(PHP) User is being forced to RE-LOGIN after trying to do something on an admin page

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by hatorade on Stack Overflow See other posts from Stack Overflow or by hatorade
Published on 2010-03-22T20:27:40Z Indexed on 2010/03/22 20:31 UTC
Read the original article Hit count: 269

Filed under:
|

I have created an admin panel for a client in PHP, which requires a login. Here is the code at the top of the admin page requiring the user to be logged in:

admin.php

<?php
session_start();
require("_lib/session_functions.php");
require("_lib/db.php");
db_connect();


//if the user has not logged in
if(!isLoggedIn())
{
    header('Location: login_form.php');
    die();
}
?>

Obviously, the if statement is what catches them and forces them to log in. Here is the code on the resulting login page:

login_form.php

<form name="login" action="login.php" method="post">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>

Which posts info to this controller page:

login.php

<?php
session_start(); //must call session_start before using any $_SESSION variables
include '_lib/session_functions.php';

$username = $_POST['username'];
$password = $_POST['password'];

include '_lib/db.php'; 
db_connect(); // Connect to the DB

$username = mysql_real_escape_string($username);

$query = "SELECT password, salt
        FROM users
        WHERE username = '$username';";
$result = mysql_query($query);

if(mysql_num_rows($result) < 1) //no such user exists
{
    header('Location: login_form.php?login=fail');
    die();
}

$userData = mysql_fetch_array($result, MYSQL_ASSOC);
db_disconnect();
$hash = hash('sha256', $password . $userData['salt']);

if($hash != $userData['password']) //incorrect password
{
    header('Location: login_form.php?login=fail');
    die();
}
else
{
    validateUser(); //sets the session data for this user
}

header('Location: admin.php');

?>

and the session functions page that provides login functions contains this:

session_functions.php

<?php
function validateUser()
{
    session_regenerate_id (); //this is a security measure
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $username;
}

function isLoggedIn()
{
    if($_SESSION['valid'])
        return true;

    return false;
}

function logout()
{
    $_SESSION = array(); //destroy all of the session variables
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy();
}
?>

I grabbed the sessions_functions.php code of an online tutorial, so it could be suspicious.

Any ideas why the user logs in to the admin panel, tries to do something, is forced to re-login, and THEN is allowed to do stuff like normal in the admin panel?

© Stack Overflow or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about php

Related posts about login

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle