I wrote a simple login script- done this many times before. for some reason, it works on the second try, but not the first. ..
Here's what happens... So I go to the login page, enter the correct usern/passw and it logs in successfully, but the session var is not saved, thus it gets kicked back out with status "not logged." The second time I submit, it goes through fine. erp??? Here's the code:
LOGIN PAGE:
CHECKLOGIN ACTION SCRIPT:
CLASS/FUNCTION FILE:
It's probably something stupid and simple, but I'm definitely missing it. Any ideas??
Here's what happens... So I go to the login page, enter the correct usern/passw and it logs in successfully, but the session var is not saved, thus it gets kicked back out with status "not logged." The second time I submit, it goes through fine. erp??? Here's the code:
LOGIN PAGE:
HTML:
<form action="?action=checklogin" method="post" name="login">
<input type="hidden" name="redirect_to" value="<?=$_GET['redirect_to']?>" />
<p><label for="ksjdk">Email Address</label><br/>
<input type="text" name="username" class="t" id='ksjdk' value="<?=($_GET['username'])?$_GET['username']:''?>" maxlength="50" /></p>
<p>
<label for="oowoow">Password</label><br/>
<input type="password" name="password" class="t" id="oowoow" maxlength="30" /><br/>
<div style="font-size: 11px;"><input type="checkbox" name="keep_logged_in" value="yes" id="yadda" checked align="middle" /> <label for='yadda'>Keep me signed in</label></div>
</p>
<p><a href="javascript:;" onclick="document.login.submit();" class="button">Log In</a> <span style="font-size: 11px;"><a href="/forgot_password" title="Reset Your Password">Forgot Password?</a></span>
</p>
</form>CHECKLOGIN ACTION SCRIPT:
PHP:
<?
//this script checks login and redirects to appropriate page
$success=0;
if ($_GET['redirect_to'])
$_SESSION['redirect_to'] = $_GET['redirect_to'];
//check for session variables
if (isset($_POST['username']) && isset($_POST['password'])) {
$_POST['username']=strtolower($_POST['username']);
$success = $me->login($_POST['username'], $_POST['password'], ($_POST['keep_logged_in']=='yes') );
}
if ($success) {
$content = ($_SESSION['redirect_to']) ? 'content='.$_SESSION['redirect_to'] : 'content=userhome';
//unset($_SESSION['redirect_to']);
} else {
$content="content=login&state=tryagain&username=".$_POST['username'];
}
//session_write_close();
redirect("?$content");
?>CLASS/FUNCTION FILE:
Code:
<?
function needpw($permission = '') {
global $me,$page_content;
$allow = 0;
// simple function to call. exit to login page if not logged in, permit if you are.
if ($me->logged_in && !empty($me->permissions)) {
if ($permission=='')
$allow = 1;
else
$allow = has_permission($permission);
}
elseif ($me->logged_in && !has_permission($permission)) {
redirect("?content=userhome&state=noperm"); }
if (!$allow) redirect("?content=login&redirect_to=".$page_content."&state=notlogged");
}
function has_permission($permission_name=''){
global $me,$aperm;
//return permission true or false. very simple. if permission_name is not set to true, it is default deny rule.
if (strstr($me->permissions,'super-admin'))
return 1;
else
//must exist in master and current user
return (in_array($permission_name,$aperm) && strstr($me->permissions,$permission_name));
}
function logout() {
global $me,$db;
if ($me->user_id != 0)
$t = $db->query("UPDATE users SET last_ip='', last_session='' WHERE id='".$me->user_id."'");
setcookie('login');
session_destroy();
unset($me);
}
class user {
var $logged_in = false;
var $firstname = '';
var $lastname = '';
var $fullname = '';
var $permissions = '';
function login($username,$password,$keep_logged_in = false) {
global $db,$Config;
if ($username=='') return 0;
$sql="
SELECT users.*,users_permissions.* FROM users
LEFT JOIN users_permissions ON users.id=users_permissions.user_id
WHERE LOWER(users.email)='".strtolower($db->real_escape_string($username))."'
AND password='".md5($password)."'";
if ($r = $db->query($sql)) {
$t = $r->fetch_object();
if ($t->active == 0) { redirect("?content=login&state=inactiveuser"); }
else {
$expires = ($keep_logged_in)
? time() + $Config->login_expiration
: time() + 3600; //an hour
$user['session_id']=session_id();
$user['ip'] = $_SERVER['REMOTE_ADDR'];
$user['user_id'] = $t->id;
$user['email'] = $username;
$cookie = serialize($user);
//setcookie('login',$cookie,$expires,'/','.'.$Config->domain);
//update user's database record
$r = $db->query("UPDATE users SET
last_session='".$user['session_id']."',
last_ip='".$user['ip']."',
last_login='".NOW."'
WHERE id='".$t->id."'");
//set variables
foreach ($t as $key=>$val)
if ($key!='password') $this->$key = stripslashes($val);
$this->logged_in = true;
$_SESSION['user']['logged_in'] = 1;
$_SESSION['user']['permissions'] = $this->permission_names;
$this->permissions = $this->permission_names; //alias
$_SESSION['user']['firstname'] = $this->firstname;
$_SESSION['user']['lastname'] = $this->lastname;
$_SESSION['user']['id'] = $t->id;
$this->id = $t->id;
$this->user_id = $t->id;
//these lines are for the TinyMCE
$_SESSION['MyIsLoggedInState'] = true;
return 1;
}
} else {
return 0;
}
}
function test_logged_in_status() {
global $db;
$ret = false;
$login_cookie = unserialize($_COOKIE['login']);
print_r($_COOKIE['login']);
//does the cookie match the current state?
if ($login_cookie['ip']==$_SERVER['REMOTE_ADDR']) {
$r = $db->query("SELECT id,email,last_ip,last_session FROM users
WHERE id='".$login_cookie['user_id']."'");
$t = $r->fetch_object();
if ($t->last_ip == $login_cookie['ip'])
$ret = true;
$this->user_id = $t->id;
$this->id = $t->id;
$this->email = $t->email;
}
return $ret;
}
//CONSTRUCTOR
function __construct() {
if ($_SESSION['user']['logged_in']) {
$this->logged_in = 1;
$this->firstname = $_SESSION['user']['firstname'];
$this->lastname = $_SESSION['user']['lastname'];
$this->fullname = $this->firstname.' '.$this->lastname;
$this->user_id = $_SESSION['user']['id'];
$this->id = $_SESSION['user']['id'];
$this->permissions = $_SESSION['user']['permissions'];
}
}
}
?>It's probably something stupid and simple, but I'm definitely missing it. Any ideas??
