Confirm login keeps redirecting to login page

[dmacster]

Ok - I've screwed something up here, but can't figure out what. I want to make sure a user logs in to get to the form to update my db, but when I try to confirm login, I keep getting directed back to the login page, and even after entering a good user/password - redirects to login. If I remove the confirm login from the management page, I go right to the page without logging in and without the confirm_login on the management page, I can go to the login page, login and be redirected to the management page. Sounds confusing, but anyway

Here's what I have on the management page

<?php require_once("includes/session.php"); ?>
<?php require_once("includes/always.php"); ?>
<?php require_once("includes/functions.php"); ?>
<?php $cxn=mysqli_connect(DB_SERVER,DB_USER,DB_PASS,DB_NAME)	
or die ("Could'nt connect to server");	
?>
<?php confirm_logged_in(); ?>

and then the page info

Here's the login

<?php require_once("includes/session.php"); ?>
<?php require_once("includes/connection.php"); ?>
<?php require_once("includes/functions.php"); ?>
<?php
	
	if (logged_in()) {
		redirect_to("manageSC.php");
	}

	include_once("includes/form_functions.php");
	
	// START FORM PROCESSING
	if (isset($_POST['submit'])) { // Form has been submitted.
		$errors = array();

		// perform validations on the form data
		$required_fields = array('username', 'password');
		$errors = array_merge($errors, check_required_fields($required_fields, $_POST));

		$fields_with_lengths = array('username' => 30, 'password' => 30);
		$errors = array_merge($errors, check_max_field_lengths($fields_with_lengths, $_POST));

		$username = trim(mysql_prep($_POST['username']));
		$password = trim(mysql_prep($_POST['password']));
		$hashed_password = sha1($password);
		
		if ( empty($errors) ) {
			// Check database to see if username and the hashed password exist there.
			$query = "SELECT id, username ";
			$query .= "FROM users ";
			$query .= "WHERE username = '{$username}' ";
			$query .= "AND hashed_password = '{$hashed_password}' ";
			$query .= "LIMIT 1";
			$result_set = mysql_query($query);
			confirm_query($result_set);
			if (mysql_num_rows($result_set) == 1) {
				// username/password authenticated
				// and only 1 match
				$found_user = mysql_fetch_array($result_set);
				$_SESSION['id'] = $found_user['id'];
				$_SESSION['username'] = $found_user['username'];
				
				redirect_to("manageSC.php");
			} else {
				// username/password combo was not found in the database
				$message = "Username/password combination incorrect.<br />
					Please make sure your caps lock key is off and try again.";
			}
		} else {
			if (count($errors) == 1) {
				$message = "There was 1 error in the form.";
			} else {
				$message = "There were " . count($errors) . " errors in the form.";
			}
		}
		
	} else { // Form has not been submitted.
		if (isset($_GET['logout']) && $_GET['logout'] == 1) {
			$message = "You are now logged out.";
		} 
		$username = "";
		$password = "";
	}
?>

I know that's a lot, and there's more, but can anyone point me to what I'm confusing myself with here?

Thanks,
Donna

 

[southbeach]

Donna,

Why opening and closing PHP on every line? I know you know you can simply open PHP, write your code, close PHP ... you have that right on your code ... ???

What is confirm_logged_in()? What value is returned by logged_in() and based on what? When and where are these values set?

Add some echo on your code to see what you're looking at and help yourself troubleshoot a bit.

One thing I normally do is run my code with ?debug=1 on the URL, and I then check

if ($_REQUEST['debug'] == 1) {
  $ofile = fopen("c:/temp/debuglog.txt","a+");
  $wfile = fwrite($ofile,$log_msg."\r\n");
}

You can have this code on a UDF and call the function with the $log_msg as passed parameter. This simple couple of lines of code have helped me a lot.

Hope this helps!



--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.

 

[hex6007]

Donna,

Are you calling a function called login()? if so, post the function, maybe we can help resolve your problem perhaps.

 

[jpadie]

pls post the redirect_to() function and the mysql_prep() function

and you are using mysql_calls having connected to the database with mysqli_*. i would recommend standardising on mysql_* until everything is working.

 

[dmacster]

Here's the prep and redirect

function mysql_prep( $value ) {
		$magic_quotes_active = get_magic_quotes_gpc();
		$new_enough_php = function_exists( "mysql_real_escape_string" ); // i.e. PHP >= v4.3.0
		if( $new_enough_php ) { // PHP v4.3.0 or higher
			// undo any magic quote effects so mysql_real_escape_string can do the work
			if( $magic_quotes_active ) { $value = stripslashes( $value ); }
			$value = mysql_real_escape_string( $value );
		} else { // before PHP v4.3.0
			// if magic quotes aren't already on then add slashes manually
			if( !$magic_quotes_active ) { $value = addslashes( $value ); }
			// if magic quotes are active, then the slashes already exist
		}
		return $value;
	}

	function redirect_to( $location = NULL ) {
		if ($location != NULL) {
			header("Location: {$location}");
			exit;
		}
	}

The session file with the confirm

<?php
	session_start();
	
	function logged_in() {
		return isset($_SESSION['id']);
	}
	
	function confirm_logged_in() {
		if (!logged_in()) {
			redirect_to("login.php");
		}
	}
?>

The session close is in the footer

I'll look over further once fully awake.

Thanks,
Donna

 

[jpadie]

those functions look ok. i assume you have magic_quotes_runtime() switched off.

footprint your code to check the outputs in each case.

 

[dmacster]

magic_quotes_runtime() is off.

Not sure what you mean by

footprint your code to check the outputs

Tutorial somewhere on this? Did a quick search on google, but was overwhelmed by returns.

Thanks,
Donna

 

[jpadie]

footprinting means forcing output of variables that you are worried about. there is a good FAQ on debugging php scripts in this forum.