The output of the following code on a random page is :
print $_SESSION['uid']; // logged in user
// Get Data .
$uid = $_GET['ID']; // part of random page processing
print $_SESSION['uid'];
is :
1
2
My logged in User ID is changing ! :#
The code for the login (authenticate) page is something like this :
// Authenticate
$query = "SELECT * FROM User WHERE Email = '".$Email."' AND Password = '".$Password."'";
$result = mysql_query($query);
// Authenticated?
if(mysql_num_rows($result)) {
    // Yes
    // Set session Vars
    $uid = mysql_result($result,0,'ID');
    $Access = mysql_result($result,0,'Access');
    session_destroy();
    session_start();
    $_SESSION['loggedIN'] = 1;
    $_SESSION['Access'] = $Access;
    $_SESSION['uid'] = $uid;
    // Print a successful login and redirect
What you're seeing is a side-effect of register_globals. Basically:
$uid
and
$_SESSION['uid']
reference the same variable so when you do:
$uid = $_GET['ID'];
it's the equivalent of:
$_SESSION['uid'] = $_GET['ID'];
My advice? Turn off register globals. It's deprecated in PHP 5.3 and will be removed in PHP 6. To turn it off, edit your php.ini file and change this directive to:
register_globals = Off
then restart Apache (or whatever your Web server is).
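The aliasing described in this answer can be reproduced on current PHP, where register_globals no longer exists, by binding the local variable to the session entry with an explicit reference. This is an added example, not code from the question or the answer; processPage() is a hypothetical name, a plain array stands in for $_SESSION, and the values 1 and 2 are the ones from the output shown in the question.

```php
<?php
// Simulates one page request. $session stands in for $_SESSION so the
// script runs from the command line without starting a real session.
function processPage(array $session, array $get, bool $registerGlobals): array
{
    if ($registerGlobals) {
        // What register_globals = On did for every session key: the global
        // $uid and $_SESSION['uid'] referred to one and the same value.
        $uid = &$session['uid'];
    }

    $before = $session['uid'];
    $uid = $get['ID'];            // "part of random page processing"
    $after = $session['uid'];

    return [$before, $after];
}

$session = ['uid' => 1];          // logged-in user (constructed sample)
$get     = ['ID' => 2];           // record requested with ?ID=2 (constructed sample)

foreach ([true, false] as $flag) {
    [$before, $after] = processPage($session, $get, $flag);
    printf(
        "register_globals=%s  session uid before=%d  after=%d\n",
        $flag ? 'On' : 'Off',
        $before,
        $after
    );
}
```

With the reference in place, a value taken from the query string ends up as the logged-in user's ID, which is why the setting matters for access control and not only for tidiness.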
That's weird... Are you sure you're not doing $_SESSION['uid']++ anywhere?
Also, do you have register_globals on?
register_globals should be off by default.
Is there some call to session_register anywhere?
I have got this strange problem. I wanted to make a page which uses a Username to identify which content should be displayed. It seems to work fine, except for one thing. The wrong value is read from the session on one specific page. I have checked the session value in my browser, but there the value seems to be correct. I'll show you the code:
this is my login function, using php:
<?php
//CONNECT TO DATABASE
$db = mysqli_connect("localhost","root","MyPassword","MyDBName");
if($db->connect_errno){
    die('connection error: ' . $db->connect_errno);
}
//CHECK IF LOGIN DATA IS SUBMITTED AND IS CORRECT
if(isset($_POST['action'])){
    switch($_POST['action']){
        case "login":
            $pw = $_POST['pw'];
            $loginUn = $db->real_escape_string($_POST['loginUn']);
            $result = mysqli_query($db,"SELECT `Password` FROM `accounts` WHERE `Username`='" .$loginUn. "'");
            if(mysqli_num_rows($result) != 0){
                $dbpw = $result->fetch_object();
                $VI = explode("-",$dbpw->Password);
                $dbpw = openssl_decrypt($VI[1],"blowfish","",0,$VI[0]);
                if($pw == $dbpw){
                    $login = true;
                    $_SESSION['login'] = true;
                    $_SESSION['Username'] = $_POST['loginUn'];
                    $un = $_POST['loginUn'];
                }
            }
            break;
        case "logout":
            $_SESSION['login'] = false;
            $_SESSION['Username'] = "";
            break;
    }
}else{
    if(isset($_SESSION['login'])){
        $login = $_SESSION['login'];
        $un = $_SESSION['Username'];
    }
}
?>
it seems to work fine, since it works in the page it is used.
I have made some dummy accounts in the database, with these usernames: Admin and User.
Here is the code of the page it went wrong:
PHP:
//THIS IS NOT THE SAME PAGE AS THE PREVIOUS PHP CODE
$login = false; //CHECK IF USER HAS LOGGED IN
$un = "";
if(isset($_SESSION['login'])){
    $login = $_SESSION['login']; //IF LOGGED IN SET TO SESSION VALUE
    $un = $_SESSION['Username']; //SET $UN TO USERNAME IN SESSION
}
Then I used javascript and php to alert the values which the variables contain:
<script type="text/javascript">
alert("$un = <?php echo $un;?>");
</script>
There seemed to be no problem with the login variable, since it had the correct value, but the variable $un was wrong. When I wasn't logged in, it had no value, which is correct, but when I was logged in, it contained the value Admin, even when I wasn't logged in as Admin. In the browser options the cookie value seemed correct. I've checked the cookie on every page, and it worked just fine, just not on this page. What am I doing wrong that makes the browser (which is Firefox, by the way) think that it is always Admin that is logged in?
As mentioned earlier in the comments, there are many security risks in your script.
You should take a look at PHP's sessions to build your login. Using sessions, there will be only one cookie storing an ID and all the data will be stored on your server and can't be modified by the user.
Your problem with 'Admin' staying as cookie value could be a caching problem.
I just found out what I did wrong. A piece of code which I found irrelevant, missed a = so the variable wasn't compared, but set to this wrong value.
Hi, I am trying to get the user signed in via sessions. Here is my code; it was working before and now it isn't, and I didn't even change the code.
profile.php (to show after logged in)
<?php
ob_start();
session_start();
$userName = $_SESSION['username'];
$userid = $_SESSION['userid'];
if(isset($_GET['session'])) {
    $currentSessionID = $_GET['session'];
    $currentSessionID = md5(md5(md5($currentSessionID)));
    session_id($currentSessionID);
    header("Location:profile.php");
    return;
}
if(!isset($userName)){
    echo "OUT";
    return;
}
...
scripts/signin.php
ob_start();
session_start();
include "config.php";
echo "here";
// check for required fields
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['Username']) && isset($_POST['Password'])) {
    $user = mysql_real_escape_string($_POST['Username']);
    $pass = mysql_real_escape_string($_POST['Password']);
    $decrypt = md5(md5(md5($pass)));
    $ensure = "select * from userinfo WHERE Username = '$user' and Password='$decrypt' and status='1'";
    $result= mysql_query($ensure);
    if(mysql_num_rows($result) > 0) {
        echo "here2";
        $entry = mysql_fetch_array($result) or die(mysql_error());
        $_SESSION['username'] = $entry['Username'];
        echo $entry['Username'];
        $_SESSION['userid'] = $entry['Id'];
        $currentSessionID = session_id();
        $currentSessionID = md5(md5(md5($currentSessionID)));
        header("Location: http://www.myprocity.com/profile.php?session=".$currentSessionID);
        echo "here3";
The reason why I'm passing in the session ID is because I'm trying to keep only sign-in and sign-up on HTTPS while the other pages are HTTP, so I can show Google ads. Does anyone know how to implement this without security issues (perfectly)?
It always goes to OUT even when $_SESSION is my username (database is correct).
In profile.php you are checking for the presence of a session ID, and changing the session ID if you find it. You are doing this after you've set up a session with session_start(), but the PHP manual specifically says you must call session_id() before session_start() for this to work.
You're also hashing $_GET['session'] before sending it, and again before using it. The session ID you're trying to use in profile.php won't match the session ID used in signin.php
The result is that $_SESSION does not have the data in it you are expecting.
You need to rationalise your use of session_id(), and ensure the correct value is passed from page to page. All the hashing with md5() is just complicating matters - drop it. Realistically, I don't see why you need anything more than session_start() at the top of each page and let PHP handle the sessions. You may have an argument for doing what you're doing, but your solution simply won't work.
if(isset($_POST["username"])&& isset($_POST["password"])){
    include('config.php'); //this one connects to the database
    $username = $_POST["username"];
    $password = md5($_POST["password"]);
    $sql2=mysql_query("SELECT * FROM clinic_staff WHERE username='$username' AND password='$password'");
    $count2 = mysql_num_rows($sql2);
    if($count2 == 1){
        while($row2 = mysql_fetch_array($sql2)){
            $id = $row2["staff_ID"];
            $position = $row2["position"];
        }
        $_SESSION["id"] = $id;
        $_SESSION["name"] = $username;
        $_SESSION["password"] = $password;
        $_SESSION["pos"] = $position;
        header("location:index.php");
        exit();
    }
The problem is I can't echo the username in index.php. I don't know if it is passed successfully. In index.php I used echo $_SESSION["name"];
Put session_start(); at the beginning of your document with no white space above it.
You need to look at session_start to start a session. Examples are here
I don't see session_start();. You have to call that function at the top of every page you use session variables. (At least I have to do that on my server, somebody said to me you should actually be able to use Session variables without session_start();, but everything that needed a session variable stopped working after I removed the calls to session_start();)
I have created a session after my login page and wanted to redirect to a secure page with the session I created earlier, but my session data is not passed. May I know what the problem is?
php session:
$em = $_POST['email'];
$pw = $_POST['password'];
$em = mysql_real_escape_string($em);
$pw = mysql_real_escape_string($pw);
$query = "SELECT * FROM Register WHERE email = '$em' AND pass = '$pw'";
$result = mysql_query($query) or die("Unable to verify user because : " . mysql_error());
if (mysql_num_rows($result) > 0) {
    session_start();
    // store session data
    $_SESSION['login']=$em;
    //echo 'Connected';
    // Jump to secured page
    echo "<script>window.location='http://example.com/secure.php'</script>";
}
the page i redirected to:
<?php session_start(); $_SESSION['login']; ?>
<p>Welcome
<?php
//retrieve session data
echo $_SESSION['login'];
?>
to M-Cloud</b>
Firstly.
Make sure that the session_start is at the top of the pages. That is the best practice.
Make sure the $em has a value when the SESSION is being set.
Check that the web hosting you use supports SESSIONS.
And at the top of the second page, you don't need to have the $_SESSION['login']; bit
To test that $em definitely has a value. echo it out on that page to check.
If this does not work, please paste more of the code so we can find the problem.
You can remove the first $_SESSION['login']; on the second page, then show the whole $_SESSION array with print_r($_SESSION); to see if the value is correct or not.
I'm using this:
function authUser($username, $password){
    connectDB();
    $sql = "SELECT id, username FROM users where username = '".$username."' and password = '".$password."'";
    $result = mysql_query($sql);
    $num_rows = mysql_num_rows($result);
    if ($num_rows > 0){
        while ($row = mysql_fetch_array($result)){
            $username = $row['username'];
            session_start();
            session_register('username');
            return $username;
        }
    }
    closeConn();
}
With a combination of this:
$auth = authUser($username, $password);
if (isset($username)){
    header( "Location: index.php" );
}
And then on the index.php (where I redirect them after a successful login) I'm trying to echo $username. But nothing is showing? Any ideas? Is this function the problem?
EDIT:
have now changed it so:
if ($num_rows > 0){
    while ($row = mysql_fetch_array($result)){
        $_SESSION['username'] = $row['username'];
        return true;
    }
}
Is that right?
I would change:
while ($row = mysql_fetch_array($result)){
    $_SESSION['username'] = $row['username'];
    return true;
}
into:
$row = mysql_fetch_array($result);
$_SESSION['username'] = $row['username'];
because you want to login and get ONE person out
Please note that you are always re-directing to index.php, not only on a successful login;
$auth = authUser($username, $password);
if (isset($username)){
    header( "Location: index.php" );
}
$username is set, both on a successful and a non-successful login.
You need to use session_start() on the index page as well.
Make sure index.php has a session_start() called at the top of the script, and also, try using $_SESSION['username'] instead of just $username. A lot of servers nowadays are set up so you have to call the full variable (with $_SESSION) rather than just the shortened version. Read about Register Globals at http://php.net/manual/en/security.globals.php. If you still have problems, take the session_start() out of the authUser function and move it to the first line of that script as well.
Variables are not global between page instances, you need to put the variable in $_SESSION if you want it to be accessible over multiple pages.
First, session_register is deprecated. Use $_SESSION:
$_SESSION['username'] = $row['username'];
Second, your authUser() function returns either a username (if successful) or nothing. Then this code:
$auth = authUser($username, $password);
if (isset($username))...
should be changed to
$username = authUser($username, $password);
if (isset($username))...
And one more thing, checking for passwords in the clear is a very very bad thing :) Consider hashing it with MD5().
Good luck!
If you use mysql_fetch_array then you should use array, like this: $row[0]
You can use mysql_fetch_assoc() to use table column name ($row['username'])
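A login routine that pulls together the points raised across the answers on this page: session_start() before anything else, $_SESSION instead of session_register(), one row fetched by column name, and a branch on the function's return value. It is an added example, not code from any of the posts, and it goes further than they do by using a PDO prepared statement and password_hash()/password_verify() in place of the string-built queries and password comparisons shown above. The users table, the sample account and the in-memory SQLite database are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

session_start(); // first statement on every page that touches $_SESSION

// Constructed sample data: in-memory SQLite database with one account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns true and fills $_SESSION on success, false on any failure.
function authUser(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps the submitted name out of the SQL text,
    // so a quote in it cannot change the query.
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // one row, keyed by column name

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);           // fresh session ID after login
    $_SESSION['uid'] = (int) $row['id'];
    $_SESSION['username'] = $row['username'];
    return true;
}

// Branch on the return value, not on the request variable.
$attempts = [
    ["o'brien", 'wrong password'],
    ['nobody', 'correct horse'],
    ["o'brien", 'correct horse'],
];
$results = [];
foreach ($attempts as [$name, $pass]) {
    $results[] = sprintf('%s: %s', $name, authUser($db, $name, $pass) ? 'logged in' : 'rejected');
}
echo implode(PHP_EOL, $results), PHP_EOL;
echo 'session username: ', $_SESSION['username'] ?? '(none)', PHP_EOL;
```

On a real page the success branch would send the Location header and call exit, and the target page would begin with its own session_start().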