I have a web server with Magento 1.4.0.1 installed. I have another web site that shares credential with it. I've managed to check if the customer is logged in or not (after having changed the cookies location in Magento), but things got complicated when I also tried to figure out if an admin was logged in. I can only get the proper answer for the first session I asked for (either the customer OR the admin, the second one is NEVER logged in).
How can I have both answers?
Here is the code I'm using to test that out:
require_once '../app/Mage.php';
umask(0) ;
Mage::app();
// Checking for customer session
Mage::getSingleton('core/session', array('name'=>'frontend') );
$session=Mage::getSingleton('customer/session', array('name'=>'frontend') );
if ($session->isLoggedIn()) {
echo "Customer is logged in";
} else {
echo "Customer is not logged in";
}
// Checking for admin session
Mage::getSingleton('core/session', array('name'=>'adminhtml') );
$adminsession = Mage::getSingleton('admin/session', array('name'=>'adminhtml'));
if($adminsession->isLoggedIn()) {
echo "Admin Logged in";
} else {
echo "Admin NOT logged in";
}
So with the code like this, the admin is never logged in. If you put the part about the admin first, then the customer is never logged in. It seems like I'm missing a line between the two requests.
This may be the same problem than this unanswered question: Magento how to check if admin is logged in within a module controller
This seems like a popular problem, but I could not find the proper solution...
Thanks for your help!
I've found that "bug-feature" from another angle of view (trying to login customer from adminside), but still found the cause.
The problem is with session_name() function. If you go to Mage_Core_Model_Session_Abstract_Varien you'll see there that the session object is using standart PHP session functions and PHP can't handle two sessions at the same time.
You session id for adminside is stored in cookie adminhtml, while for clientside your session id is in frontend cookie. Then in adminside you have session ID initialized by adminhtml cookie. When in adminside, your customer/session object is stored inside something like $_SESSION['customer'] (haven't checked exact key) inside PHP session for ID stored in adminhtml cookie. This means that customer/session object is refering to different sessions when inside admin and client parts of magento.
What you need to do is switch the session data. You can do this with the following code:
$switchSessionName = 'adminhtml';
$currentSessionId = Mage::getSingleton('core/session')->getSessionId();
$currentSessionName = Mage::getSingleton('core/session')->getSessionName();
if ($currentSessionId && $currentSessionName && isset($_COOKIE[$currentSessionName])) {
$switchSessionId = $_COOKIE[$switchSessionName];
$this->_switchSession($switchSessionName, $switchSessionId);
$whateverData = Mage::getModel('mymodule/session')->getWhateverData();
$this->_switchSession($currentSessionName, $currentSessionId);
}
protected function _switchSession($namespace, $id = null) {
session_write_close();
$GLOBALS['_SESSION'] = null;
$session = Mage::getSingleton('core/session');
if ($id) {
$session->setSessionId($id);
}
$session->start($namespace);
}
Here is what I use..
Mage::getSingleton('core/session', array('name'=>'adminhtml'));
$session = Mage::getSingleton('admin/session');;
if (!$session->getUser())
{
die("You aren't an admin!");
}
It is quite simple but not a recommended solution. I myself spend number of hours to do this.
For, windows based server try below solution:
$sessionFilePath = Mage::getBaseDir('session').DS.'sess_'.$_COOKIE['adminhtml'];
$sessionFile = file_get_contents($sessionFilePath);
$exp_cookie = explode(';',$sessionFile);
if(count($exp_cookie) > 100)
{
return "login";
}
return "expire";
For, Linux based server try below solution:
$sessionFilePath = Mage::getBaseDir('session').DS.'sess_'.$_COOKIE['adminhtml'];
$sessionFile = file_get_contents($sessionFilePath);
$exp_cookie = explode('--',$sessionFile)
if(count($exp_cookie) > 10)
{
return "login";
}
return "expire";
Thanks,
Kashif
Here is a simple script to check admin is logged or not and if logged get admin details of Magento.You can call to the session and the call to user function to get all details.
$userDetails = Mage::getSingleton('admin/session'); // Get data from the session
$userID = $userDetails->getUser()->getUserId(); // Get user ID
$userID = $userDetails->getUser()->getEmail(); // Get user Email
Please refer to http://webexplorar.com/magento-admin-details/ for more details.
Related
I would like to create a wordpress user with contributor privelages, remotely. However, I would like to also create their wordpress account using an email that I manipulate by using their id (from login on my site) and #example.com. So it would essentially be: id##example.com. I am very new to programming. I have looked and looked and just continue to scratch my head. What would be best practice for doing this? Any examples, resources, explanations would be appreciated!
I was thinking of creating a link in their account page that when the logged in user clicks it it will redirect them to a page that will create their user account within wordpress framework. They would have to be logged into my site to access.
I am not sure how to do the email portion of your question. Although, I would like to know how to meld the two together. However, if you are needing unique emails for wordpress you can by-pass this required section (required if using wp dashboard to create user). I found this recently.
You could simply:
$user_name = //however you get your unique identifier this will be their screen name
$user_id = username_exists( $user_name );
if ( !$user_id and email_exists($user_email) == false ) {
$user_id = wp_create_user( $user_name, $user_email );
wp_update_user(array(
'ID' => $user_id,
'role' => 'contributor'
));
}
If your users actually do have an email account on your server and you want them to receive emails from wordpress.. this will not fix your situation.
there are many ways to do this. the cleanest would probably at the moment be to use the Wordpress API together with JWT authentication.
Here is an easier solution. On the Remote Wordpress Installation you stick something like this into your functions.php
function remote_create_user() {
$token = (isset($_GET['token'])) ? sanitize_text_field($_GET['token']) : '';
$action = (isset($_GET['action'])) ? sanitize_text_field($_GET['action']) : '';
//this is not particularly secure, but let's assume your wordpress page has https which should encrypt the url...
//im just setting some random string to compare to
if ($token != '712031ff105541219fcc741d99a9addd' || $action != 'createuser') {
return;
}
$username = sanitize_text_field($_GET['username']);
$email = sanitize_text_field($_GET['email']);
//making sure the user doesn already exist
$user_id = username_exists($username);
if (!$user_id and email_exists($email) == false) {
$random_password = wp_generate_password($length = 12, $include_standard_special_chars = false);
//creating the user
$user_id = wp_create_user($username, $random_password, $email);
if ($user_id) {
//here you could send the user a welcome mail. if you want, include the password in the mail or just make him press the "forgot password" button
//wp_mail($to, $subject, $message);
echo "User created";
}
} else {
echo "User already exists.";
}
}
add_action('init', 'remote_create_user');
On the system you want to send the command from, you can then do something like this (on the serverside, you can't to this from the browser, because the "authentication" token will be visible in the javascript...
$createuser = file_get_contents('https://yourdomain.com/?token=712031ff105541219fcc741d99a9addd&action=createuser&username=test3&email=test3#test.com');
//depending on the result in $createuser, give an error message or redirect him to your wordpress login page or something
i hope this gives you some ideas.
Edit: Aboves init function is missing a wp_die() at the end. we dont want the whole page rendered here. also, this is just a quick & dirty solution.
Look into Wordpress Rest API or also custom endpoints.
I ran into a problem with my PHP session lately.
For developing I am using a MVC (Model View Controller) structure.
The important files:
├───classes
├───controllers
│ base_controller.php
| ...
│
├───helpers
├───parts
└───views
login_view.php
register_view.php
...
index.php
Problem: login_view.php can't "find" the $_SESSION["currentUser"], that is set in base_controller.php.
Explanation: The session is started in the index.php before the base_controller.php is loaded.
<?php
require_once("php/classes/DB.class.php");
require_once("php/classes/Functions.class.php");
require_once("php/classes/User.class.php");
session_start();
require_once("php/classes/ErrorMsg.class.php");
require_once("php/controllers/base_controller.php");
?>
The $_SESSION["currentUser"] is set in the base_controller.php after successful login. The $user object is stored in the Session. (No, not serialized, I know. But on purpose.)
if(login($username, $password)){
$m = "";
$_SESSION['currentUser'] = $user;
require_once('php/views/register_view.php');
exit();
}
The session is successfully created. Register_view.php is displayed and I am able to use the session.
When I reload the page however, and login_view.php is showed again, I can not use the session at all. Also, it seems that the base_controller.php itself can't use the session too.
The important parts of my base_controller.php:
$user = new User();
$error = new ErrorMsg();
...
//Button Login Pressed
if(isset($_POST["submit_login"])){
if(isset($_POST["login_username"]) && isset($_POST["login_password"])){
$username = htmlspecialchars($_POST["login_username"], ENT_QUOTES);
$password = $_POST["login_password"];
if(login($username, $password)){
$m = "";
$_SESSION['currentUser'] = $user;
require_once('php/views/register_view.php');
exit();
}
else{
$m = $error->WriteError("Login nicht möglich. Falsche Zugangsdaten.", "base_controller -> function login", "");
require_once('php/views/login_view.php');
exit();
}
}
}
...
//Does not work. isset($_SESSION["currentUser"]) returns FALSE
if(isset($_SESSION["currentUser"])){
if($_SESSION["currentUser"]->isLoggedIn()){
require_once('php/views/register_view.php');
exit();
}
}
// Display Login Page
require_once("php/views/login_view.php");
So to summarize it: register_view.php can use $_SESSION["currentUser"], login_view.php and base_controller.php cannot.
I've tried to
echo var_dump($_SESSION['currentUser']);
same as
echo var_dump($_SESSION[]);
but both return NULL or an empty array when used in login_view.php -> But give valid results in register_view.php
Do you have any idea what could be the cause of this non-persistent session?
I really hope I just made a very foolish mistake. You're welcome to laugh constructively. ^^
Are you calling start_session in login_view.php too?
start_session should always be called before using session variables.
Problem solved!
How I solved it:
Please make sure to read the original problem so you understand the fix.
The main problem was, that I tried to save the object $user directly into the $_SESSION. Due to the __PHP_Incomplete_Class the whole thing did not work. I fixed it with storing the User-Data in an array.
$_SESSION["currentUser"] = array("id"=>$user->GetUserId(),"firstname"=>$user->GetFirstname(),"lastname"=>$user->GetLastname(),"username"=>$user->GetUsername(),"lastlogin"=>$user->GetLastLogin(),"group"=>$user->GetGroup(), "class"=>$user->GetClass());
Now, the advantage of directly editing and using functions from the Class however, is gone. I can not use something like
foreach($_SESSION["currentUser"] as $key => $obj){
return '<p>'.$obj->getContent().'</p>';
}
anymore. Also, I can't directly set fields in the User Class anymore.
$_SESSION["currentUser"]->checkIfOnline();
However, to "log out" I just have to delete the session.
unset($_SESSION["currentUser"]); //To delete User session
Once all user-data is saved in a DB, it's perfect that way Session deleted = User logged out.
I need some help with some logic for my buying process on my website.
We have a 4 step buying process: results, customer details, payment details, order confirmation.
The results page simply outputs prices to the screen based on some query string parameters.
I then save lots of information to PHP Sessions variables for later use.
On the 2nd stage, the customer stage, I want to output some of these session variables to the screen which for the most part works.
In my code, one of the first things I do is check the existence of one of the session variables I set on the results page, just to check we are in business and the customers quote info is saving properly.
I have set up warning emails to myself to notify me when a user lands on either the customer or payment stage of the booking process but apparently the first session variable does not exist. I then display a friendly error message asking if they have enabled cookies in their browser.
We seem to be getting a lot of these warnings emails, alarmingly high. It doesn't feel like an accurate statistic of how many customers could arrive without cookies enabled.
The email alerts me of the current URL, the ref URL if there was one, the users IP address, and an output of all Session Vars they have saved (always none of course!)
I'm just stumped what to do next - are these really users or bots hitting the results page without cookies enabled which means they'll fail the test on the next page or could it be something else?
I have session_start() on the top of each of these buying pages so it's nothing like that.
Here's my customer page:
<?php
require_once "../includes/common.php";
$quoteShared = new quoteShared();
// Check if this is a direct page hit
if (requestSession("sessionnumber") == "") {
echo $quoteShared->directHit();
die;
common.php has session_start() at the top.
function requestSession($xParam) {
$value = "";
if (isset($_SESSION[$xParam]))
{
if ($_SESSION[$xParam] != "") {
$value = $_SESSION[$xParam];
}
}
return $value;
}
You can do it in javascript also, this way :
function cookiesAreEnabled()
{
var cookieEnabled = (navigator.cookieEnabled) ? 1 : 0;
if (typeof navigator.cookieEnabled == "undefined" && cookieEnabled == 0){
document.cookie="testcookie";
cookieEnabled = (document.cookie.indexOf("testcookie") != -1) ? 1 : 0;
}
return cookieEnabled == 1;
}
BEST WAY PHP
<?php
session_start();
if(!isset($_GET['testing'])){
setcookie('cookietest', 'somevalue', time()+3600);
header("location: cookie.php?testing=1");
}else{
if(isset($_COOKIE['cookietest']) && $_COOKIE['cookietest'] == 'somevalue'){
echo 'cookie enabled';
}else{
echo 'cookie not enabled';
}
}
I have two MySQL tables. The first one is for the user's credentials i.e. username, password, business_id (system generated). The second one has the user's profile for multiple entities e.g. business name, location, profile_id and business id (system genrated - the same number for the business_id).
The user can edit the details of their business details i.e. their details in the second table. The business id would be say 'abcdef' and profile id would be say 1234567, if they have a second business profile it would be say 1235879.
In order to edit each profile I would have to have the following URL
Edit Business Profile
For the second one it would be
Edit Business Profile
In turn when the a href is clicked the url in the browser would be edit_profile.php?id=1234567 and for the second one would be edit_profile.php?id=1235879
Would it be possible that instead of having edit_profile.php?id=1234567 and edit_profile.php?id=1235879 in the URL I would have edit_profile.php?id=1234567 and for the second one would be edit_profile.php
I don't want the User to see the id i.e. have only edit_profile.php
Ideally, I would like to use a PHP solution, please.
Yes, it is possible, but not exactly what are you trying to do
Solution #1
Intoduction
First of all, it should work only on users who are currently logged in and are trying to see their profile. The final results to reach is to not display ID in URL if ID is equal to current logged user's ID. It is more common than Solution #2 but if you want to hide all IDs, skip this solution.
Pluses:
There is not too much to change, just add a few more lines for checking current user ID
You can still use <a></a> tags for Edit Business Profile links.
Minuses:
Only current logged user's ID will be hidden in the URL
So what to do...
You probably use sessions to let users remain logged in even if they refreshed the page. You are on the right path, but you should add at least one more element to $_SESSION (Profile identification, so we can call it as profile_id for example).
Assume you are using this login formula:
function check_login($username, $password)
{
// query to find user with these inputs (encrypted password, prepared statements, etc)
if($query->num_rows > 0) // user exists
{
// fetch your query
// ...
session_start();
// set the session probably user is logged
// some return on success (probably redirect)
}
else
{
// some return on false
}
}
Now you should add one more $_SESSION element to save your current profile_id value:
session_start();
// ...
$_SESSION['profile_id'] = $result->profile_id; // <--- THIS IMPLEMENT
// some return on success (probably redirect)
1/2 is done!
Half of the problem is already finished, now all you need to do is compare $_GET input with $_SESSION.
Again, assuming your edit_profile.php file looks like this:
if(isset($_GET['id']) && !empty(trim($_GET['id'])))
{
$profile_id = intval($_GET['id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
So now instead of error profile id is not defined we can assign to $profile_id variable index profile_id of superglobal $_SESSION:
else
{
$profile_id = intval($_SESSION['profile_id']);
}
Notice that I am assuming you have condition to reject access to this script, if user is not logged (some condition at the start).
Now your code should work but maybe you are asking the question what if user knows his ID and types it into URL?
So you have two choices:
Let it be as it is
Add condition to check if $_GET['id'] equals to $_SESSION['profile_id'] then redirect to edit_profile.php
Final thoughts...
Maybe if you are generating the list of the users, where the user can edit the others' users profiles including himself's, you want to remove id parameter of the edit_profile.php URL if the user's ID is equal to current ID in fetch loop. You can inspire by this simple function:
function generate_profile_edit_url($id)
{
session_start(); // for the case, you don't have started session yet
return 'Edit Business Profile';
}
Just in every fetch iteration you will use this function, like in the example below:
// ...
echo generate_profile_edit_url($result->profile_id);
// ...
Solution #2
Introduction
This solution will reach to the editing user's profile without any ID parameter in URL. It is designed for situation where user has rights to edit someone else's profile (for example, a moderator or an admin) and you still don't want to have the users' ID in the URL.
Pluses:
No ID parameter in URL needed for all users
Minuses:
you have to change every profile link to little form using POST action without JavaScript knowledge
no more <a></a> links for profile edit, again without JavaScript knowledge
users are still able to get their id if they want to
So what to do...
Firstly, we need to change edit_profile.php file. We have to recieve $_POST data containing target's profile_id.
Like in Solution #1, assume your edit_profile.php looks like:
if(isSet($_GET['id']) && !empty(trim($_GET['id'])))
{
$profile_id = intval($_GET['id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
Most of the changes will be just replacing $_GET with $_POST:
if(isSet($_POST['profile_id']) && !empty(trim($_POST['profile_id'])))
{
$profile_id = intval($_POST['profile_id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
For this file, it is enough.
Now there is some more work to do if you have a placed profile links in different files. But we can make it easier using one simple function like this:
function get_profile_edit_button($profile_id)
{
$html = '<form action="edit_profile" method="POST">';
$html .= '<input type="hidden" name="profile_id" value="' . intval($profile_id) . '">';
$html .= '<input type="submit" value="Edit Business profile">';
$html .= '</form>';
return $html;
}
The last thing is replace current edit profile links with this function. For example you have fetch loop of users:
// ...
echo 'Edit Business Profile';
// ...
So you will replace this string with your function get_profile_edit_button():
// ...
echo get_profile_edit_button($result->profile_id);
// ...
Final thoughts...
As I mentioned in minuses, profiles' ids cannot be totally hidden. If someone opened Source code of your page, he can see profile_id in hidden form type:
<input type="hidden" name="profile_id" value="1234567">
It is only on you what solution you prefer, but I can recommend you Solution #1. There is nothing bad about having IDs in URL. Stack Overflow has it too as you can see it on questions, answers, comments and users.
Useful resources:
PHP Session Security
PHP form token usage and handling
When logging in, try saving the user ID and business ID inside session.
As for example..
$logged_in = some_logic_stuffs();
if($logged_in){
session_start();
$_SESSION['user_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
$_SESSION['business_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
}
Now, when user goes to edit_profile.php, do
session_start();
$business_id = $_SESSION['business_id'];
$user_id = $_SESSION['business_id'];
For the login logic, try reading this tutorial:
http://www.formget.com/login-form-in-php/
If the user can edit multiple business profiles, the $_SESSION solutions would not work. You would need to disguise what gets sent to the address bar:
You would need to change your code to POST the data rather than sending it as a GET request.
To do this you could either use JavaScript to fake a form post on the link click, or wrap your link in a form tag and set method="POST".
POST sends the data "behind the scenes" rather than exposing it in the browser. I should add that this would still be visible to anyone wanting to discover your IDs, but it would hide it from the casual user at least.
If you really wanted security, #BobBrown's suggestion to tokenise would be a great way forward. You may find, however, that just hiding the ID from display on-screen is enough. Just make sure your user management system will restrict who can edit a particular business.
Try this
<?php
session_start();
include('dbconnect.php');
if(isset($_SESSION['username']))
{
$username = $_SESSION['username'];
$userid = $_SESSION['id'];
}
else
{
$_SESSION['id'] = "";
$_SESSION['username'] = "";
}
if($username <> "")
{
$username = 'username';
$userid = 'id';
}
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 900))
{
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
?>
then
<?php
#if the form is set (meaning that the information was submitted then define what the parameters are for each
if(isset($_REQUEST['username']) == TRUE)
{
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
#make sure there are no blank fields
if($username == "" OR $password == "")
{
echo '<p class="text-danger">Please enter a Username and Password</p>';
}
else
{
$userid = finduser($username, $password);
if($userid > 0)
{
loginuser($userid);
}
else
{
echo '<p class="lead text-danger">The Username and/or Password enter is incorrect</p><br />';
}
}
}
?>
after that then this
<?php
if(isset($_SESSION['username']))
{
if($_SESSION['username'] <> "")
{
//do something
}
else{
//form or something else
?>
<form>form goes here</form>
<p> or something else you want</p>
<?php
}
}
?>
Start your PHP with session_start(); then when the user logs in make a session value for the ID:
$_SESSION['profile-id'] = 1235879; //Select it from database
after in your edit_profile.php do that:
if (!isset($id)) {
$id = $_SESSION['profile-id'];
}
And then edit the $id.
Store the id in session on the first page:
$_SESSION['id'] = 12345;
And on edit_profile.php you can get the value by:
$id = $_SESSION['id'];
And start the session on every page by session_start();
Easiest and simplest way to handle your situation if you want to use Id or any information in URL and pass it through URL
then you can have a scret combination with your values like below
Firt you have to encode the value with your secret stuff for example
$sshhh="ITSMY_SECRET_VALUECODE";
$encrypted_id = base64_encode($your_value . $sshhh);
Then pass it (encrpyted_id) in URL
for example href="all-jvouchers.php?id=<?= $encrypted_id; ?>
and while getting value use below code to get back your value
$sshhh="ITSMY_SECRET_VALUECODE";
$decrypted_id_raw = base64_decode($_GET['id']);
$decrypted_id = preg_replace(sprintf('/%s/', $sshhh), '', $decrypted_id_raw);
Use $decrypted_id wherever and however you want to securely
I'm aware that this topic has been covered before here on Stack, and I have looked at some answers, but I'm still a bit stuck, being fairly new to PHP. Every page on my website requires a login, and so users are redirected to a login page on page load. At the top of each page then I have:
<?
require("log.php");
include_once("config.php");
include_once("functions.php");
?>
This redirects the user to log.php (with new code added):
<?
session_name("MyLogin");
session_start();
if(isset($_SESSION['url']))
$url = $_SESSION['url']; // holds url for last page visited.
else
$url = "index.php"; // default page for
if($_GET['action'] == "login") {
$conn = mysql_connect("localhost","",""); // your MySQL connection data
$db = mysql_select_db(""); //put your database name in here
$name = $_POST['user'];
$q_user = mysql_query("SELECT * FROM users WHERE login='$name'");
if (!$q_user) {
die(mysql_error());
}
if(mysql_num_rows($q_user) == 1) {
$query = mysql_query("SELECT * FROM users WHERE login='$name'");
$data = mysql_fetch_array($query);
if($_POST['pwd'] == $data['password']) {
$_SESSION["name"] = $name;
header("Location: http://monthlymixup.com/$url"); // success page. put the URL you want
exit;
} else {
header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
exit;
}
} else {
header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
exit;
}
}
// if the session is not registered
if(session_is_registered("name") == false) {
header("Location: login.php");
}
?>
The login form is contained in login.php. The code for login.pho relevant to the PHP/log.php is:
<?
session_start();
if($_GET['login'] == "failed") {
print $_GET['cause'];
}
?>
and
<form name="login_form" id="form" method="post" action="log.php?action=login">
The answer that I came across stated that I should add:
session_start(); // starts the session
$_SESSION['url'] = $_SERVER['REQUEST_URI'];
to the top of each page, which I did, at the top of the page (above "require("log.php");"), and then add:
if(isset($_SESSION['url']))
$url = $_SESSION['url']; // holds url for last page visited.
else
$url = "index.php"; // default page for
to my login page, and use the following URL for redirect on successful login:
header("Location: http://example.com/$url"); // perform correct redirect.
I am not 100% where the code which stores the referring URL should go, at the top of log.php or login.php.
I have tried adding it to both, but the login page is just looping once I have entered the username and password.
I wonder if someone could help me get this working?
Thanks,
Nick
It appears that I don't have the privilege to comment on your post, so I'll do the best that I can to answer. I apologize for all of the scenarios, I'm just doing the best I can to answer on a whim.
SCENARIO 1:
If you've truly not selected a database in your code, as demonstrated here, could that potentially be your issue? Please do note, that the code below, is the code you've posted.
$db = mysql_select_db(""); //put your database name in here
SCENARIO 2:
The code below is not something I've ever used in anything I've built, might I suggest that you try replacing that line of code with the line below it?
if(session_is_registered("name") == false) { // Current
if(isset($_SESSION['name']) == false) { // Potential Replacement
SCENARIO 3:
If you're logic for the following, exists on the login.php file as well... That could potentially be your problem. Upon visiting your site, I noticed your form appears on login.php, yet your logic is posting to log.php. I'm hoping this bit of code can help rule out that "jump", as login.php might be saving itself and overwriting the $_SESSION variable you've established
session_start(); // starts the session
$_SESSION['url'] = $_SERVER['REQUEST_URI'];
If it's too complex to take it out of the login.php file, if you even have it there, I've put together some code that you can use to create "internal" breadcrumbs, so you can go 2 pages back in your history.
if(!isset($_SESSION['internal_breadcrumbs']))
$_SESSION['internal_breadcrumbs'] = array();
$_SESSION['internal_breadcrumbs'][] = $_SERVER['REQUEST_URI'];
$max_breadcrumbs = 5;
while(count($_SESSION['internal_breadcrumbs']) > $max_breadcrumbs)
array_shift($_SESSION['internal_breadcrumbs']);
That will create an array with a max of $max_breadcrumbs elements, with your most recent page at the end, like the following
Array
(
[internal_breadcrumbs] => Array
(
[0] => /other_page.php
[1] => /other_page.php
[2] => /other_page.php
[3] => /user_page.php <-- desired page
[4] => /login.php <-- most recent page
)
)
So now... you can setup your url to be something more like the following...
// I'm doing - 2 to accommodate for zero indexing, to get 1 from the current page
if(isset($_SESSION['internal_breadcrumbs']))
$url = $_SESSION['internal_breadcrumbs'][count($_SESSION['internal_breadcrumbs']) - 2];
else
$url = "index.php"; // default page for
All the best, and I certainly hope this has helped in some way.
IN SCENARIO 4
From the client test the login/password which ajax XMLHttpRequest with javascript code to a dedicated script for validation (do it on mode https for secure)
If response is right send the login password to your script server.
Stips : Encoding password is better secure !
Using header() function it's a bad idea.
Manual specification say ;
Remember that header() must be called before any actual output is
sent, either by normal HTML tags, blank lines in a file, or from PHP.
It is a very common error to read code with include, or require,
functions, or another file access function, and have spaces or empty
lines that are output before header() is called. The same problem
exists when using a single PHP/HTML file.
So in your case, i suggest that to use cookies with an ID generate only for the session, at the first connection its generate, and the duration of the cookie maybe for only from 2 to 10 minutes.
Regenerate cookie each time the loging.PHP is called !
Have a nice day