Help: Users can login and access their account, but not content?



mucky1215
08-18-2008, 01:41 PM
Hello,

I've created a user system for my website that's not yet released. It allows you to register, log in and access the control panel, but the only problem with it is that on user-only content it displays "Not Logged in...", but they are logged in. When you go to, for example, http://users.domain.com/cp.php, it will display their account data that was previously stored using the '$_SESSION' variable.

I don't know if I've done something wrong with defining the $_SESSION['var'] or with the PHP code to display content that is only accessible to registered users:



<?php
if(isset($_SESSION['uid'])){

echo 'Logged in as '.$_SESSION['s_username'].', <a href="logout.php">logout</a>';

} else {

echo 'Not logged in...';

}
?>

Above is what I use to display hidden content, but it only shows 'Not Logged in...'.

And here is the code when the $_SESSION['var'] are defined:



if($row['activated'] > 0)
{

$_SESSION['s_logged_n'] = 'true';
$_SESSION['uid'] = $row['uid'];
$_SESSION['loggedon'] = $row['lastsigned'];
$_SESSION['lastupdate'] = $row['lastupdate'];
$_SESSION['s_pass'] = md5($row['password']);
$_SESSION['s_username'] = $username;


Well, that's half of the code. I would appreciate it if anyone could help me fix this problem!

Regards,
Ben

fileserverdirect
08-18-2008, 02:16 PM
mucky1215,
Are you sure that the user has logged in correctly? Is there any other page that shows
"Logged in as Test, <a href="logout.php">logout</a>" in your code, or is this the only page in which the user has to log in? It would be nice to know if this was the only page causing the problem, or if it was just an error with your login script.

mucky1215
08-18-2008, 02:25 PM
Well, I can say that the login page shows the user is logged in, but other pages display 'Not Logged in...'. I don't think it's an error with my login script to be honest, but I could be wrong. Here's the script I use for the login page where it shows them logged in:



<?php

if($_SESSION["s_username"]){

?>

<p><b>Notice:</b> You are already logged in as <b><?php echo $_SESSION['s_username'] ?></b>... Please go to your <a href="http://users.domain.com/cp.php">Control Panel</a></p>

<?php
} else {

echo 'Not Logged in...';

}

?>


Every page has this before any html is outputted:



<?php session_start(); ?>


What could possibly be causing this problem?

Regards,
Ben

mucky1215
08-18-2008, 04:14 PM
Any ideas or a way of fixing this problem? Would appreciate any help :).

fileserverdirect
08-18-2008, 04:28 PM
I am now pretty sure that there is an error with your login system (with MySQL).
Please post your login page here. I do not understand the point of the "Activated" if statement: is that if the user verified email, or if the user is logged on? If you have a link to your problematic code please post it here :)

mucky1215
08-18-2008, 04:43 PM
For the question regarding the "Activated" if statement: when the user first registers on the website, you are not active, so you have to verify your account via email. Hope that answers your question.

And for the login script here it is:



<?php

include 'd/user.connect.inc.php';

if(isset($_POST['login']))
{

$username = trim(addslashes($_POST['username']));
$password = md5(trim($_POST['password']));
$confpass = $_POST['confpass'];
$date = date("l jS F Y, g:i:s a");

$query = mysql_query("SELECT * FROM Users WHERE username = '$username' AND password = '$password' LIMIT 1") or die(mysql_error());
$lastsigned = mysql_query("UPDATE Users SET lastsigned = '$date' WHERE username = '$username'") or die(mysql_error());
if(mysql_num_rows($query) == 0)
{
echo '<b>ERROR:</b> We could not find that account, please make sure you have the correct username &amp; password. <br />[<a href="http://users.domain.com/forgotpwd.phtml">Forgot Password</a>] - [<a href="http://users.domain.com/resendemail.phtml">Resend Activation Email</a>]';
include ('footer.php');
exit;
}

$row = mysql_fetch_array($query);

// now we check if they are activated

if($row['attempts'] == '3')
{
echo '<img alt="locked" src="images/icon_padlock.gif" /> Your account has been locked for security purposes, please contact as soon as possible. => <b>'.$row['attempts'].'/3</b> Failed Login Attempts <br />(An email has been sent to you, please check your emails)';
$to = ''.$row['name'].' <'.$row['email'].'>';
$subject = ''.$row['username'].', your account has been locked...';
$message = '
<html>
<body>
<span style="font-size:9pt;font-family:sans-serif;">
Dear <b>'.$row['name'].'</b>,<br /><br />
We are sorry to inform you that your account was locked due to three failed login attempts, this is a security procedure in order to prevent account abuse and hacking attempts.<br />
Once your account is locked it will remain locked, until a member of staff reviews the issue and gets back to you.<br /><br />
Please contact us as soon as possible to resolve this issue.<br /><br />
Username: <b>'.$row['username'].'</b><br >
Email: <b>'.$row['email'].'</b><br />
Failed Attempts: <b>'.$row['attempts'].'/3</b><br /><br />
Kind regards,<br >
Website Team,<br />
www.domain.com
</span>
</body>
</html>
';

$header = "MIME-Version: 1.0\n"; // first assignment: start the header string here rather than appending to an undefined variable
$header .= "From: Xbox Daily <accounts@domain.com>\nContent-Type: text/html; charset=windows-1252\n";
$header .= "Reply-To: Xbox Daily <support@domain.com>\n";
$header .= "X-Mailer: PHP/".phpversion();

$send = mail($to, $subject, $message, $header);

include ('footer.php');
exit;
}

if($_POST['password'] !== $_POST['confpass'])
{
$upd = mysql_query("UPDATE Users SET attempts = attempts +1 WHERE username = '$username'") or die(mysql_error());
echo '<b>ERROR:</b> Both passwords did not match please check for any uppercase or lowercase characters. <b>'.$row['attempts'].'/3</b> Failed Login Attempts';
include ('footer.php');
exit;
}

if(mysql_num_rows($query) > 0)
{

if($row['activated'] > 0) //checks to see if the user is activated or not.
{

$_SESSION['s_logged_n'] = 'true';
$_SESSION['uid'] = $row['uid'];
$_SESSION['loggedon'] = $row['lastsigned'];
$_SESSION['lastupdate'] = $row['lastupdate'];
$_SESSION['s_pass'] = md5($row['password']);
$_SESSION['s_username'] = $username;
$_SESSION['s_name'] = $row['name'];
$_SESSION['s_email'] = $row['email'];
$_SESSION['s_dob'] = $row['dob'];
$_SESSION['s_reg'] = $row['registered'];
$_SESSION['s_act'] = $row['actkey'];
$_SESSION['msnim'] = $row['msnim'];
$_SESSION['aim'] = $row['aim'];
$_SESSION['yim'] = $row['yim'];
$_SESSION['int'] = $row['interests'];
$_SESSION['hobs'] = $row['hobbies'];
$_SESSION['xbl'] = $row['xblt'];
$_SESSION['fel'] = $row['feeling'];
$_SESSION['ht'] = $row['hometown'];
$_SESSION['ocu'] = $row['occupation'];
$_SESSION['web'] = $row['website'];


echo '<meta http-equiv="refresh" content="4;url=http://users.domain.com/ucp.php">';
echo '<div id="login"><img alt="logging in" src="http://users.domain.com/images/19-1.gif" /><br /><h4>'.$row['username'].'... Signing In</h4><span style="font-size:x-small;font-family:sans-serif;">If this takes longer than 5 minutes, please click <a href="http://users.domain.com/ucp.php">here</a>.</span></div>';

} else {

echo '
<div id="error"><b>ERROR:</b> You need to activate your account, before logging in... Please check your emails for further instructions!</div>';

}

} else {

echo '<b>ERROR:</b> There was a problem proccessing your details, please try again later...';

}

} else {

}

?>


Hopefully this will help you in determining where the issue is coming from, but as I said it logs the user in successfully and allows them to access the Control Panel and edit their account (e.g. Password, Email, Profile, etc).

And on the login page, it actually shows the person they are still logged in but as the login page was the first page to register the $_SESSION['var'] variables.

I just can't understand why the login page works by showing they are logged in and not the other pages??? I would so much appreciate it if you could help me in solving this issue!

Regards,
Ben

fileserverdirect
08-18-2008, 05:08 PM
Try first adding an echo $_SESSION['password']; to see if they are set on the next page. If that does not work, maybe adding session_start(); to the top of the page would solve it. The session variables may not work correctly if the session has not been started. If that does not work, I would try just accessing the database directly by using this example (with $rows already defined):

Your password is <?php echo $rows['password']; ?>

-Ben (Yeah, my name is Ben too)

mucky1215
08-18-2008, 05:27 PM
Just tried echoing


<?php echo $_SESSION['s_pass']; ?>

And it shows the user password but in md5 format. I tried the other method by echoing


<?php echo $row['password']; ?>

And it showed nothing whatsoever. I don't know if this is a MySQL database issue or something isn't doing what it's supposed to do.

And <?php session_start(); ?> is at the very top of the page before any HTML, and this is on every page.

Any ideas???

Nice to meet you Ben :p :D

fileserverdirect
08-18-2008, 08:01 PM
O.K., you may not have the database set up on the page that you are testing, so $rows['s_pass']; may not work. If the $_SESSION password variable works, then use that, just do:


$_SESSION['s_pass'] = md5($_SESSION['s_pass']);

And also, always use session_start(); at the top of the page, even if it is being imported ;)

mucky1215
08-18-2008, 08:28 PM
Well, at least I know the information is being passed through $_SESSION['varname'], but I just ain't getting anywhere with showing the hidden content that my little PHP script holds.

I have to admit this has puzzled me :confused: unless there's something out there to solve this annoying issue... I'll be thinking for a while lol

fileserverdirect
08-18-2008, 09:27 PM
So let me get this straight: if the login system is working, and the variables are being set, then the Control Panel must be the problem. Paste that code here, and maybe there is something wrong there. :)

mucky1215
08-18-2008, 10:24 PM
Here's what is at the top of Control Panel:



<?php
session_start();
if($_SESSION['logged'] == 1){
include 'd/user.connect.inc.php';
?>


$_SESSION['logged'] is defined when logged in, if the value is less than 1 (e.g. 0) it will redirect the user back to the sign in page.

Here's what is at the bottom of the page:



<?php
} else {
header("Location: signin/index.phtml");
}
?>


Then that's about it really, the rest is just echoing the $_SESSION data that was set previously when the user logged in.

I hope this helps. If you need any more of my script to work out this problem then just ask :).

I'm currently doing a few adjustments to the code, to see if that will fix this problem but still no luck yet.

fileserverdirect
08-18-2008, 10:47 PM
You have WAY too many "logged in" variables:
if(isset($_SESSION['uid'])){ and
if($_SESSION['logged'] == 1){ and
if($_SESSION["s_username"]){
they all check the same thing, whether the user is logged in.
Stick with 1 variable, the "logged" one, and change these (blue)


<?php
session_start();
if(isset($_SESSION['logged']) && $_SESSION['logged'] == 1){ // true only when the user is logged in
include 'd/user.connect.inc.php';
?>
html stuff
---
<p><b>Notice:</b> You are already logged in as <b><?php echo $_SESSION['s_username']; ?></b>... Please go to your <a href="http://users.domain.com/cp.php">Control Panel</a></p>
---
More html stuff (if logged in)
<?php
} else {

echo 'Not Logged in...';
?>
More stuff to show if not logged in
<?php
}
?>
other html ending html stuff (both)

and change this (on the login page):


if($row['activated'] > 0) //checks to see if the user is activated or not.
{

$_SESSION['logged'] = '1';


Hope this helps!
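
An added example, not code from either poster: one shared include that owns the session and the "logged in" test, so every page checks the same key instead of `uid`, `logged` and `s_username` in different places. The file name `auth.inc.php` and all function names are hypothetical; the session keys `uid` and `s_username` and the paths `signin/index.phtml` and `logout.php` are taken from the thread.

```php
<?php
// auth.inc.php (hypothetical name): require this at the top of every page.

// Start the session exactly once, before any output is sent.
function auth_start(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// The only place that decides whether the visitor is logged in.
function is_logged_in(): bool
{
    return isset($_SESSION['uid']) && is_int($_SESSION['uid']);
}

// Call once, after the credentials and the activated flag were verified.
// $row is the user's database row (assumed to contain uid and username).
function log_in(array $row): void
{
    auth_start();
    session_regenerate_id(true);   // fresh session id at login (session fixation)
    $_SESSION = [];                // drop anything set before login
    $_SESSION['uid'] = (int) $row['uid'];
    $_SESSION['s_username'] = (string) $row['username'];
    // No password or password hash is stored in the session; pages that
    // need account data load it from the database by uid.
}

// Gate for members-only pages such as cp.php.
function require_login(string $signin = 'signin/index.phtml'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $signin);
        exit;                      // without exit the rest of the page still runs
    }
}

// Banner text for pages that show different content to guests and members.
function login_banner(): string
{
    if (!is_logged_in()) {
        return 'Not logged in...';
    }
    $name = htmlspecialchars($_SESSION['s_username'], ENT_QUOTES, 'UTF-8');
    return 'Logged in as ' . $name . ', <a href="logout.php">logout</a>';
}
```

A members-only page then starts with `require 'auth.inc.php'; auth_start(); require_login();` and prints `login_banner()` where the status line belongs.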