?
Solved

php login problems : Session not destroyed !

Posted on 2003-03-18
4
Medium Priority
?
395 Views
Last Modified: 2011-09-20
Hello, well i've got this little problem : i've set up a reserved zone for some members on a website.
The users log on with a simple form (login/pass) on index.php, are logged by login.php et are accessing the reserved zone
(intra/intra.php).
They can log out through a logout.php, accessible from the reserved intra/intra.php.

But here comes my problem : if the user #1 goes back to the log page index.php from the reserved zone,
without clicking on logout.php, (by typing the url on the address bar or something) and user #2
on the same host tries to log in with a new login/pass pair, the user #2 has user #1's settings (same session!).

How could I destroy the old session before registering a new one ?

Thanks for your help,
Eric.

Here's some code I use :

------------------------ index.php (the login form) ------------

<form method="POST" action="./login.php">
        <font size="2" face="Tahoma, Arial"><font color="#FFFFFF">Login:
        <input type="text" name="username" size="20">
        Passw:
        <input type="password" name="password" size="20">
        </font>
        <input type="submit" value="OK" name="login">
        </font>
      </form>

----------------------------------------------------------------


------------------------------------ login.php  
<?PHP

//check that the user is calling the page from the login form and not accessing it directly
//and redirect back to the login form if necessary

header("Cache-Control: no-cache, must-revalidate");

if (!isset($username) || !isset($password))
 {
  header( "Location: http://eirikur.planet-work.com/telecom/index.php" );
 }

//check that the form fields are not empty, and redirect back to the login page if they are

elseif (empty($username) || empty($password))
 {
  header( "Location: http://eirikur.planet-work.com/telecom/index.php" );
 }

else
 {
//convert the field values to simple variables

//add slashes to the username and md5() the password
$user = addslashes($_POST['username']);
$pass = md5($_POST['password']);

//set the database connection variables

$dbHost = "****************";
$dbUser = "*******";
$dbPass = "*******";
$dbDatabase = "*******";

//connet to the database

$db = @mysql_connect("$dbHost", "$dbUser", "$dbPass") or die ("Error connecting to database.");

@mysql_select_db("$dbDatabase", $db) or die ("Couldn't select the database.");

$result=@mysql_query("select * from Users where username='$user' AND password='$pass'", $db);

//check that at least one row was returned

$rowCheck = @mysql_num_rows($result);
if($rowCheck > 0)
  {
   while($row = @mysql_fetch_array($result))
     {
  //start the session and register a variable

  session_start();
  session_register('username');

  //successful login code will go here...
  //echo 'Success!';

  //we will redirect the user to the reserved zone
  header( "Location: generic.php?file=intra/intra.php" );
     }

  }
  else
  {

  //if nothing is returned by the query, unsuccessful login code goes here...

  echo 'Incorrect login name or password. Please try again.';
  }
}
?>



0
Comment
Question by:eirikur
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 15

Expert Comment

by:VGR
ID: 8162812
my ugly suggestion (at least, it works)

in the intra/* zone, put your pages in a frameset. The other frame (invisible, rows=0) contains nothing visible but some javscript code for OnUnload event.
OnUnload, call a PHP page in an auto-closing spawned form. This PHP page will destroy the session.

Example : index.html/index.php
[here HEAD stuff, title, etc]
</head>
  <frameset rows="*, 0" frameborder=0 border=0 framespacing=0>
    <frame name=main src="index2.php">
    <frame name=b scrolling=no noresize src="fauxblank.php">
  </frameset>
</html>

fauxblank.php :
<?
session_start();
?>
<html>
<head>
<SCRIPT LANGUAGE="JavaScript">
<!-- Hide from JavaScript-Impaired Browsers
function ByeWin() {
window2=window.open('./index.php/byeuser','','width=50,height=50');
}
// End Hiding -->
</SCRIPT>
</head>
<body onUnload="ByeWin()">
</body>
</html>


(yes, for me closing a session is done via calling "index.php/byeuser" : adapt to your needs)
here's the code :
<?
if (($action=="byeuser")OR(isset($byeuser))) {
    LogAction($sess_pseudo,$REMOTE_ADDR,"byeuser : $sess_pseudo closed session (gone).",5);
    session_destroy();
    // I recommend to manually unset() all important variables
    echo "<SCRIPT>self.close();</SCRIPT>";
    exit;
} // byeuser case (en if pour l'instant, c'est mieux)
?>
0
 
LVL 2

Accepted Solution

by:
foreverfresh earned 750 total points
ID: 8165345
hi,

i will try to explain,

1. you must use 1 session variable like $sid
and add 1 more field to user table like sid VARCHAR(35)
after login check
if login&password is okey

$sid = md5(microtime());
mysql_quey("UPDATE user_table set sid='$sid' WHERE username='$user' AND password='$pass'", $db);
session_start();
session_register('sid');

after you have to check in all protected pages $sid
and compare with database,if another user wants to login
he will take new $sid,nobody can access with old $sid
because sid will change when new login.

whit this method nobody can use same user/pass same time.


I hope this method can halp you

sorry for my bad english :)
0
 
LVL 1

Author Comment

by:eirikur
ID: 8190537
Well the 1st solution was really too dirty and didn't work on me ^^

The 2nd solution was more interesting but my db got a problem with generating the sid,

so I took a solution with cookies, and i don't have that problem anymore. Thanks again, the 2nd one got the points, because it worked w/ someone else...
0
 
LVL 15

Expert Comment

by:VGR
ID: 8190567
i will stay polite and not answer to the "dirty" word

i already have "fun pals to fight with" on fuckfrance.com

0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this. Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it i…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question