
We have a login form that is processed by PHP and AJAX. The AJAX sends a request to the PHP page with the username and password to be logged in. It gets a response and, if it's correct and working info, it logs them in:

The PHP page that takes requests has this code:

    echo (checkLogin($_POST['user'], $_POST['pass']) ? 'true' : 'false');
    if(checkLogin($_POST['user'], $_POST['pass']) == true)
        logIn($_POST['user'], $_POST['pass']);

The functions used in that statement:

    function logIn($user, $pass)
    {
        $_SESSION['sid'] = md5(md5($user) . md5($pass));
        $_SESSION['username'] = $user;
        $_SESSION['password'] = $pass;
    }

    function checkLogin($user, $pass)
    {
        $user = strtolower($user);
        $pass = strtolower($pass);

        $res = mysql_query("SELECT * FROM users WHERE username='".$user."'");
        if(mysql_num_rows($res) == 1)
        {
            $data = mysql_fetch_assoc($res);
            if($data['pass'] == aCrypt($pass))
            {
                return true;
            }
            else
            {
                return false;
            }
        }
        else
        {
            return false;
        }
    }

Now, it seems that the session is started and only able to be seen AFTER the user reloads the page. We need it to start the session right on the page... would we need to refresh the entire page with AJAX? I don't really know where to go from here.

Mitchell M
  • Please look up SQL injection (http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain) and also consider using `session_regenerate_id` after login to prevent session fixation attacks (http://en.wikipedia.org/wiki/Session_fixation). – El Yobo May 23 '11 at 01:51

1 Answer

You probably want to use the Post-Redirect-Get pattern; after the user is successfully authenticated, use a redirect to send him to a new page.

As I noted above, please look into fixing the SQL injection and session fixation vulnerabilities in your code as well.

El Yobo
  • SQL injection is already fixed. At the top of the userActions page all of the post data is sanitized with a custom function I wrote up. Thanks though. – Mitchell M May 23 '11 at 16:51
  • Doing it that way is going to cause you pain in the long run (mainly because you have to always do it right). Look into prepared statements with PDO; it's easier and safer. – El Yobo May 23 '11 at 22:04
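
Added example, not part of the original thread or either poster's code: the login handler rebuilt around the three points raised above (a PDO prepared statement, `session_regenerate_id` at login, and a `'true'`/`'false'` reply the client acts on by loading a new page). It assumes PDO's SQLite driver, a `users(username, pass)` table whose `pass` column holds `password_hash()` output, and a hypothetical `handleLogin()` wrapper; the account and inputs at the bottom are constructed.

```php
<?php
// Added example, not the posters' code. Assumptions: PDO's SQLite driver, a
// users(username, pass) table, and pass holding password_hash() output
// (the page's aCrypt() is not shown, so password_verify() stands in for it).

function checkLogin(PDO $db, string $user, string $pass): bool
{
    // The bound parameter keeps $user out of the SQL text entirely.
    $stmt = $db->prepare('SELECT pass FROM users WHERE username = :u');
    $stmt->execute([':u' => strtolower($user)]);
    $hash = $stmt->fetchColumn();
    // Unknown user: fetchColumn() returns false, so fail closed.
    return is_string($hash) && password_verify($pass, $hash);
}

function logIn(string $user): void
{
    // A fresh session id at login defeats session fixation.
    session_regenerate_id(true);
    // Store identity only; the password never goes into the session.
    $_SESSION['username'] = strtolower($user);
}

function handleLogin(PDO $db, array $post): string
{
    $user = $post['user'] ?? '';
    $pass = $post['pass'] ?? '';
    if (!is_string($user) || !is_string($pass) || !checkLogin($db, $user, $pass)) {
        return 'false';
    }
    logIn($user);
    return 'true'; // on 'true' the client loads a new page, which sees the session
}

// Constructed demo data: in-memory database with one account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

session_start();
$results = [
    handleLogin($db, ['user' => "o'neil", 'pass' => 'x']),          // quote is data
    handleLogin($db, ['user' => 'alice', 'pass' => 'wrong']),
    handleLogin($db, ['user' => 'Alice', 'pass' => 'correct horse']),
];
echo implode(' ', $results), "\n";
```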