Hey there everyone. I've been working on my new site which is coming along great, and my friend told me that it was bothering him that he had to log in twice before it would count him as logged in. That had been bothering me too, but I had put it on the back burner to write more fun features. Anyways, I snooped around and found out that it could possibly have something to do with either the fact that I redirect the page after confirming login, or the fact that my server might have session.auto_start turned on in the php.ini (which is inaccessible to me, could work through .htaccess). I've been getting pretty frustrated, so any help would be greatly appreciated. Here's the login.php script which is included by index.php (index.php has session_start(); and ob_start(); as the first and second lines respectively, btw.):

```php
<?php
$salt = 'woah, you don\'t get to see that!';
if (isset($_POST['submit'])) {
    $sendpass = md5($_POST['password'].$salt);
    $name = $_POST['username'];
    $query = mysql_query("SELECT * FROM members WHERE username='$name' AND password='$sendpass'");
    if (mysql_num_rows($query)==1) {
        $query2 = mysql_query("SELECT * FROM members WHERE username='$name' AND password='$sendpass'");
        $row = mysql_fetch_array($query2);
        $_SESSION['user'] = $row['username'];
        header("location:http://wanilla.net/site/index.php");
    } else {
        echo 'Sorry, the username and password entered did not match. Please check them and try again.';
    }
}
?>
<table cellpadding="0" cellspacing="0" width="685px" border="0">
  <tr>
    <td valign="top" align="center">
      <img src="images/bar/bar-login.png">
    </td>
  </tr>
  <tr>
    <td bgcolor="#c9c9c9" valign="top" align="center" style="text-align: center; padding-left:10px; padding-right:10px;"><br>
      <center>
        <font size="2" face="sans-serif">Enter your account information below to log in.
        If you don't have a Wanilla account, you can create one <a href="?action=reg">here</a>.<br><br>
        <form method="post" action="?action=login">
          <table border="0" cellspacing="5">
            <tr><td width="50%"><b>Username: </b></font></td><td><input name="username" type="text" value="" size="25"></td></tr>
            <tr><td width="50%"><b>Password: </b><br><font size="-2">Password is case sensitive.</font></td><td><input name="password" type="password" value="" size="25"></td></tr>
            <tr><td align="center" colspan="2" width="100%"><input type="submit" name="submit" value="Submit" /></td></tr>
          </table>
        </form>
        </font>
      </center>
    </td>
  </tr>
</table>
```

Thanks!
Two issues I see:
1.) session_start(); isn't declared? -- EDIT sorry, noticed you said you added that.
2.) You should sanitize the username $_POST variable, could lead to a nasty SQL injection attack. mysql_real_escape_string() will fix that.
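Added example (not code from the thread): the login check from the first post with the username passed as a bound parameter, so quote characters in it are treated as data and never become part of the SQL text. It uses PDO prepared statements rather than the mysql_real_escape_string() call suggested above, replaces the salted md5 with password_hash()/password_verify(), and runs against a constructed in-memory SQLite table; only the `members` table and its `username`/`password` columns come from the post, everything else is assumed.

```php
<?php
// Added example, not code from the thread. Constructed in-memory SQLite table
// standing in for the `members` table; user names and passwords are made up.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');
$add = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
foreach (['alice' => 'correct horse', "o'brien" => 'battery staple'] as $u => $p) {
    $add->execute([$u, password_hash($p, PASSWORD_DEFAULT)]);
}

// Returns the stored username on success, null on any failure.
function check_login(PDO $db, $name, $password)
{
    if (!is_string($name) || !is_string($password)) {
        return null;   // form fields can arrive as arrays (username[]=x)
    }
    // The ? placeholder is bound as data; $name is never spliced into the query.
    $stmt = $db->prepare('SELECT username, password FROM members WHERE username = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['username'];
}

// Constructed stand-ins for $_POST.
$attempts = [
    ['username' => 'alice',   'password' => 'correct horse'],   // valid account
    ['username' => "o'brien", 'password' => 'battery staple'],  // quote in the name
    ['username' => 'alice',   'password' => 'wrong'],           // bad password
    ['username' => ['x'],     'password' => 'correct horse'],   // wrong type
];
foreach ($attempts as $post) {
    $user = check_login($db, $post['username'], $post['password']);
    echo json_encode($post['username']), ' => ',
         $user === null ? 'rejected' : "ok ($user)", "\n";
    // On the real page, a successful login would continue with:
    //   session_regenerate_id(true); $_SESSION['user'] = $user;
    //   header('Location: ...'); exit;
}
```

The `exit` after `header()` matters on the real page: without it the rest of the script, including the login form, keeps running after the redirect header is queued.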
I'm not sure what causes the problem, but if I were you, I would:

- If I'm on a shared host, I would make a custom session handler to store sessions in the database (the default stores them in some file on the shared host, which is not good in any way).
- Try to catch the bug by deleting the header part and replacing it with an echo of something, log in for the first time, and check the session table in the database to see whether some data was written or not.
- If the username is written correctly, then you should probably delete the header part. Moreover, I believe the header has already been sent at session_start() (it must have prompted some error). Delete header(), try redirecting with JavaScript.
- If the username isn't written, then the problem must be the session handlers. Find and use other session handlers.

That should help your problem. BTW, when you write the username to $_SESSION, there is no need to make another query, as $name already stores the correct username. Hope that helps.
Not sure I understand what you mean.

I've tried it without the header redirect. It still requires me to send the form twice. I've tried each different kind of redirect, all with the same result.

I'll give this a shot, thanks.

Hah, that was something that my aforementioned friend threw in for whatever reason. I'll remove it.

Thanks for your help, let's see if any of that works.
If you have a login box on index.php, it is probably loading because the if (isset($_SESSION['user'])) part. So what happens is the session is set, but the script doesn't realize it until after it loads the login box.
Make sure you're not using header to redirect to a different level page. Sometimes when people send to https (secure) they also have the same problem. Is the login page secure? Anytime you switch between different folders, public/private, it could do this. I'm just giving you something to check, to see if the site is switching from www.yoursite.com to yoursite.com and, however the server has its settings, is acting as if they're two separate site domains. That way the person really isn't logged in at yoursite.com; they're logged in at a different server level/folder. Once it redirects them to yoursite.com and then asks them again to log in, then the second time they are logged in at that folder/domain setting. Watch when folders in your server change public/private, and HTTPS; these things usually happen then.
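Added example (not code from the thread): a small model of the browser's cookie host matching, showing how a hard-coded redirect from www.yoursite.com to yoursite.com leaves the session cookie behind, and two ways to keep it. The matching is a simplified form of the RFC 6265 rule (paths, IP hosts and the public-suffix list are ignored), and the function names and allowed-host list are assumptions made for illustration.

```php
<?php
// Added example: would the browser send a cookie set by $setByHost back to
// $requestHost? $domainAttr is the cookie's Domain attribute, null if absent.
function cookie_sent_to($setByHost, $domainAttr, $requestHost)
{
    $requestHost = strtolower($requestHost);
    if ($domainAttr === null) {
        // No Domain attribute: host-only cookie, exact host match required.
        return strtolower($setByHost) === $requestHost;
    }
    $domain = '.' . strtolower(ltrim($domainAttr, '.'));
    return '.' . $requestHost === $domain
        || substr($requestHost, -strlen($domain)) === $domain;
}

// Builds the post-login redirect on the host the visitor is already using.
// An unexpected Host header falls back to the first allowed host, so the
// header value is never echoed into Location unchecked.
function login_redirect($hostHeader, $path, array $allowedHosts)
{
    $host = strtolower($hostHeader);
    if (!in_array($host, $allowedHosts, true)) {
        $host = $allowedHosts[0];
    }
    return 'http://' . $host . $path;
}

$hosts = ['yoursite.com', 'www.yoursite.com'];  // host names used in the post above
$show  = function ($label, $sent) {
    printf("%-55s %s\n", $label, $sent ? 'cookie sent' : 'cookie NOT sent (looks logged out)');
};

// 1. Login posted on www, default host-only session cookie, redirect hard-coded to bare host.
$show('www -> hard-coded yoursite.com', cookie_sent_to('www.yoursite.com', null, 'yoursite.com'));

// 2. Same login, but the redirect stays on the host that issued the cookie.
$target = login_redirect('www.yoursite.com', '/site/index.php', $hosts);
$show("www -> $target",
      cookie_sent_to('www.yoursite.com', null, parse_url($target, PHP_URL_HOST)));

// 3. Session cookie issued with Domain=yoursite.com reaches both hosts.
//    Wider scope: every subdomain of yoursite.com then receives the session id.
$show('Domain=yoursite.com, request to yoursite.com',
      cookie_sent_to('www.yoursite.com', 'yoursite.com', 'yoursite.com'));
$show('Domain=yoursite.com, request to www.yoursite.com',
      cookie_sent_to('www.yoursite.com', 'yoursite.com', 'www.yoursite.com'));
```

In PHP 7.3 and later the Domain attribute of the session cookie is set with `session_set_cookie_params(['domain' => ...])` before `session_start()`; redirecting every request to one canonical host avoids the wider cookie scope altogether.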
Was supposed to be: If you have a login box on index.php, it is probably loading before the if (isset($_SESSION['user'])) part. So what happens is the session is set, but the script doesn't realize it until after it loads the login box.