
I set session variables on a login page, and then it redirects to the home page, where a function called isLoggedIn() decides whether it include()s signed-in.php or membership-container.php in the header. signed-in.php is what shows if the person is logged in, and membership-container.php is shown if the client is not logged in. After I login it shows signed-in.php as would be expected, but when I reload the page, it shows membership-container.php.

Login page:

```php
<!DOCTYPE html>
    <?php
        session_start();
        /*error_reporting(0);*/

        require 'users/database/connect-database.php';

        require 'users/database/database-functions.php';

        if ($_POST) {
            $email = sanitize($connection, strip_tags($_POST['login_email']));
            $password = sanitize($connection, strip_tags($_POST['login_password']));
            $encrypted_password = sha1($password);
            if (!empty($email) && !empty($password)) {
                if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                    $error = 'Your email is not valid.';
                } else if(exists($connection, 'email', 'members', 'email', $email) == false) {
                    $error = "We didn't find anyone with that email and password. Have you joined SamHalesJr.com yet?";
                } else if (exists($connection, 'email', 'members', 'password', $encrypted_password) == false) {
                    $error = "Please enter the correct password.";
                } else if (detail($connection, 'active', 'members', 'email', $email) != 1) {
                    $error = "You haven't activated your account!";
                } else {
                    $query = login($connection, $email, $encrypted_password);
                    if ($query == true) {
                        ini_set('session.gc_maxlifetime', $inactive_session);
                        $_SESSION['session'] = time();
                        $_SESSION['logged_in'] = detail($connection, 'user_id', 'members', 'email', $email);
                        if (isLoggedIn()) {header('Location: /home');}
                    }
                }
            } else {
                $error = 'Please enter an email and password.';
            }
        }
        require 'users/database/disconnect-database.php';
    ?>
<html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
        <form action="/login" method="POST">
            <?php // Re-displayed values are HTML-escaped (and default to '' on a plain GET) so submitted input cannot break out of the attribute ?>
            <input placeholder="Email" value="<?php echo isset($email) ? htmlspecialchars($email, ENT_QUOTES, 'UTF-8') : ''; ?>" type="text" name="login_email"><br>
            <input placeholder="Password" value="<?php echo isset($password) ? htmlspecialchars($password, ENT_QUOTES, 'UTF-8') : ''; ?>" type="password" name="login_password"><br>
            <input type="submit" value="Login">
        </form>
    </body>
</html>
```

I know connect-database.php and disconnect-database.php work, and here are the contents of database-functions.php:

```php
<?php
    $inactive_session = 7200; // seconds of inactivity before the session is dropped

    function sanitize($connection, $data) {
        return mysqli_real_escape_string($connection, $data);
    }
    // true if at least one row of $table has $row = $value
    function exists($connection, $detail, $table, $row, $value) {
        $query = mysqli_query($connection, "SELECT `$detail` FROM `$table` WHERE `$row` = '$value'");
        $count = mysqli_num_rows($query);
        return ($count >= 1) ? true : false;
    }
    function generate($password) {
        $password = hash('sha512', $password);
        return $password;
    }
    // relies on session_start() having already been called on the current request
    function isLoggedIn() {
        if (isset($_SESSION['logged_in'])) {
            return true;
        } else {
            return false;
        }
    }
    // returns column $detail of the first row of $table where $row = $value
    function detail($connection, $detail, $table, $row, $value) {
        $query = mysqli_query($connection, "SELECT `$detail` FROM `$table` WHERE `$row` = '$value'");
        $associate = mysqli_fetch_assoc($query);

        return $associate[$detail];
    }
    function login($connection, $email, $password) {
        $query = mysqli_query($connection, "SELECT `email`, `password` FROM `members` WHERE `email` = '$email' AND `password` = '$password'");
        $count = mysqli_num_rows($query);
        if ($count >= 1) {
            return true;
        } else {
            return false;
        }
    }
    function logout() {
        unset($_SESSION['logged_in']);
        session_unset();
        session_destroy();
    }
?>
```

Am I correct that the session_start() and any other $_SESSION[''] variables need to go before the <html> tag? Here is the code that I put before the <html> tag in each page:

```php
<?php
    include 'users/database/database-functions.php';
    ini_set('session.gc_maxlifetime', $inactive_session);

    session_start();

    if (isset($_SESSION['session']) && (time() - $_SESSION['session'] > $inactive_session)) {
        logout();
    }
    $_SESSION['session'] = time(); // Update session
?>
```

Leave a comment if there is any other info that you need and thanks so much for anyone's help. I've been working on this for a long time and am still new to session handling and functions.

Just to make it clear, my problem is that when I enter the ___correct___ info to /login and click the login button, it redirects to the /home page as it should do and it shows signed-in.php in the header, but when I reload /home it shows membership-container.php.

If it helps at all, after I have reloaded the home page (after logging in), it still shows the PHPSESSID cookie, just as it does when it shows signed-in.php. It also says that the cookie expires "when the browsing session ends." I don't know if that means anything, but the fact that it still shows the PHPSESSID cookie could mean that the session is still alive and that the error is in my isLoggedIn() function.

Also it might help to see what exactly is inside the header:

```php
<?php if (isLoggedIn()) {
    include 'signed-in.php';
} else {
    include 'membership-container.php';
} ?>
```

Thank you anyone who helps me out with this.
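A minimal session bootstrap, added here as an illustration and not the asker's code, showing the ordering the question asks about: the cookie and ini settings, then `session_start()`, run as the very first statement of every page, before the doctype or any other output, and the inactivity check, login and logout steps that the question spreads over several files are collected in one place. The function names (`startSecureSession`, `loginUser`), the session keys `user_id`/`last_seen`, and the PHP 7.3+ array forms of `session_set_cookie_params()` and `setcookie()` are assumptions made for this example.

```php
<?php
// Added illustration, not the asker's code. Save as e.g. session.php and make
//   require 'session.php'; startSecureSession();
// the first statement of every page, before the doctype or any other output.
declare(strict_types=1);

const INACTIVE_SESSION = 7200;   // seconds of inactivity before a forced logout

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                   // already started on this request
    }
    // Cookie settings must be in place BEFORE session_start() sends the cookie.
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie, like the question's PHPSESSID
        'path'     => '/',
        'secure'   => true,       // only sent over HTTPS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');            // refuse ids the server never issued
    ini_set('session.gc_maxlifetime', (string) INACTIVE_SESSION);
    session_start();

    // Idle timeout: checked once here instead of in every page's header.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > INACTIVE_SESSION) {
        logout();
        session_start();          // continue with a fresh, empty session
    }
    $_SESSION['last_seen'] = time();
}

function isLoggedIn(): bool
{
    return isset($_SESSION['user_id']);
}

function loginUser(int $userId): void
{
    // A new id on login means an id planted before authentication (session
    // fixation) is never promoted to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser too; session_destroy() alone leaves it
        // in place, which is why a PHPSESSID cookie can outlive the server-side data.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```

With this layout the header include can keep its `if (isLoggedIn())` branch unchanged; what matters is that nothing, not even `<!DOCTYPE html>`, is emitted before `startSecureSession()` has run, otherwise the session cookie header is never sent and each request starts with a new, empty session.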

BestAnswer
  • Sidenote : your password hashing function is totally useless, one round of SHA-1 (or SHA-512 if we look at the second code you posted) with no salt will be broken instantly. –  May 28 '14 at 03:10
  • @André You mean if I wrote `echo sha1($encrypted_password);` it would display the original password? I don't know what you mean. – BestAnswer May 28 '14 at 03:15
  • _“Am I correct that the session_start() and any other $_SESSION[''] variables need to go before the `<html>` tag?”_ – only `session_start` has to be called before any _output_ is made (unless output buffering is on) – but you failed to comply with that in your login page already, because you have the doctype before it. – CBroe May 28 '14 at 03:17
  • @CBroe Oh, so it has to go even before the `<!DOCTYPE html>`! I wonder if that could be the problem, because it is after the doctype on all of the pages! – BestAnswer May 28 '14 at 03:19
  • _“it still shows the PHPSESSID cookie”_ – that’s no surprise, but doesn’t mean anything – what _value_ it has would be of interest, because only if it still contains the same session id as before PHP was able to pick up the existing session again. If that’s not the case, that would mean PHP has started a _new_ session. – CBroe May 28 '14 at 03:19
  • 1
    The password is hashed so no, your example won't display the plaintext password. However since it's only a single round of SHA1 it's trivial to bruteforce, and it's even more trivial since there's no salt. [Don't roll your own crypto or password hashing](http://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own) and [use robust password-hashing functions](http://stackoverflow.com/a/20813267/2629998). –  May 28 '14 at 03:20
  • @CBroe it has the same session id first right after I have logged in and it shows `signed-in.php` and after I reload it and it shows `membership-container.php`. What does that mean? – BestAnswer May 28 '14 at 03:23
  • I’d suggest you first of all take out your auto-logout stuff – to see if maybe that’s the problem here. And if that’s not it, you will have to do some further debugging. – CBroe May 28 '14 at 03:30
  • @CBroe, it still isn't working after taking out the auto-logout stuff?... hmm – BestAnswer May 28 '14 at 04:11
  • @CBroe Another interesting fact. After I use the function `logout()`, it still has a `PHPSESSID` and it has the same id as before I logged out. I don't think that's right. – BestAnswer May 28 '14 at 14:51
  • Does the fact that I see a `PHPSESSID` in the site cookie mean that there is a session active? – BestAnswer May 28 '14 at 22:32
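On the hashing point raised in the comments (one unsalted round of SHA-1, or SHA-512 in `generate()`), the added example below, which is not the asker's code, shows the replacement PHP ships with: `password_hash()`/`password_verify()` (bcrypt by default, with the salt and cost stored inside the hash string), a transparent upgrade of existing sha1 hashes at the user's next successful login, and prepared statements in place of the interpolated `SELECT ... WHERE email = '$email'` queries from database-functions.php. The PDO connection, the `members` table layout (`id`, `email`, `password_hash`, `active`), the `sha1:` legacy marker and PHP 8 (`str_starts_with`) are assumptions made for this example; the rows in `demo()` are constructed.

```php
<?php
// Added illustration, not the asker's code. Assumes PHP 8 and a PDO connection.
declare(strict_types=1);

// Legacy sha1 hashes are stored with this marker so they can be told apart from bcrypt.
const LEGACY_PREFIX = 'sha1:';

function hashPassword(string $password): string
{
    // bcrypt by default; a random salt and the cost factor are embedded in the result,
    // so two users with the same password get different hashes.
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Check $password against $stored. Returns null when it does not match, otherwise
 * the hash that should be stored from now on: $stored unchanged, or a fresh bcrypt
 * hash when $stored was a legacy sha1 value or was made with an outdated cost.
 */
function verifyAndUpgrade(string $password, string $stored): ?string
{
    if (str_starts_with($stored, LEGACY_PREFIX)) {
        // The old scheme is reproduced only to migrate away from it.
        $legacy = substr($stored, strlen(LEGACY_PREFIX));
        return hash_equals($legacy, sha1($password)) ? hashPassword($password) : null;
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    return password_needs_rehash($stored, PASSWORD_DEFAULT) ? hashPassword($password) : $stored;
}

/**
 * Returns the user id on success, null otherwise. One generic failure path avoids
 * revealing whether the e-mail or the password was the wrong part.
 */
function authenticate(PDO $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash, active FROM members WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the e-mail is unknown so the timing is similar.
    $stored  = $row['password_hash'] ?? hashPassword('dummy-' . bin2hex(random_bytes(8)));
    $newHash = verifyAndUpgrade($password, $stored);
    if ($row === false || $newHash === null || (int) $row['active'] !== 1) {
        return null;
    }
    if ($newHash !== $stored) {
        $upd = $db->prepare('UPDATE members SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => $newHash, ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Self-contained demonstration on an in-memory SQLite table with constructed rows.
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT, active INTEGER)');
    $ins = $db->prepare('INSERT INTO members (email, password_hash, active) VALUES (?, ?, ?)');
    $ins->execute(['new@example.com', hashPassword('hunter2'), 1]);
    $ins->execute(['old@example.com', LEGACY_PREFIX . sha1('hunter2'), 1]);   // as the question's code stores it
    $ins->execute(['inactive@example.com', hashPassword('hunter2'), 0]);

    $oldUser  = authenticate($db, 'old@example.com', 'hunter2');
    $migrated = $db->query("SELECT password_hash FROM members WHERE email = 'old@example.com'")->fetchColumn();

    return [
        'bcrypt_user'     => authenticate($db, 'new@example.com', 'hunter2'),      // 1
        'wrong_password'  => authenticate($db, 'new@example.com', 'hunter3'),      // null
        'legacy_user'     => $oldUser,                                             // 2
        'legacy_migrated' => !str_starts_with($migrated, LEGACY_PREFIX)
                             && password_verify('hunter2', $migrated),             // true
        'inactive_user'   => authenticate($db, 'inactive@example.com', 'hunter2'), // null
        'unknown_email'   => authenticate($db, 'nobody@example.com', 'hunter2'),   // null
    ];
}

var_dump(demo());
```

The upgrade-on-login step is what makes the migration practical: no plaintext passwords are available to rehash in bulk, so each legacy hash is replaced the first time its owner authenticates, and `password_needs_rehash()` lets the bcrypt cost be raised later without any further schema change.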

0 Answers