(PHP) User is being forced to RE-LOGIN after trying to do something on an admin page

Posted by hatorade on Stack Overflow See other posts from Stack Overflow or by hatorade
Published on 2010-03-22T20:27:40Z Indexed on 2010/03/22 20:31 UTC
Read the original article Hit count: 301

Filed under:
|

I have created an admin panel for a client in PHP, which requires a login. Here is the code at the top of the admin page requiring the user to be logged in:

admin.php

<?php
session_start();
require("_lib/session_functions.php");
require("_lib/db.php");
db_connect();


//if the user has not logged in
if(!isLoggedIn())
{
    header('Location: login_form.php');
    die();
}
?>

Obviously, the if statement is what catches them and forces them to log in. Here is the code on the resulting login page:

login_form.php

<form name="login" action="login.php" method="post">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>

Which posts info to this controller page:

login.php

<?php
session_start(); //must call session_start before using any $_SESSION variables
include '_lib/session_functions.php';

$username = $_POST['username'];
$password = $_POST['password'];

include '_lib/db.php'; 
db_connect(); // Connect to the DB

$username = mysql_real_escape_string($username);

$query = "SELECT password, salt
        FROM users
        WHERE username = '$username';";
$result = mysql_query($query);

if(mysql_num_rows($result) < 1) //no such user exists
{
    header('Location: login_form.php?login=fail');
    die();
}

$userData = mysql_fetch_array($result, MYSQL_ASSOC);
db_disconnect();
$hash = hash('sha256', $password . $userData['salt']);

if($hash != $userData['password']) //incorrect password
{
    header('Location: login_form.php?login=fail');
    die();
}
else
{
    validateUser(); //sets the session data for this user
}

header('Location: admin.php');

?>

and the session functions page that provides login functions contains this:

session_functions.php

<?php
function validateUser()
{
    session_regenerate_id (); //this is a security measure
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $username;
}

function isLoggedIn()
{
    if($_SESSION['valid'])
        return true;

    return false;
}

function logout()
{
    $_SESSION = array(); //destroy all of the session variables
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy();
}
?>

I grabbed the sessions_functions.php code of an online tutorial, so it could be suspicious.

Any ideas why the user logs in to the admin panel, tries to do something, is forced to re-login, and THEN is allowed to do stuff like normal in the admin panel?

© Stack Overflow or respective owner

Related posts about php

Related posts about login