I can't figure out why this is happening, as I do similar things throughout my site that don't do this.
Here's what's happening...
I am implementing a random second step for identity verification via a security question and answer. When a user first logs in with their username and password, if they are deemed legit then a test is run to see if they will be randomly asked to answer their security question as a second step. Everything works ok until I actually answer the security question. After I hit submit, it seems that the variables $_SESSION['my_username'] and $_SESSION['my_password'] lose their data. I have no unset commands anywhere in the page and I cannot for the life of me figure out what stupid thing I probably did to cause this.
Here's the code:
<?php
session_start();
$link = mysql_connect('wouldn't you like to know');
if ($link)
{
}
else
{
die('Could not connect: ' . mysql_error());
}
$link = mysql_select_db("XXXXXXXX");
if ($link)
{
}
else
{
die('Could not connect: ' . mysql_error());
}
/*if I try to echo the 2 session variables here I will get them prior to submitting the answer, but after the answer is submitted, the variables are empty*/
if(isset($_SESSION['my_username'])&&(isset($_SESSION['my_password'])))
{
$my_password=$_SESSION['my_password'];
$my_username=$_SESSION['my_username'];
$query_string="SELECT code, sec_q FROM staff WHERE password = '$my_password' && username= '$my_username'";
$result=mysql_query("$query_string")or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query_string . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
if(mysql_num_rows($result)==1)
{
$r=mysql_fetch_array($result);
$code=$r['code'];
$sec_q=$r['sec_q'];
$query_string="UPDATE staff SET active='F' WHERE password = '$my_password' && username= '$my_username'";
$result=mysql_query("$query_string")or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query_string . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
}
if(isset($_POST['sec_test']))
{
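// read the field under the name the form uses ('sec_a') and escape it before it goes into the query
$sec_a=mysql_real_escape_string($_POST['sec_a']);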
$query_string="SELECT * FROM staff WHERE password = '$my_password' && username= '$my_username' && sec_a='$sec_a'";
$result=mysql_query("$query_string")or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query_string . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
if(mysql_num_rows($result)>0)
{
$_SESSION['random_test']='PASS';
$query_string="UPDATE staff SET active='Y' WHERE password = '$my_password' && username= '$my_username'";
$result=mysql_query("$query_string")or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query_string . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
if(mysql_affected_rows() > 0)
{
echo "<body onLoad=\"javascript:parent.navigation.location.href='}
}
else
{
$test='fail';
}
}
if(!isset($_POST['sec_test'])||(isset($test)&&('fail'==$test)))
{
echo"
<body>
A random Identity Verification Test has been requested<br />
<font color='red'>You will not be able to log into the web system until you complete this.</font><br />
Please answer your security question below to confirm your identity.";
if(isset($test)&&$test=='fail')
{
echo "<font color='red'>Incorrect Answer, Please try again.</font>";
}
echo"
<form name='id_test' method='post' action=' target='navigation'>
<table>
<tr>
<td>
Security Question: </td><td><input type='text' name='sec_q' size='50' maxlength='55' style='border: 2px solid black' value='$sec_q' readonly='readonly'/><font color='red' size='-1'>*This is the question you setup yourself when you logged in for the first time*</font>
</td>
</tr>
<tr>
<td>
Security Question Answer: </td><td><input type='text' name='sec_a' size='20' maxlength='25' style='border: 2px solid black'/><font color='red' size='-1'>*This should be the answer you provided to the above question*</font><br />
</td>
</tr>
<tr><td colspan='2' align='center'><input type='submit' name='sec_test' value='Submit'/><input type='reset' name='reset' value='Reset'/></td></tr></table></form>";
}
}
else
{
echo"There was a problem somewhere with username and password";
}
?>
This code starts off as an include, and then loops back into itself (essentially removing the page that called it originally) until the user correctly answers the question. It also changes the user's status so even if they attempt to close the window and log in again, they will be redirected back to this security section.
Mayhaps the problem lies in this code being an include first off and then becoming the primary page after answering the security question, I'm not sure.
Any help would be greatly appreciated.
I'll also be happy to add any clarification to what I'm doing if need be.
PS: This is all done via php and mysql.
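An added example, not part of the original post: the security-answer check from the flow described above, written with PDO placeholders, a hashed answer, and a user id in the session instead of the username and password. The `id` and `sec_a_hash` columns, the `user_id` session key, the helper names, and the in-memory SQLite database with its sample row are assumptions made for illustration.

```php
<?php
// Added example (not the poster's code). Assumed names: staff.id, staff.sec_a_hash,
// and a user id kept in the session instead of the username/password pair.

function normalize_answer(string $a): string {
    // Apply the same normalization when the answer is stored and when it is checked.
    return strtolower(trim($a));
}

function check_security_answer(PDO $db, int $userId, string $answer): bool {
    // Placeholder binding keeps the submitted answer out of the SQL text.
    $st = $db->prepare('SELECT sec_a_hash FROM staff WHERE id = ?');
    $st->execute([$userId]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify(normalize_answer($answer), $hash)) {
        return false;
    }
    // Re-activate the account only after the answer has been verified.
    $db->prepare("UPDATE staff SET active = 'Y' WHERE id = ?")->execute([$userId]);
    return true;
}

// Constructed sample data in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE staff (id INTEGER PRIMARY KEY, username TEXT,
           sec_q TEXT, sec_a_hash TEXT, active TEXT)");
$ins = $db->prepare("INSERT INTO staff (username, sec_q, sec_a_hash, active)
                     VALUES (?, ?, ?, 'F')");
$ins->execute(['jdoe', 'First pet?',
               password_hash(normalize_answer('Rex'), PASSWORD_DEFAULT)]);

// In the real flow this would be $_SESSION['user_id'], set once at login.
$userId = (int) $db->lastInsertId();

// A wrong answer containing a quote character is treated as plain data.
var_dump(check_security_answer($db, $userId, "O'Neil"));
// The stored answer, with different case and padding, passes after normalization.
var_dump(check_security_answer($db, $userId, ' rex '));
// The account is re-activated only by the successful check.
var_dump($db->query('SELECT active FROM staff WHERE id = ' . $userId)->fetchColumn());
```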