so i'm trying to build my own login system. i made it work fine when the users were stored in an array, but now i'm trying to get it to work with the users stored in a database, and i've run into a bit of a problem.
what happens is if i login with a user that's in the database, my 'require_login' function spits out the 'mysite.com/login?login_required=1' url, as if there is no current_user set. so it seems like 'current_user' is not being set, since it returns the login_required string and not the 'username or pass is incorrect' string.
my login page has these two at the top for returning errors:
PHP Code:
<?php if($_GET['error'] == 1): ?>
Username and/or password are incorrect
<?php endif ?>
<?php if($_GET['login_required'] == '1'): ?>
<h3>Login is required to view this page.</h3>
<?php endif ?>
the login is posted to my authenticating page which looks like so:
PHP Code:
<?php
session_start();
require_once "auth.php";
require_once "../functions/connection.php";
$user_id = credentials_valid($_POST['username'], $_POST['password']);
if($user_id){
    log_in($user_id);
    if($_SESSION['redirect_to']){
        header("Location:" . $_SESSION['redirect_to']);
        unset($_SESSION['redirect_to']);
    }else{
        header("Location: index");
    }
}else{
    header("Location: login?error=1");
    exit("You are being redirected");
}
?>
and the credentials_valid function is described on the auth.php page. auth.php looks like so:
PHP Code:
<?php
function credentials_valid($username, $password){
    $username = mysql_real_escape_string($username);
    $query = "SELECT `id`, `salt`, `password`
              FROM `mods`
              WHERE `username` = '$username' ";
    $result = mysql_query($query);
    if(mysql_num_rows($result)){
        $user = mysql_fetch_assoc($result);
        $password_requested = sha1($user['salt'] . $password);
        if($password_requested === $user['password']){
            return $user['id'];
        }
    }
    return false;
}
function log_in($user){
    $_SESSION['user_id'] = $user_id;
}
function current_user(){
    static $current_user;
    if(!current_user){
        if($_SESSION['user_id']){
            $user_id = intval($_SESSION['user_id']);
            $query = "SELECT *
                      FROM `mods`
                      WHERE `id` = $user_id";
            $result = mysql_query($query);
            if(mysql_num_rows($result)){
                $current_user = mysql_fetch_assoc($result);
                return $current_user;
            }
        }
    }
    return $current_user;
}
function require_login(){
    if(!current_user()){
        $_SESSION['redirect_to'] = $_SERVER["REQUEST_URI"];
        header("Location: ../modcp/login?login_required=1");
        exit("You must log in");
    }
}
?>
and in the header.php for these particular pages i want protected by a login i've put this at the top:
PHP Code:
session_start();
require_once "../functions/connection.php";
require_once "../modcp/auth.php";
$current_user = current_user();
require_login();
but for whatever reason it's not directing me to the page it's supposed to. instead my url turns into login_required=1, which only happens when the current_user isn't set. but i can not for the life of me figure out why it's not being set. does anyone have a clue as to what i'm doing wrong here?
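An added example, not part of the original post: the same auth.php functions with the parameter of log_in() named the same as the variable it stores and the static in current_user() referenced with its `$`, plus bound query parameters, password_verify(), a session id refresh at login and a checked redirect target. It assumes PDO with the sqlite driver; the in-memory `mods` table, the user alice and the helper safe_redirect_target() are constructed for this example, and password_hash() replaces the post's salted sha1.

```php
<?php
// Added example, not the poster's code. Assumes PDO with the sqlite driver; the
// `mods` row is constructed and password_hash() replaces sha1(salt . password).
function credentials_valid(PDO $db, string $username, string $password) {
    // Bound parameter instead of escaping and interpolating the username.
    $stmt = $db->prepare('SELECT id, password FROM mods WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($user && password_verify($password, $user['password'])) ? (int) $user['id'] : false;
}

function log_in(int $user_id): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id at login, against fixation
    }
    $_SESSION['user_id'] = $user_id; // parameter and stored variable share one name
}

function current_user(PDO $db) {
    static $current_user = null;
    // `$current_user` with the `$`: a bare `current_user` is parsed as a constant.
    if (!$current_user && !empty($_SESSION['user_id'])) {
        $stmt = $db->prepare('SELECT id, username FROM mods WHERE id = ?');
        $stmt->execute([(int) $_SESSION['user_id']]);
        $current_user = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    }
    return $current_user;
}

function safe_redirect_target($target, string $default = 'index'): string {
    // Hypothetical helper: accept only a same-site path taken from the session.
    $ok = is_string($target) && preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $target) === 1;
    return $ok ? $target : $default;
}

// Constructed demo data: in-memory database with one moderator.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mods (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->prepare('INSERT INTO mods (username, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$_SESSION = [];
$id = credentials_valid($db, 'alice', 'correct horse');
if ($id !== false) { log_in($id); }
var_dump(current_user($db)['username'] ?? null);
var_dump(credentials_valid($db, 'alice', 'wrong password'));
var_dump(safe_redirect_target('//other.example/x'), safe_redirect_target('/modcp/page'));
```

In the authenticating page, the redirect would use safe_redirect_target($_SESSION['redirect_to'] ?? null) and call exit right after header().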