = true;
}
else
$this->form->pushError("The password entered was incorrect, please try again.");
}
}
}
return $return;
}
function changePassword($data) {
$return = false;
$this->form = new Form($data,3);
if(!$this->form->getError()) {
$database= new Database;
$salt = $database->getSaltById($this->auth['user_id']);
if($salt) {
$hash = $this->hashpwd($data['old_password'],$salt);
if($database->checkUserIdByHash($this->auth['user_id'],$hash)) {
$salt=strtoupper(md5(mt_rand()));
$hash = $this->hashpwd($data['password'],$salt);
if($database->updateSaltHashById($this->auth['user_id'],$salt,$hash)) $this->addSessionAlert('yourdetails','Your password has been changed successfully.',false);
$return = true;
}
else
$this->form->pushError("The old password entered was incorrect, please try again.");
}
}
return $return;
}
function isLoggedIn() {
return $this->logged_in;
}
function getUserDetails() {
return $this->details;
}
}
Starting a session inside a class's contructor method, just does not sound nice.
Use session_start(); at the top of the index.php page instead.
in each page where you want to use sessions you must call session_start ();
See here:
http://codex.wordpress.org/Function_Reference/wp_update_user
Note: If current user's password is being updated, then the cookies
will be cleared!
Now, why WordPress will do this is not clear, but it is clearly stated that cookies, and therefore sessions, will be removed on setting a password through wp_update_user().
Some people have found that applying an exit(); immediately after a redirect when setting the password, will prevent the cookies from being lost.
Related
This is more like a debugging problem than an actual question. I have a login script in PHP which should check for user information from a local database and if present, then display them. Or else, redirect them to the Google OAuth2 Login process. The following php files concern the login flow :
google_login.php
<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
require('http.php');
require('oauth_client.php');
require('../config.php');
require('StructuredQuery.php');
define("SCOPE", 'https://www.googleapis.com/auth/userinfo.email '.
'https://www.googleapis.com/auth/userinfo.profile' );
$client = new oauth_client_class;
$sq= new StructuredQuery();
// set the offline access only if you need to call an API
// when the user is not present and the token may expire
$client->offline = FALSE;
$client->debug = false;
$client->debug_http = true;
$client->redirect_uri = GOOGLE_REDIRECT_URL;
$client->client_id = GOOGLE_CLIENT_ID;
$application_line = __LINE__;
$client->client_secret = GOOGLE_CLIENT_SECRET;
if (strlen($client->client_id) == 0 || strlen($client->client_secret) == 0)
die('Please go to Google APIs console page ' .
'http://code.google.com/apis/console in the API access tab, ' .
'create a new client ID, and in the line ' . $application_line .
' set the client_id to Client ID and client_secret with Client Secret. ' .
'The callback URL must be ' . $client->redirect_uri . ' but make sure ' .
'the domain is valid and can be resolved by a public DNS.');
/* API permissions
*/
$client->scope = SCOPE;
if (($success = $client->Initialize())) {
if (($success = $client->Process())) {
if (strlen($client->authorization_error)) {
$client->error = $client->authorization_error;
$success = false;
} elseif (strlen($client->access_token)) {
$success = $client->CallAPI(
'https://www.googleapis.com/oauth2/v1/userinfo', 'GET', array(), array('FailOnAccessError' => true), $user);
}
}
$success = $client->Finalize($success);
}
if ($client->exit)
exit;
if ($success) {
// Now check if user exist with same email ID
try {
$result = $sq->getUserInfo($user->id);
if ($result["count"] > 0) {
// User Exist
$_SESSION["name"] = $result["name"];
$_SESSION["email"] = $result["email"];
$_SESSION["clevel"]=$result["clevel"];
$_SESSION["new_user"] = "no";
} else {
// New user, Insert in database
$result = $sq->putNewUserInfo($user->id,$user->name,$user->email);
if ($result===true) {
$_SESSION["name"] = $user->name;
$_SESSION["email"] = $user->email;
$_SESSION["new_user"] = "yes";
$_SESSION["e_msg"] = "";
}
}
$_SESSION["login_type"]="Google";
} catch (Exception $ex) {
$_SESSION["e_msg"] = $ex->getMessage();
}>
$_SESSION["user_id"] = $user->id;
} else {
$_SESSION["e_msg"] = $client->error;
}
header("Location: ".ROOT_DIR."homepage.php");
exit;
?>
StructuredQuery.php
<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
require_once 'config.php';
class StructuredQuery{
var $opt;
var $pdo;
function __construct(){
$opt = [
PDO::ATTR_PERSISTENT => FALSE,
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false,
];
$this->pdo = new PDO(DB_DRIVER.":host=".DB_SERVER.";dbname=".DB_NAME, DB_SERVER_USERNAME, DB_SERVER_PASSWORD, $opt);
}
// Cross Site Script & Code Injection Sanitization
function xss_cleaner($input_str) {
$return_str = str_replace( array('<',';','|','&','>',"'",'"',')','('), array('<',':','|','&','>',''','"',')','('), $input_str );
$return_str = str_ireplace( '%3Cscript', '', $return_str );
return $return_str;
}
//SQLInjection detect
function sql_injection_detect($input_query){
try{
$blacklist=array('SELECT','WHERE','UPDATE','DELETE','INSERT','FROM','DROP','MERGE','SET','INSERT','REMOVE','REPLACE','QUERY');
$err_level=0;
foreach($blacklist as $blacklist_item){
if(stripos($input_query,$blacklist_item)!==false){
$err_level++; //Counter for number of blacklist words used. 2 means dangerous. Terminate immediately.
if($err_level==2){
die('Was that an IT joke? Cause I am a 12th grader, not an IT Pro.');
}
}
}
return true;
}catch(Exception $e){
echo 'Exception Occured:',$e->getMessage(),"\n";
die('You\'ve been Terminated');
}
}
function getUserInfo($user_id){
$user_id=xss_cleaner($user_id);
if(sql_injection_detect($user_id)){
$query=$pdo->prepare("select statement");
$query->bindParam(":user_id",$user_id,PDO::PARAM_STR);
$query->execute();
$result=$query->fetch();
$result["count"]=$query->rowCount();
return $result;
}
}
function putNewUserInfo($user_id,$name,$email){
$user_id=$this->xss_cleaner($user_id);
$name=xss_cleaner($name);
$email=xss_cleaner($email);
if(sql_injection_detect($user_id) && sql_injection_detect($name) && sql_injection_detect($email)){
$query=$pdo->prepare("insert statement");
$query->bindParam(":user_id",$user_id,PDO::PARAM_STR);
$query->bindParam(":name",$name,PDO::PARAM_STR);
$query->bindParam(":email",$email,PDO::PARAM_STR);
$query->execute();
return true;
}else{
return false;
}
}
function modifyUserInfo($user_id,$name,$email,$clevel){
$user_id=xss_cleaner($user_id);
$name=xss_cleaner($name);
$email=xss_cleaner($email);
$clevel=xss_cleaner($clevel);
if(sql_injection_detect($user_id) && sql_injection_detect($name) && sql_injection_detect($email) && sql_injection_detect($clevel)){
$query=$pdo->prepare("update statement");
$query->bindParam(":user_id",$user_id,PDO::PARAM_STR);
$query->bindParam(":name",$name,PDO::PARAM_STR);
$query->bindParam(":email",$email,PDO::PARAM_STR);
$query->bindParam(":clevel",$clevel,PDO::PARAM_INT);
$query->execute();
return true;
}else{
return false;
}
}
}
Now the issue that bothers me is this- whenever i press Login With Google, it redirects to google_login.php, well and fine. And then, directly to the homepage as if I am already logged in even though I am not. Even weirder is that it displays my e-mail and my username as blank, even though it says that I am an existing user.
P.S. No, the database does not contain any blank entries and it works fine, I double-checked.
this is a controller where i'm creating a session :
public function login(){
if(isset($_POST)){
$res = $this->register_model->loginUser();
if($res['result'] === true){
// declare session variables
$user = $res['info']; // array containing user information
// set session variables
$_SESSION['storeId'] = $user->str_id;
$_SESSION['sName'] = $user->str_nme;
$_SESSION['sId'] = $user->str_identifier;
$_SESSION['hash'] = $user->hash;
$res['info'] = null;
}
} else {
$res = array('result'=>false,'msg'=>'Login failed. Please try again');
}
echo json_encode($res);
}
and this is a controller where i retrieve a session
Try this
public function login(){
if(isset($_POST)){
$res = $this->register_model->loginUser();
if($res['result'] === true){
// declare session variables
$user = $res['info']; // array containing user information
// set session variables
$this->load->library('session');
$newdata = array(
'storeId' => $user->str_id,
'sName' => $user->str_nme,
'sId' => $user->str_identifier,
'hash' => $user->hash,
'info' => null,
'logged_in' => TRUE,
);
$this->session->set_userdata($newdata);
}
} else {
$res = array('result'=>false,'msg'=>'Login failed. Please try again');
}
echo json_encode($res);
}
I'm using php codeigniter for my project. In my login page if username and password is invalid just load the login page, else load the home. if invalid, First time it loads the login page again given the wrong details for login one controller name is added in url like local turns like localhost/project name/administrator/administrator/login_authentication
my code is
function index()
{
if($this->session->userdata('usertype') != '')
{
redirect('administrator/administrator_view');
}
else
{
$this->load->view('login');
}
}
function login_authentication()
{
$username=$this->input->post('username');
$password=$this->input->post('password');
$user = $this->administrator->admin_authentication($username,$password);
if(count($user) == 1)
{
foreach($user as $admin_value)
{
$user_name=$admin_value['UserName'];
$usertype=$admin_value['UserType'];
}
$session_data = array(
'username' => $user_name,
'usertype' => $usertype,
);
$this->session->set_userdata($session_data);
if($usertype == 1)
{
redirect('administrator/administrator_view');
}
}
else
{
$data['Invalid_Login']="Invalid Username and Password";
$this->load->view('login',$data);
}
}
function administrator_view()
{
if($this->session->userdata('usertype') == '')
{
redirect('administrator');
}
else
{
$data['heading'] = '';
$this->load->view('header', $data);
$this->load->view('dashboard', $data);
$this->load->view('footer');
}
}
Admin authentication function
function admin_authentication($username, $password)
{
$this->db->select('*');
$this->db->from('user');
$this->db->where('UserName',$username);
$this->db->where('Password',$password);
$query = $this->db->get();
return $query->result_array();
}
I'm trying more than one time given not correct information for login everytime one controller name added in url. Please help me.
Thanks in advance.
change
$this->session->set_userdata($session_data);
to
$this->session->set_userdata(('some_name', $session_data);
and change
if($this->session->userdata('usertype') == '')
in all area to
$ses = $this->session->userdata('some_name');
if($ses['usertype'] == '')
and try....
first of all check if there is an post request in your function login_authentication() like this:
function login_authentication()
{
if( $this->input->post(null) ){
//your authentication code here
}else{
//load the login view here
}
}
Here is your function:
function login_authentication(){
if( $this->input->post(null) ){ //check if there is an post request
$username=$this->input->post('username');
$password=$this->input->post('password');
$user = $this->administrator->admin_authentication($username,$password);
print_r( $user );die(); //the user array as returned from the model see if its correct or not
if(count($user) == 1)
{
foreach($user as $admin_value)
{
$user_name=$admin_value['UserName'];
$usertype=$admin_value['UserType'];
}
$session_data = array(
'username' => $user_name,
'usertype' => $usertype,
);
print_r( $session_data );die; //see if it builds the correct array or not
//$this->session->set_userdata($session_data);
$this->session->set_userdata('user_info',$session_data); //to read the username use like $this->session->userdata['user_info']['username'];
if($usertype == 1)
{
redirect('administrator/administrator_view');
}
}else{ //invalid credentials load the login view
$this->session->set_flashdata('Invalid_Login', 'Invalid username or password!'); //to echo in view use $this->session->flashdata('Invalid_Login');
redirect('administrator', 'refresh');
}
}else{ //redirect to index function now
redirect('administrator', 'refresh');
}
}
In your function administrator_view(),
function administrator_view(){
if( !$this->session->userdata('user_info') ){
print_r( $this->session->all_userdata() );die('no session set redirecting'); //the session is not set here
redirect('administrator');
}
else{
$data['heading'] = '';
$this->load->view('header', $data);
$this->load->view('dashboard', $data);
$this->load->view('footer');
}
}
I know how to create session in core PHP, and I have understand how to do this in codeigniter, but I am unable to understand how to check, if the session is set or not? I have tried to check this through View but it always give me the meesage Please Login.
Kindly tell me how can I check whether the session is Set or not Set
Controller
if ($user_type=='Student')
{
if ($LoginData= $this->loginmodel->studentLogin($username,$password))
{
foreach($LoginData as $UserId)
{
$currentId= $UserId->StudentId;
}
//[[session]]
$data['students_data']= $this->loginmodel->student_profile($currentId);
$this->session->userdata('$data');
$this->load->view('students',$data);
}
else
{
//$data['message']= array('Invalid Username or Password');
$this->load->view('Login');
echo "Invalid Username or Password";
}
}
elseif ($user_type=="Faculty")
{
if($data['faculty_data']=$this->loginmodel->faculty_admin($username, $password))
{
$this->session->userdata('$data');
$this->load->view('faculty');
}
else
{
$this->load->view('Login');
echo "Invalid Username or Password";
}
}
VIEW
<?php
if (!$this->session->userdata('$data'))
{
echo "Please Login";
}
else
{
}
?>
<!DOCTYPE
Creating Session:
$newdata = array(
'username' => 'johndoe',
'email' => 'johndoe#some-site.com',
'logged_in' => TRUE
);
$this->session->set_userdata($newdata);
or
$this->session->set_userdata('some_name', 'some_value');
But before that ensure that you have the session library included.
$this->load->library('session');
Get Session Data:
if($this->session->userdata('whatever_session_name_is')){
// do something when exist
}else{
// do something when doesn't exist
}
if ($this->session->userdata('variable') !== FALSE) {
echo 'Variable is set';
} else {
echo 'Variable is not set';
}
More info
Demo code
Using has_userdata
if ($this->session->has_userdata('username')) {
return TRUE;
} else {
return FALSE;
}
This question already has answers here:
CI - show database error or fail
(2 answers)
Closed 9 years ago.
I've developed a simple login system which works OK but fails, and I need to know why.
QUESTION: How to show what is causing the fail?
Here's the database function:
function login($email,$password)
{
$this->db->where("email",$email);
$this->db->where("password",$password);
$query=$this->db->get("users");
if($query->num_rows()>0)
{
foreach($query->result() as $rows)
{
//add all data to session
$newdata = array(
'user_id' => $rows->id,
'user_name' => $rows->username,
'user_email' => $rows->email,
'logged_in' => TRUE,
);
}
$this->session->set_userdata($newdata);
return true;
}
return false;
}
And here's the logic:
public function login()
{
$this->load->library('form_validation');
// field name, error message, validation rules
$this->form_validation->set_rules('email', 'Your Email', 'trim|required|valid_email');
$this->form_validation->set_rules('password', 'Password', 'trim|required|min_length[4]|max_length[32]');
if($this->form_validation->run() == FALSE)
{
$this->signin();
}
else
{
$email=$this->input->post('email');
$password=md5($this->input->post('pass'));
$result=$this->user_model->login($email,$password);
if($result)
{
$this->dash();
}
else
{
$data['title']= 'Login Error';
$this->load->view('nav/header', $data);
$this->load->view('login', $data);
$this->load->view('nav/footer', $data);
}
}
}
I know the error is happening as I redirect back to the login page if it fails and change the title text to show me (only in testing mode for right now). But how can I find out what is going wrong?
This is the check database function:
function login($email,$password)
{
$this->db->where("email",$email);
$this->db->where("password",$password);
$query=$this->db->get("users");
if($query->num_rows()>0)
{
foreach($query->result() as $rows)
{
//add all data to session
$newdata = array(
'user_id' => $rows->id,
'user_name' => $rows->username,
'user_email' => $rows->email,
'logged_in' => TRUE,
);
}
$this->session->set_userdata($newdata);
return true;
}
return false;
}
I assume all your php code is fine, then what you need is set custom form-validation-message for each input to know which input went wrong and echo them:
<?php echo validation_errors(); ?>
write below code in your view file
<section id="notification" >
<?php
if(validation_errors() !== '' ) {
echo "<div class='alert-msg error'>";
echo validation_errors();
echo "</div>";
}
$error = $this->session->flashdata('error');
$success = $this->session->flashdata('success');
if($error)
{
echo "<div class='alert-msg error'>";
echo $this->session->flashdata('error');
echo "</div>";
}
if($success)
{
echo "<div class='alert-msg success'>";
echo $this->session->flashdata('success');
echo "</div>";
}
?>
</section>
and set success/error message conditionally in flash data in controller ( see below)
if($result) {
$this->dash();
$this->session->set_flashdata('success', 'Login successfully.');
} else {
$this->session->set_flashdata('error', 'Login failed');
}
Read more Flashdata in CI
For your changed answer:
use below logic in your model
$qry = $this->db->get_where('users', array('username' => $this->_username ));
if ($qry->num_rows() == 1) {
$user = $qry->row_array();
$submitted_pass = md5($this->_password);
$db_pass = $user['password'];
if ($submitted_pass === $db_pass) {
return $user;
} else {
// wrong username/password
$this->session->set_flashdata('error', $this->errorList[10]);
return FALSE;
}
} else {
// no such username exist
$this->session->set_flashdata('error', $this->errorList[15]);
return FALSE;
}