I’m having a little trouble implementing a login system that both allows users to be rememebered via cookie but at the same time not allow unauthorized access using site URL
here is my code for successful_login, the problem lies here as I get a redirect error:
<?php
session_start();
// IF USER NOT REMEMBERED OR NO SESSION THEN THROW HIM OUT TO LOGIN
if (!isset($_SESSION['valid'])|| !isset($_COOKIE['myusername']))
{
header("Location: index.php");
}
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="*****"; // Mysql password
$db_name="secure_login"; // Database name
$tbl_name="users"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$sql="SELECT * FROM $tbl_name WHERE username='$myusername'";
$result=mysql_query($sql);
?>
the session works but as soon as I close the browser and reopen it to my site I get a REDIRECT LOOP
here is the code that processes my form:
<?php
session_start();
//CHECK IF EITHER SESSION OR COOKIE EXISTS THEN REDIRECT TO LOGIN_SUCCESS ELSE CONTINUE TO FORM
function loggedin()
{
if (isset($SESSION['valid']) || isset($_COOKIE['myusername']))
{
$loggedin = TRUE;
return $loggedin;
}
}
if (loggedin())
{
header("Location: login_success.php");
}
// REST OF CODE IS PROCESSED AFTER USER CLICKS SUBMIT ON LOGIN FORM
if(isset($_POST['submit']))
{
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="*****"; // Mysql password
$db_name="secure_login"; // Database name
$tbl_name="users"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['username'];
$mypassword=$_POST['password'];
$rememberme=$_POST['rememberme'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$encrypted_mypassword=md5($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
if(mysql_num_rows($result) == 1) //user exists
{
if ($rememberme=="on"){
setcookie("myusername", $myusername, time()+7200);
}
elseif ($rememberme==""){
$_SESSION['valid'] = 1;
}
header('Location: login_success.php');
exit();
}
if($myusername=="phillip.k@fixnode.ca" && $encrypted_mypassword=="a66d83940f5d22fa54ee51ce"){
header('Location: register.php');
}
else {
echo '<div class="alert">Incorrect Username or Password!</div>';
}
}
?>
so basically to wrap up, when a user enters a valid username and password AND clicks remember me then I like for the browser to redirect to login_success even if the user closes the browser (i.e. COOKIE from remember me button). But right now if a user closes a browser and reopens my site then the user gets a REDIRECT LOOP probably because of the cookie
ANY help is greatly appreciated
Phillip K
The problem is here:
if (!isset($_SESSION['valid'])|| !isset($_COOKIE['myusername']))Instead of ||, you should have &&. You never have them both set in the same time, hence the redirection loop.
Another problem I found quickly is you never seem to update the cookie “myusername” when user visits the page.
As suggested, you could use an existing solution but if you really want to do it yourself I would highly suggest splitting that code into reusable functions/classes.
Md5 is not a safe way to store user passwords, you should use bcrypt or similar existing solution.
I would also confirm the IP between each page visit as a countermeasure against session hijacking (this would require storing the session data on a database which is a good idea anyway).