Making a Login Work After Cache, Cookies, etc. Have Been Cleared

Hello,

I am using the code below for a user login. The first time I try to log in after cache / cookies, etc. have been cleared, the browser refreshes and the user is not logged in. After that, logging in works fine.

Any idea how I can make it work the first time?

Thanks in advance,

John

index.php:

<?php
// Every POST is redirected back to index.php with the submitted credentials
// in the query string; $username and $password are not assigned in this file.
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    header('Location: http://www...com/.../index.php?username='.$username.'&password='.$password.'');
}

require_once "header.php";
include "login.php";
require_once "footer.php";
?>

login.php:

<?php
if (!isLoggedIn())
{
    if (isset($_POST['cmdlogin']))
    {
        if (checkLogin($_POST['username'], $_POST['password']))
        {
            show_userbox();
        } else
        {
            echo "Incorrect Login information !";
            show_loginform();
        }
    } else
    {
        show_loginform();
    }
} else
{
    show_userbox();
}
?>

show_loginform function:

function show_loginform($disabled = false)
{
    echo '<form name="login-form" id="login-form" method="post" action="./index.php?'.$_SERVER['QUERY_STRING'].'">
    <div class="usernameformtext"><label title="Username">Username: </label></div>
    <div class="usernameformfield"><input tabindex="1" accesskey="u" name="username" type="text" maxlength="30" id="username" /></div>

    <div class="passwordformtext"><label title="Password">Password: </label></div>
    <div class="passwordformfield"><input tabindex="2" accesskey="p" name="password" type="password" maxlength="15" id="password" /></div>

    <div class="registertext"><a href="http://www...com/.../register.php" title="Register">Register</a></div>
    <div class="lostpasswordtext"><a href="http://www...com/.../lostpassword.php" title="Lost Password">Lost password?</a></div>

    <p class="loginbutton"><input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" ';
    if ($disabled == true)
    {
        echo 'disabled="disabled"';
    }
    echo ' /></p></form>';
}

header.php includes this:

session_start();

Here are the login credential check functions I'm using:

<?php

#### Login Functions #####

function isLoggedIn()
{
    // session_is_registered() is deprecated; it checks the session for both keys
    if (session_is_registered('loginid') && session_is_registered('username'))
    {
        return true; // the user is logged in
    } else
    {
        return false; // not logged in
    }
}

function checkLogin($u, $p)
{
    global $seed; // global because $seed is declared in the header.php file

    if (!valid_username($u) || !valid_password($p) || !user_exists($u))
    {
        return false; // the name was not valid, or the password, or the username did not exist
    }

    // Now let us look for the user in the database.
    $query = sprintf("
        SELECT loginid
        FROM login
        WHERE
        username = '%s' AND password = '%s'
        AND disabled = 0 AND activated = 1
        LIMIT 1;", mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));
    $result = mysql_query($query);
    // If the database returns 0 rows we know the login information is incorrect.
    // If the database returns 1 row we know the login was correct and we proceed.
    // If the database returns more than 1 row there are multiple users
    // with the same username and password, so the login will fail.
    if (mysql_num_rows($result) != 1)
    {
        return false;
    } else
    {
        // Login was successful
        $row = mysql_fetch_array($result);
        // Save the user ID for use later
        $_SESSION['loginid'] = $row['loginid'];
        // Save the username for use later
        $_SESSION['username'] = $u;
        // Now we show the userbox
        return true;
    }
}

?>

A session doesn't store a file on the user's computer. A session lives on the server.
A -cookie- is a file on the user's computer.

Clearing the browser's cache will always cause this problem - you're manually destroying the session id (which is what gets stored in the cookie), so the server has to treat the user as a new user.

The only way around this would be to do IP-based sessions, which you should not ever do. Ever. Period.

Sessions do use cookies when they can - but it's important to note that a session itself is not stored on the user's computer, only the identifier. That's why it's relatively safe to store things in the $_SESSION array without worrying about a user getting access to it - they don't have the data itself on their computer (as opposed to the user's computer pushing things into $_COOKIE).

What? You are setting a session, which in turn stores a little file on the user's computer. Your script, through the function 'session_is_registered('loginid')', checks if this 'file' exists and matches the data you have provided.

So, when the user clears their cookies, this little file is gone. Thus, you have no 'little file' to indicate the existence of a cookie, therefore your function 'isLoggedIn()' returns false.

There are numerous sources on the web that suggest that Sessions do store a small cookie client side.

“Sessions still use a small cookie - this cookie simply holds a value that uniquely identifies the client to the server” - TuxRadar

"Most sessions set a cookie on your computer to use as a key... it will look something like this: 350401be75bbb0fafd3d912a1a1d5e54." About

PHP sessions can use cookies depending on how you configure them. Have a look at these settings:

session.use_cookies (boolean): specifies whether the module will use cookies to store the session id on the client side. Defaults to 1 (enabled).

session.use_only_cookies (boolean): specifies whether the module will only use cookies to store the session id on the client side. Enabling this setting prevents attacks involved passing session ids in URLs. This setting was added in PHP 4.3.0. Defaults to 1 (enabled) since PHP 5.3.0.

If you disable session cookies, a GET parameter is used instead.
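As an added example (not code from the thread, and not John's), here is the same login flow with the session cookie settings from the replies applied explicitly, isset() on $_SESSION in place of the removed session_is_registered(), and the posted form handled in place instead of redirected with the credentials in the query string. The user table, loginid and password are constructed placeholders, and checkLogin()'s signature is an assumption.

```php
<?php
// Added example, not code from the thread: only the session id lives on the
// client, in a hardened cookie; the login state itself stays in $_SESSION.
// Session settings must be applied before session_start().
ini_set('session.use_only_cookies', '1'); // never accept the id from a URL
ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
session_set_cookie_params([               // array form needs PHP 7.3+
    'lifetime' => 0,     // discarded when the browser closes
    'path'     => '/',
    'secure'   => true,  // sent over HTTPS only
    'httponly' => true,  // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();
// isset() on $_SESSION replaces session_is_registered(), removed in PHP 5.4.
function isLoggedIn(): bool
{
    return isset($_SESSION['loginid'], $_SESSION['username']);
}

// Constructed stand-in for the login table: username => [loginid, hash].
// password_hash() salts per user, unlike the shared $seed in the thread.
$USERS = [
    'john' => ['loginid' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
// Returns the loginid on success, null otherwise (assumed signature).
function checkLogin(array $users, string $u, string $p): ?int
{
    if (!isset($users[$u]) || !password_verify($p, $users[$u]['hash'])) {
        return null;
    }
    session_regenerate_id(true); // fresh id so a pre-login id is never promoted
    $_SESSION['loginid']  = $users[$u]['loginid'];
    $_SESSION['username'] = $u;
    return $users[$u]['loginid'];
}

// Clearing cookies only drops the id; a logout must also clear the server side.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
// Handle the posted form in place; no redirect with credentials in the URL.
if (isset($_POST['cmdlogin']) && !isLoggedIn()) {
    checkLogin($USERS, $_POST['username'] ?? '', $_POST['password'] ?? '');
}
```

With session.use_only_cookies on, a browser that has cleared its cookies simply starts a new, empty session on the next request, and isLoggedIn() returns false until the form is submitted again.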