Asked by eirikur
PHP login problems: Session not destroyed!
Hello, well I've got this little problem: I've set up a reserved zone for some members on a website.
The users log on with a simple form (login/pass) on index.php, are logged in by login.php and then access the reserved zone
(intra/intra.php).
They can log out through a logout.php, accessible from the reserved intra/intra.php.
But here comes my problem: if user #1 goes back to the login page index.php from the reserved zone,
without clicking on logout.php (by typing the URL in the address bar or something), and user #2
on the same host tries to log in with a new login/pass pair, user #2 gets user #1's settings (same session!).
How could I destroy the old session before registering a new one?
Thanks for your help,
Eric.
Here's some code I use:
------------------------ index.php (the login form) ------------
<form method="POST" action="./login.php">
<font size="2" face="Tahoma, Arial"><font color="#FFFFFF">Login:
<input type="text" name="username" size="20">
Passw:
<input type="password" name="password" size="20">
</font>
<input type="submit" value="OK" name="login">
</font>
</form>
-------------------------- login.php --------------------------
<?PHP
//check that the user is calling the page from the login form and not accessing it directly
//and redirect back to the login form if necessary
header("Cache-Control: no-cache, must-revalidate");
if (!isset($_POST['username']) || !isset($_POST['password']))
{
header( "Location: http://eirikur.planet-work.com/telecom/index.php" );
exit; //stop here, otherwise the rest of the script still runs after the redirect header
}
//check that the form fields are not empty, and redirect back to the login page if they are
elseif (empty($_POST['username']) || empty($_POST['password']))
{
header( "Location: http://eirikur.planet-work.com/telecom/index.php" );
exit;
}
else
{
//convert the field values to simple variables
//add slashes to the username and md5() the password
$user = addslashes($_POST['username']);
$pass = md5($_POST['password']);
//set the database connection variables
$dbHost = "****************";
$dbUser = "*******";
$dbPass = "*******";
$dbDatabase = "*******";
//connect to the database
$db = @mysql_connect($dbHost, $dbUser, $dbPass) or die ("Error connecting to database.");
@mysql_select_db($dbDatabase, $db) or die ("Couldn't select the database.");
$result=@mysql_query("select * from Users where username='$user' AND password='$pass'", $db);
//check that at least one row was returned
$rowCheck = @mysql_num_rows($result);
if($rowCheck > 0)
{
while($row = @mysql_fetch_array($result))
{
//start the session and register a variable
//(session_register() needs register_globals: the global $username becomes the session variable)
session_start();
session_register('username');
//successful login code will go here...
//echo 'Success!';
//we will redirect the user to the reserved zone
header( "Location: generic.php?file=intra/intra.php" );
exit;
}
}
else
{
//if nothing is returned by the query, unsuccessful login code goes here...
echo 'Incorrect login name or password. Please try again.';
}
}
?>
ASKER
Well, the 1st solution was really too dirty and didn't work for me ^^
The 2nd solution was more interesting, but my DB got a problem with generating the SID,
so I took a solution with cookies, and I don't have that problem anymore. Thanks again, the 2nd one got the points because it worked with someone else...
I will stay polite and not answer the "dirty" word.
I already have "fun pals to fight with" on fuckfrance.com
In the intra/* zone, put your pages in a frameset. The other frame (invisible, rows=0) contains nothing visible, only some JavaScript code for the onUnload event.
On onUnload, call a PHP page in an auto-closing spawned form. This PHP page will destroy the session.
Example: index.html/index.php
[here HEAD stuff, title, etc]
</head>
<frameset rows="*, 0" frameborder=0 border=0 framespacing=0>
<frame name=main src="index2.php">
<frame name=b scrolling=no noresize src="fauxblank.php">
</frameset>
</html>
fauxblank.php:
<?
session_start();
?>
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide from JavaScript-Impaired Browsers
function ByeWin() {
window2=window.open('./ind
}
// End Hiding -->
</SCRIPT>
</head>
<body onUnload="ByeWin()">
</body>
</html>
(yes, for me closing a session is done via calling "index.php/byeuser": adapt to your needs)
Here's the code:
<?
if (($action=="byeuser")OR(is
LogAction($sess_pseudo,$RE
session_destroy();
// I recommend to manually unset() all important variables
echo "<SCRIPT>self.close();</SCRIPT>";
exit;
} // byeuser case (as an if for now, it's better)
?>
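As an added example (not the asker's or the answerer's code), here is how the login in the asker's login.php can discard the previous visitor's session before registering the new user, and how a logout page or the answer's "byeuser" handler can destroy a session completely instead of only calling session_destroy(). It assumes PHP 7 or later, a PDO connection in $db, and a Users table whose password column stores password_hash() output rather than md5().

```php
<?php
// Added example, not the asker's or the answerer's code. Assumes PHP 7+, a PDO
// connection $db, and a Users table whose password column stores password_hash() output.

// Discard whatever identity the browser's current session still carries (user #1
// who never clicked logout) and issue a fresh session ID before the new login.
function resetSession(): void
{
    $_SESSION = [];                 // forget user #1's variables
    session_regenerate_id(true);    // new SID; the old server-side record is deleted
}

// login.php: the identity is stored only after the password verifies.
function loginUser(PDO $db, string $username, string $password): bool
{
    session_start();
    resetSession();
    $stmt = $db->prepare('SELECT password_hash FROM Users WHERE username = ?');
    $stmt->execute([$username]);            // bound parameter, nothing to addslashes()
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    $_SESSION['username'] = $username;
    return true;
}

// logout.php (or the answer's "byeuser" case): session_destroy() alone leaves the
// cookie in the browser and $_SESSION in memory, so clear both as well.
function logoutUser(): void
{
    session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Guard to include at the top of every page in intra/.
function requireLogin(): void
{
    session_start();
    if (empty($_SESSION['username'])) {
        header('Location: http://eirikur.planet-work.com/telecom/index.php');
        exit;
    }
}
```

Because resetSession() runs on every login attempt, user #2 never inherits user #1's variables even when user #1 simply navigated back to index.php without logging out.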