baconDelta
01-14-2012, 12:44 AM
so i'm trying to build my own login system. i made it work fine when the users were stored in an array, but now i'm trying to get it to work with the users stored in a database, and i've run into a bit of a problem.
what happens is if i login with a user that's in the database, my 'require_login' function spits out the 'mysite.com/login?login_required=1' url, as if there is no current_user set. so it seems like 'current_user' is not being set, since it returns the login_required string and not the 'username or pass is incorrect' string.
my login page has these two at the top for returning errors:
<?php if($_GET['error'] == 1): ?>
Username and/or password are incorrect
<?php endif ?>
<?php if($_GET['login_required'] == '1'): ?>
<h3>Login is required to view this page.</h3>
<?php endif ?>
the login is posted to my authenticating page which looks like so:
<?php
session_start();
require_once "auth.php";
require_once "../functions/connection.php";
$user_id = credentials_valid($_POST['username'], $_POST['password']);
if($user_id){
log_in($user_id);
if($_SESSION['redirect_to']){
header("Location:" . $_SESSION['redirect_to']);
unset($_SESSION['redirect_to']);
}else{
header("Location: index");
}
}else{
header("Location: login?error=1");
exit("You are being redirected");
}
?>
and the
credentials_valid function is described on the auth.php page. auth.php looks like so:
<?php
function credentials_valid($username, $password){
$username = mysql_real_escape_string($username);
$query = "SELECT `id`, `salt`, `password`
FROM `mods`
WHERE `username` = '$username' ";
$result = mysql_query($query);
if(mysql_num_rows($result)){
$user = mysql_fetch_assoc($result);
$password_requested = sha1($user['salt'] . $password);
if($password_requested === $user['password']){
return $user['id'];
}
}
return false;
}
function log_in($user){
$_SESSION['user_id'] = $user_id;
}
function current_user(){
static $current_user;
if(!current_user){
if($_SESSION['user_id']){
$user_id = intval($_SESSION['user_id']);
$query = "SELECT *
FROM `mods`
WHERE `id` = $user_id";
$result = mysql_query($query);
if(mysql_num_rows($result)){
$current_user = mysql_fetch_assoc($result);
return $current_user;
}
}
}
return $current_user;
}
function require_login(){
if(!current_user()){
$_SESSION['redirect_to'] = $_SERVER["REQUEST_URI"];
header("Location: ../modcp/login?login_required=1");
exit("You must log in");
}
}
?>
and in the header.php for these particular pages i want protected by a login i've put this at the top:
session_start();
require_once "../functions/connection.php";
require_once "../modcp/auth.php";
$current_user = current_user();
require_login();
but for whatever reason it's not directing me to the page it's supposed to. instead my url turns into login_required=1, which only happens when the current_user isn't set. but i can not for the life of me figure out why it's not being set. does anyone have a clue as to what i'm doing wrong here?
what happens is if i login with a user that's in the database, my 'require_login' function spits out the 'mysite.com/login?login_required=1' url, as if there is no current_user set. so it seems like 'current_user' is not being set, since it returns the login_required string and not the 'username or pass is incorrect' string.
my login page has these two at the top for returning errors:
<?php if($_GET['error'] == 1): ?>
Username and/or password are incorrect
<?php endif ?>
<?php if($_GET['login_required'] == '1'): ?>
<h3>Login is required to view this page.</h3>
<?php endif ?>
the login is posted to my authenticating page which looks like so:
<?php
session_start();
require_once "auth.php";
require_once "../functions/connection.php";
$user_id = credentials_valid($_POST['username'], $_POST['password']);
if($user_id){
log_in($user_id);
if($_SESSION['redirect_to']){
header("Location:" . $_SESSION['redirect_to']);
unset($_SESSION['redirect_to']);
}else{
header("Location: index");
}
}else{
header("Location: login?error=1");
exit("You are being redirected");
}
?>
and the
credentials_valid function is described on the auth.php page. auth.php looks like so:
<?php
function credentials_valid($username, $password){
$username = mysql_real_escape_string($username);
$query = "SELECT `id`, `salt`, `password`
FROM `mods`
WHERE `username` = '$username' ";
$result = mysql_query($query);
if(mysql_num_rows($result)){
$user = mysql_fetch_assoc($result);
$password_requested = sha1($user['salt'] . $password);
if($password_requested === $user['password']){
return $user['id'];
}
}
return false;
}
function log_in($user){
$_SESSION['user_id'] = $user_id;
}
function current_user(){
static $current_user;
if(!current_user){
if($_SESSION['user_id']){
$user_id = intval($_SESSION['user_id']);
$query = "SELECT *
FROM `mods`
WHERE `id` = $user_id";
$result = mysql_query($query);
if(mysql_num_rows($result)){
$current_user = mysql_fetch_assoc($result);
return $current_user;
}
}
}
return $current_user;
}
function require_login(){
if(!current_user()){
$_SESSION['redirect_to'] = $_SERVER["REQUEST_URI"];
header("Location: ../modcp/login?login_required=1");
exit("You must log in");
}
}
?>
and in the header.php for these particular pages i want protected by a login i've put this at the top:
session_start();
require_once "../functions/connection.php";
require_once "../modcp/auth.php";
$current_user = current_user();
require_login();
but for whatever reason it's not directing me to the page it's supposed to. instead my url turns into login_required=1, which only happens when the current_user isn't set. but i can not for the life of me figure out why it's not being set. does anyone have a clue as to what i'm doing wrong here?