Some users having to login Twice to get to restricted area - please help

Hi,

I have a restricted area for customers of my work’s company. This is an area where registered customers with their own user name and password can access to download manuals and technical documents etc.

I am hearing some reports that users will have to login twice to get to the area - This happens in Chrome, IE 7/8 and some Firefox’s.

It has only happened to me once or twice. Does anyone know why this may be?

Any help or ideas would be greatly appreciated.

What are they getting in their browser when they log in the first time?

Hi,

The login form is on the index page. When they log in and submit, the page seems to refresh the index page (or goes back to there).

When they then log in again, it will take them to the restricted directory page

Here is the code for the log in form. This is on the index page:



 <form name="login_form" method="post" action="log.php?action=login">
<p>Login:<br /> <input type="text" name="user" /> </p>

<p>Password: <br /><input type="password" name="pwd" />  </p>

<p class="submit">
 <input type="submit" value="Submit" name="submit" class="submit" />
</p>

 </form>


Here is the PHP (log.php) (with personal details taken out):



<?php

	$hostname = "IP:3306";
	$username = "name";
	$password = "password";
	$database = "db_name";

	$link = MYSQL_CONNECT($hostname,$username,$password);
	
	mysql_select_db($database);	
?>

<?
session_name("MyWebsiteLogin");
session_start();

if($_GET['action'] == "login") {
$conn = mysql_connect("213.171.218.228:3306","db_name","password");
$db = mysql_select_db("db_name"); //Your database name goes in this field.
$name = $_POST['user'];
$q_user = mysql_query("SELECT * FROM customer WHERE username='$name'");

?>

<?
               $insert_query = ("INSERT INTO login(username) VALUES ('$name');");
               mysql_query($insert_query) or die('Error, insert query failed');

?>

<?
if(mysql_num_rows($q_user) == 1) {

$query = mysql_query("SELECT * FROM customer WHERE username='$name'");
$data = mysql_fetch_array($query);
if($_POST['pwd'] == $data['password']) {
session_register("name");
header("Location: http://#/download/index.php?un=$name"); // This is the page that you want to open if the user successfully logs in to your website.
exit;
} else {
header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
exit;
}
} else {
header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
exit;
}
}

// if the session is not registered
if(session_is_registered("name") == false) {
header("Location: login.php");
}
?>


Without seeing the code your login form submits to, it’s really a guess as to what the problem is.

Normally, the script doing the username/password authentication will set a session variable (for login confirmation on restricted access pages) if the username/password are correct and then redirect the user to the restricted access area. If the username/password are not correct or invalid, the session variable is not created and the user is sent back to the login page. So it sounds like you have a system problem with how sessions are handled or there is a logic error in the code doing the username/password authentication. I suspect it’s the latter, but without seeing your code I can’t be sure.

Edit:

I didn’t see your post with the code until I posted this post

Thanks for your reply.

Please see code above.

ok, you have at least a few issues there.

  1. session_register is deprecated and should not be used. You should be using session_start() as you have elsewhere in your code.

  2. you are attempting to start a session with session_start() and session_register() at different parts of your code. That is not correct.
    session_start() should be at the very top of your script as the first line after your opening php tag <?php.

If the username/password are correct, then a session variable should be set. I don’t see this variable in your code. Then at the top of each page where a user needs to be logged in, first check if the session variable exists and has the correct value. If it does, then continue loading the page. If it doesn’t, then abort loading the page and display a message saying the user must be logged in to view the page.

  3. You are mixing short and long php tags. That is not a good idea generally. Usually it’s safer to use long php tags (<?php…?>) as short php tags can cause issues if your server is not configured correctly (but I’m not an expert on that side of things, or anything really come to think of it :)).

  4. For a login script, I’m not sure why you need to insert any records like in your code.

So to summarise, apart from the incorrect way you are attempting to start a session, you have logic errors in your code that need to be fixed.

Thanks!

I will look into this now and will post changes.

Hi,

I have tried editing this, but I am running into some difficulties when removing session_register().

I have taken the last if statement out from the bottom, that is ok, as I don’t think it was needed!

When I take session_register(“name”); out, or change it to session register the login does not work:

Here is what the updated code looks like currently:


<?php

	$hostname = "IP:3306";
	$username = "user";
	$password = "password";
	$database = "db_name";

	$link = MYSQL_CONNECT($hostname,$username,$password);
	
	mysql_select_db($database);	
?>

<?php
session_name("MyWebsiteLogin");
session_start();

if($_GET['action'] == "login") {
$conn = mysql_connect("IP:3306","user","password");
$db = mysql_select_db("db_name"); //Your database name goes in this field. 
$name = $_POST['user'];
$ip=$_SERVER['REMOTE_ADDR'];
$country = file_get_contents('http://api.hostip.info/country.php?ip='.$ip);
$q_user = mysql_query("SELECT * FROM customer WHERE username='$name'");

?>

<?php
               $insert_query = ("INSERT INTO login(username, ip, country) VALUES ('$name','$ip','$country');");
               mysql_query($insert_query) or die('Error, insert query failed');

?>

<?php
if(mysql_num_rows($q_user) == 1) {

$query = mysql_query("SELECT * FROM customer WHERE username='$name'");
$data = mysql_fetch_array($query);
if($_POST['pwd'] == $data['password'])
{
session_register("name");
header("Location: http://#/download/index.php?un=$name"); // This is the page that you want to open if the user successfully logs in to your website.
exit;
} else {
header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
exit;
}
} else {
header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
exit;
}
}


?>


Also, when I took out the insert statement the login would not work.

Any help would be much appreciated.

You haven’t made all the changes I suggested.

Did you write all that code or is this someone else’s code you are trying to fix?

It was a downloaded script by someone else and I am tasked with getting it all ironed out.

I didn’t understand what you meant with some bits that I didn’t change.

Would you mind explaining a little more about it please? I am currently just learning php at the moment, all advice would be gladly received

The issue you mentioned is usually caused when the “login page” is on non-SSL and redirects the member to SSL as it logs him/her in.

If you are using SSL, make certain that the user is redirected to SSL on the login page if he entered it without using SSL.

For your issues with sessions, put the session_start at the top of the page right before your database login info, then remove session_name and use $_SESSION['name'] = true; instead of session_register.

I would also recommend you to read some tutorials on PHP before continuing with your work, it will most probably make a lot more sense if you do that.

Update!

This has been fixed now!

I had two duplicate files which were conflicting - one (an older log.php file) in the root directory and one in the restricted directory. I removed the one in the root directory and kept the other in the restricted directory.

They were causing the whole problem.

I = noob,

but at least I am learning.

I also swotted up on books and videos and removed lots of garbage code that wasn’t needed.

Make sure you do update to put session_start(); at the very beginning of your document. The problem you had could easily be caused by this, as session_start(); begins your session. If you are applying a name to the session prior to session_start(); then it might only get the session name the second time around.

It should be as close to the top of your page as you can get it.
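
The session handling advised in this thread (start the session first, set a `$_SESSION` variable on success, check it at the top of each restricted page), as an added example that is not code from any poster. It goes beyond the thread by using a PDO prepared statement and `password_verify()`, and assumes PHP 7.1 or later and a `customer.password` column holding `password_hash()` output; the function names and demo data are hypothetical.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.1+ with PDO and a customer
// table whose password column holds password_hash() output (an assumption).
// Look the user up with a bound parameter, then verify the stored hash.
function credentials_ok(PDO $db, string $user, string $pwd): bool
{
    $stmt = $db->prepare('SELECT password FROM customer WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pwd, $hash);
}

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                 // must run before any output is sent
    }
}

// log.php: returns the redirect target; the caller sends the Location header.
function handle_login(PDO $db, array $post): string
{
    ensure_session();
    $user = (string)($post['user'] ?? '');
    if (!credentials_ok($db, $user, (string)($post['pwd'] ?? ''))) {
        return 'login.php?login=failed'; // same answer for bad user or password
    }
    session_regenerate_id(true);         // fresh session id once authenticated
    $_SESSION['name'] = $user;           // replaces session_register("name")
    return 'download/index.php';
}

// Top of every restricted page: continue only if the variable is set.
function is_logged_in(): bool
{
    ensure_session();
    return isset($_SESSION['name']);
}

// Constructed demo data (in-memory SQLite) so the file runs from the CLI.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE customer (username TEXT PRIMARY KEY, password TEXT)');
    $db->prepare('INSERT INTO customer VALUES (?, ?)')
       ->execute(['alice', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
    $r = [handle_login($db, ['user' => 'alice', 'pwd' => 'wrong']), is_logged_in(),
          handle_login($db, ['user' => 'alice', 'pwd' => 's3cret-demo']), is_logged_in()];
    var_dump($r);
}
```

On the web server, log.php would pass `$_POST` to `handle_login()` and send the returned path in a `Location` header followed by `exit;`, and each restricted page would redirect to the login form when `is_logged_in()` is false.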