staying logged in (cookie expiring/resetting issue)
i have an issue with my login script. what's happening is that the way it's working, it's causing the user to be logged out immediately after a successful login. i don't know how to fix this. for some reason the nav bar, which changes based on if you're logged in or out, is showing that one is logged out when loading the login success page. the next page shows the logged in nav bar, and the pageload after one is back to being logged out (showing in the nav bar).
i don't understand what's causing the logout to occur so fast since it's not time dependent. i've added (and since removed) a number of debugging lines thinking it was the expiration time on the cookies, but it's not. that's being done right. for some reason it's getting reset.
since the functions that are involved are various and many, i'm showing the one i think is the most likely culprit below, with a link to a page with just the full functions used and the login script below that. (edited to prevent scrolling)
<?php
if($_COOKIE['login']){ # we're logged in
    $db=mysql_connect($host, $login2, $pass2) or die("cannot access mysql");
    # get the sql connection
    $fyd=mysql_select_db('findyourdesire', $db) or die("cannot connect to db");
    # select the db
    $un=$_COOKIE['un']; $pw=$_COOKIE['pw']; # what we won't change on-the-fly
    $fprefs=mysql_query("SELECT uid, gmt_offset, tds, login_duration, msgs
        FROM users WHERE username='$un' AND password='$pw'", $db); # get the prefs
    if(mysql_num_rows($fprefs)>0){ # we can update the cookies
        $prefs=mysql_fetch_array($fprefs); $gmto=$prefs['gmt_offset'];
        $utds=$tds[$prefs['tds']];
        $duration=$durr[$prefs['login_duration']]; $accepts=($prefs['msgs']*1);
        $uid=$prefs['uid'];
        $expire=(time()+($duration*60));
        setcookie('un', $un, $expire); # set username
        setcookie('pw', $pass, $expire); # set password
        setcookie('login', 1, $expire); # set login
        setcookie('gmto', $gmto, $expire); # set the gmt offset
        setcookie('utds', $rtds, $expire); # set the time display style
        $active=gmdate("Y-m-d H:i:s", time());
        $update=mysql_query("UPDATE users SET last_activity='$active' WHERE
            username='$un'", $db); # try to update users (we don't really care if it fails)
        if($accepts){ # person accepts ims
            if($accepts>5){ # the user wants them ALL
                $fims=mysql_query("SELECT msg_id FROM msgs WHERE to_id='$uid' AND
                    viewed='0'", $db);
                $amtims=mysql_num_rows($fims);
                if($amtims){ # we have ims
                    for($i=0;$i<$amtims;$i++){ # for each im
                        $gimid=mysql_fetch_array($fims); $ims=$gimid['msg_id']; # record the msg_id
                    }
                }
            }else{ # user wants $accepts amount
                $fims=mysql_query("SELECT msg_id FROM msgs WHERE to_id='$uid' AND
                    viewed='0' ORDER BY msg_id ASC LIMIT $accepts", $db);
                $amtims=mysql_num_rows($fims);
                if($amtims){ # we have ims
                    for($i=0;$i<$amtims;$i++){ # for each im
                        $gimid=mysql_fetch_array($fims); $ims=$gimid['msg_id'];
                        # record the msg_id
                    }
                }
            }
        }
    }//else{ cookies('logout'); } # there was an error for some reason
} # end cookie updating
?>
this is an update of a post elsewhere that's moving slowly in helping me solve this. to see what is up at the other place: http://forums.devnetwork.net/viewtopic.php?t=12379
and it's now a two page load set before it drops the person
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
Mark Hensler posted this at 05:07 — 2nd September 2003.
He has: 4,048 posts
Joined: Aug 2000
What was the purpose to this:
<?php
if(isset($_POST['un'])){
if($login){
bgnpg($title); nav(); success($un, $linfo); clspg();
}else{
bgnpg($title); nav(); login($un, TRUE, $error); clspg();
}
}else{
bgnpg($title); nav(); login('', FALSE, FALSE); clspg();
}
?>
Mark Hensler
If there is no answer on Google, then there is no question.
ShaneS posted this at 18:34 — 2nd September 2003.
They have: 93 posts
Joined: Jun 2003
That might be because of this?
if duration is 1, you only setting it for half a day from the Unix epoch, which would be wrong, because we are in the epoch. You need to set the cookie time properly
[Design Alpha] -Web Services : Design,Hosting,Advertising,Software
Ask about custom pricing on hosting!!
Site Assets: [UltraGaming.com] [Blades of Warcraft]
m3rajk posted this at 20:54 — 2nd September 2003.
They have: 461 posts
Joined: Jul 2003
mark: un comes from the user input. the first time it's not set so it simply wants your username and password, but if un was set, then the display is different, depending upon the information set up in the set before hand that does the db stuff, IF the username was set.
shane: the php function time() calls the CURRENT GMT EPOCH TIMESTAMP.
$durr is an array of duration choices. (2,5,15,30,60...) since the choices are in minutes, and $prefs['duration'] is an index, $durr[$prefs['duration']] is the number of minutes, times 60 seconds, added to time() is when i want it to expire. ($duration*60) is seconds that get added to a unix epoch timestamp.
so i'm perplexed as to what you meant by if duration is one it'll be half a day... 1 1 *60 there would be 60 seconds, not half a day, but only ONE MINUTE from when time() is called...i keep reading your post, but something about it escapes me. it's like you think i think it's returning aug 25, 2003, 13:34:45 and i'm adding something to that.
i'm hoping that you were distracted by something because your post makes no sense to me unless you assumed things that are not true starting with me not knowing what a unix timestamp is and how it works. even then it still makes no sense because "if duration is 1, you only setting it for half a day from the Unix epoch, which would be wrong, because we are in the epoch" 60 will not be half a day, and you don't know jack about my $durr array (when you posted that) and "you only setting it for half a day " is a sentence fragment from there that exemplifies how much sense it makes to me
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
Suzanne posted this at 21:13 — 2nd September 2003.
She has: 5,507 posts
Joined: Feb 2000
Back down m3rajk, if you want help, give people all the pieces.
Does your $durr array give the minutes, hours, days, then?
Regardless, the user/pass should be set in the cookie or a session. It should not be in the _POST only or it will be lost, resulting in what you're seeing -- they keep getting "logged out". In reality, unless you're hiding more, they were only briefly allowed to see the logged in condition, they were not actually logged in.
Mark Hensler posted this at 04:49 — 3rd September 2003.
He has: 4,048 posts
Joined: Aug 2000
$_POST cannot be carried between pages. Only $_SESSION and $_COOKIE can store data between page hits. $_SESSION will only retain the value as long as the browser (or a child of the session-initiating browser) stays open, $_COOKIE will only retain the value until the expiration time is reached.
Mark Hensler
If there is no answer on Google, then there is no question.
m3rajk posted this at 18:40 — 4th September 2003.
They have: 461 posts
Joined: Jul 2003
sorry. i just know it's not how i'm setting them initially because the join page has one set on the first step, that was working. i didn't do anything again until the 4th step. but last night there was an issue with that one, even though several people including myself got through it in the past, even after i found this one.. the most recent being the day before.
the dur array is in minutes.
<?php
# login durations
$durr=array(2, 5, 15, 30, 60, (60*2), (60*24), (60*24*365*5));
?>
the login script checks to see if $_POST['un'] is set because if it isn't, you're at the page the first time, if it is, you're trying to login, so it goes through that and figures out what, if any, error you should have....username not found, password doesn't match, or you've logged in. (i realized you can't use cookies the time you log them in, so i'm going to modify the nav bar and where the pages are called so it can set the login to true for the user, but i wanna get the issue with the cookies only lasting one pageload worked out first)
i have one cookie that's working, which is why these cookies not working is extremely frustrating. especially when someone said i'm setting it for half a day when i'm pretty sure i said i have an array of choices in minutes that i multiply by 60 seconds when i add it to time, which is exactly what i was then told to do. that made his post really frustrating because it didn't address anything that i didn't know. maybe if i mentioned that i have the other cookie that works correctly the post would have been better..
i've been trying to fix this since last friday.
i ONLY use cookies for things to carry between pages. i understand what stateless means and that get and post only work for the next page loaded.
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
Mark Hensler posted this at 19:07 — 4th September 2003.
He has: 4,048 posts
Joined: Aug 2000
I still think that this is the problem:
<?php
if(isset($_POST['un'])){
if($login){
bgnpg($title); nav(); success($un, $linfo); clspg();
}else{
bgnpg($title); nav(); login($un, TRUE, $error); clspg();
}
}else{
bgnpg($title); nav(); login('', FALSE, FALSE); clspg();
}
?>
<?php
if(isset($_POST['un'])){
if($login){
bgnpg($title); nav(); success($un, $linfo); clspg();
}else{
bgnpg($title); nav(); login($un, TRUE, $error); clspg();
}
}else{
if ($_COOKIE['un']!='') {
bgnpg($title); nav(); success($un, $linfo); clspg();
}else{
bgnpg($title); nav(); login('', FALSE, FALSE); clspg();
}
}
?>
Mark Hensler
If there is no answer on Google, then there is no question.
m3rajk posted this at 20:17 — 4th September 2003.
They have: 461 posts
Joined: Jul 2003
i realized that's causing some confusion so i changed the login script so that it doesn't use that, and added a function specifically for the login when it's successful to do the navigation bar (it would be a pain in the *** to add something to nav() and go back through about 30 pages and add it to them all).
i hope the change makes things more clear. it's been reflected in the login.issues page
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
Mark Hensler posted this at 04:43 — 5th September 2003.
He has: 4,048 posts
Joined: Aug 2000
Clear as mud. I have no idea what I'm looking at.
I have no idea how you're attempting to track users between pages.
I don't know what code is included where, or anything.
I'm assuming that the login.issue code is included on every page?
At any rate. I still think that you're not checking your cookie data.
I'll re-write a section for you...
<?php
# variables used
$pass=MD5($_POST['pass']); $login=FALSE; $duration=NULL; $title='Login Page'; $error=FALSE; $gmto=NULL;
$uid=NULL; $linfo='';$expire='';
if(isset($_POST['un'])){ # check the db if this isn't the first loading of the page
    $un=$_POST['un']; # what was the passed username?
    $db=mysql_connect($host, $login2, $pass2) or die("cannot access mysql"); # connect
    $fyd=mysql_select_db('findyourdesire', $db) or die("cannot connect to db"); # select the db
    $lookup=mysql_query("SELECT * FROM users WHERE username='$un'", $db);
    if(mysql_num_rows($lookup)){ // we have a user (username is unique, it can only be 1 or 0 returned)
        $info=mysql_fetch_array($lookup); # get all the info associated with the user
        if($pass==$info['password']){ # the passwords match
            $sa=$info['site_access'];
            if((contains($sa, $regulars))||(contains($sa, $desireds))){ # you're not suspended
                $login=TRUE; $duration=$info['login_duration']; $uid=$info['uid']; # set login, cookie duration, uid
                $gmto=$info['gmt_offset']; $rtds=$info['tds']; $utds=$tds[$rtds]; # set the gmt offset & time display
                $now=gmdate("Y-m-d H:i:s", time()); $currip=$_SERVER['REMOTE_ADDR']; # get the new ip
                $update=mysql_query("UPDATE users SET last_login_ip='$currip', last_login_date='$now' WHERE uid='$uid'", $db); # update login date and ip
                $aff=mysql_affected_rows($db);$errno=mysql_errno($db);$error=mysql_error($db);
                $ll=$durr[$duration]; $uts=time(); $exp=gmdate("Y-m-d H:i:s", (time()+(60*$durr[$duration]))); // debugging stuff
                $expire=time()+(60*$durr[$duration]); # set expiration by formula time()+seconds*minutes*hrs*days*yrs
                setcookie('un', $un, $expire); # set username
                setcookie('pw', $pass, $expire); # set password
                setcookie('login', 1, $expire); # set login
                setcookie('gmto', $gmto, $expire); # set the gmt offset
                setcookie('utds', $utds, $expire); # set the time display style
                $linfo="<p>debug:<br />un:$un<br />gmto: $gmto<br />tds: $rtds--$utds<br />login length: $ll, exprire: $expire / $exp, now: $uts / $now</p><p>update: UPDATE users SET last_login_ip='$currip', last_login_date='$now' WHERE uid='$uid'<br />$aff<br />$errno<br />$error"; // debugging stuff
                bgnpg($title); nav2(); success($un, $linfo); clspg(); # show the successful login page
            }else{ bgnpg($title); nav(); login($un, TRUE, 3); clspg(); } # the user is suspended
        }else{ bgnpg($title); nav(); login($un, TRUE, 2); clspg(); } # the submitted password is wrong
    }else{ bgnpg($title); nav(); login($un, TRUE, 1); clspg(); } # there was no user by that name
}else{ bgnpg($title); nav(); login('', FALSE, 0); clspg(); } # no failed login attempt
?>
<?php
// variables used
$duration = NULL;
$title = 'Login Page';
$error = FALSE;
$uid = NULL;
$linfo = '';
$expire = '';
if(isset($_POST['un'])) {
    // check data from login form
    $un = $_POST['un'];
    $pass = md5($_POST['pass']);
    $login = FALSE;
    $gmto = NULL;
}
else {
    // check data from cookie
    $un = $_COOKIE['un'];
    $pass = $_COOKIE['pw']; // the 'pw' cookie already holds the md5 hash set at login
    $login = md5($_COOKIE['login']);
    $gmto = md5($_COOKIE['gmto']);
    $utds = md5($_COOKIE['utds']);
}
$db = mysql_connect($host, $login2, $pass2) or die("cannot access mysql");
$fyd = mysql_select_db('findyourdesire', $db) or die("cannot connect to db");
$lookup = mysql_query("SELECT * FROM users WHERE username='$un'", $db);
if (mysql_num_rows($lookup)==0) {
    // there was no user by that name
    bgnpg($title); nav(); login($un, TRUE, 1); clspg();
    exit;
}
// get all the info associated with the user
$info = mysql_fetch_array($lookup);
if ($pass!=$info['password']) {
    // the submitted password is wrong
    bgnpg($title); nav(); login($un, TRUE, 2); clspg();
    exit;
}
$sa = $info['site_access'];
if (!contains($sa, $regulars) && !contains($sa, $desireds)) {
    // the user is suspended
    bgnpg($title); nav(); login($un, TRUE, 3); clspg();
    exit;
}
// user login via form? or via cookie?
if (isset($_POST['un'])) {
    // set login, cookie duration, uid
    $login = TRUE;
    $duration = $info['login_duration'];
    $uid = $info['uid'];
    // set the gmt offset & time display
    $gmto = $info['gmt_offset'];
    $rtds = $info['tds'];
    $utds = $tds[$rtds];
    // get the new ip
    $now = gmdate("Y-m-d H:i:s", time());
    $currip = $_SERVER['REMOTE_ADDR'];
    // update login date and ip
    $update = mysql_query("UPDATE users SET last_login_ip='$currip', last_login_date='$now' WHERE uid='$uid'", $db);
    $aff = mysql_affected_rows($db);
    $errno = mysql_errno($db);
    $error = mysql_error($db);
    // debugging stuff
    $ll = $durr[$duration];
    $uts = time();
    $exp = gmdate("Y-m-d H:i:s", (time()+(60*$durr[$duration])));
    // set expiration by formula time()+seconds*minutes*hrs*days*yrs
    $expire = time()+(60*$durr[$duration]);
    setcookie('un', $un, $expire); // set username
    setcookie('pw', $pass, $expire); // set password
    setcookie('login', 1, $expire); // set login
    setcookie('gmto', $gmto, $expire); // set the gmt offset
    setcookie('utds', $utds, $expire); // set the time display style
    // debugging stuff
    $linfo = "<p>debug:<br />un:$un<br />gmto: $gmto<br />tds: $rtds--$utds<br />login length: $ll, exprire: $expire / $exp, now: $uts / $now</p><p>update: UPDATE users SET last_login_ip='$currip', last_login_date='$now' WHERE uid='$uid'<br />$aff<br />$errno<br />$error";
}
// user is legit, welcome!
bgnpg($title); nav2(); success($un, $linfo); clspg();
?>
By telling the user that the username doesn't exist, or the password wasn't correct, you're simplifying it for a hacker.
Mark Hensler
If there is no answer on Google, then there is no question.
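Added example, not part of the original thread or any poster's code: the scripts above keep the username and MD5 password hash in cookies, re-set them on every page load, and interpolate them into SQL. This PHP example runs the same stay-logged-in flow with a random server-side session token, prepared statements, and a single failure result for "no such user" and "wrong password", in line with the remark about error messages. The `sessions` table, the column names, the `sid` cookie, the helper names and the sample user are assumptions.

```php
<?php
// Added example, not the thread's code. Table and column names and the 'sid'
// cookie are assumptions; the sample user is constructed. PHP 7.3+, pdo_sqlite.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE,
                                   pw_hash TEXT, login_minutes INTEGER)');
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, uid INTEGER,
                                      expires INTEGER)');
    $db->prepare('INSERT INTO users (username, pw_hash, login_minutes) VALUES (?, ?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 60]);
    return $db;
}

// Returns [token, expiry] or null. Unknown user and wrong password are the same
// outcome, so the caller can only show one generic "login failed" message.
function login(PDO $db, string $un, string $pw): ?array {
    $q = $db->prepare('SELECT uid, pw_hash, login_minutes FROM users WHERE username = ?');
    $q->execute([$un]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash for unknown users so both paths do the same work.
    $ok = password_verify($pw, $row ? $row['pw_hash'] : DUMMY_HASH);
    if (!$row || !$ok) { return null; }
    $token = bin2hex(random_bytes(32));            // random, carries no user data
    $expires = time() + 60 * (int)$row['login_minutes'];
    $db->prepare('INSERT INTO sessions (token_hash, uid, expires) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $row['uid'], $expires]);
    return [$token, $expires];
}

// Per-page check: resolve the cookie token server-side; returns uid or null.
function current_user(PDO $db, string $token): ?int {
    $q = $db->prepare('SELECT uid FROM sessions WHERE token_hash = ? AND expires > ?');
    $q->execute([hash('sha256', $token), time()]);
    $uid = $q->fetchColumn();
    return $uid === false ? null : (int)$uid;
}

function send_session_cookie(string $token, int $expires): bool {
    return setcookie('sid', $token, ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

$db = open_db();
[$token, $expires] = login($db, 'alice', 'correct horse');
send_session_cookie($token, $expires);           // must run before any page output
var_dump(login($db, 'alice', 'wrong'), login($db, 'nobody', 'x')); // wrong password vs. unknown user
var_dump(current_user($db, $token), current_user($db, 'tampered-value'));
```

Because the cookie holds only the opaque token, a page-load routine never has to rewrite user data into cookies, which is the step that went wrong in this thread.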
Suzanne posted this at 15:00 — 5th September 2003.
She has: 5,507 posts
Joined: Feb 2000
Please note how the white space, indents and comments make the script a LOT easier to read and understand? Good practice is something that helps everyone, especially the person needing help!
m3rajk posted this at 16:43 — 5th September 2003.
They have: 461 posts
Joined: Jul 2003
suzanne: noted. i'll try to comment it better.
mark: the only things in all the pages are what's Inside the section denoted as being from the include. the area you're telling has an issue with it being used as post is ONLY on the login page (after the functions from the included file)
since Suzanne has a good point with people trying to hack the site, i'll combine the two. it will make the code more compact, between that and adding comments, maybe with the next update it will be easier to follow what's happening.
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
m3rajk posted this at 19:38 — 5th September 2003.
They have: 461 posts
Joined: Jul 2003
i realized something... there's no debugging things in bgnpg();
well... i added some debugging stuff and think i know what the problem is... the functions doesn't have one of two include files it needs.... so....while everything else was perfectly fine and executing properly....
but.....that didn't fix it.
first page after login:
so it should be lasting an hour for me, right? (all times gmt)
yet... next pageload:
now i'm really stumped.
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
m3rajk posted this at 19:58 — 5th September 2003.
They have: 461 posts
Joined: Jul 2003
found it.
a friend asked me for the bgnpg() function in the include file. pointed me to an extra character in a needed cookie value. when it was updating there was a slight error... probably an accident from putting in the debugging stuff or something like that
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.