I have created an admin panel for a client in PHP, which requires a login. Here is the code at the top of the admin page requiring the user to be logged in:
admin.php
<?php
session_start();
require("_lib/session_functions.php");
require("_lib/db.php");
db_connect();
//if the user has not logged in
if(!isLoggedIn())
{
header('Location: login_form.php');
die();
}
?>
Obviously, the if statement is what catches them and forces them to log in. Here is the code on the resulting login page:
login_form.php
<form name="login" action="login.php" method="post">
Username: <input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Login" />
</form>
Which posts info to this controller page:
login.php
<?php
session_start(); //must call session_start before using any $_SESSION variables
include '_lib/session_functions.php';
$username = $_POST['username'];
$password = $_POST['password'];
include '_lib/db.php';
db_connect(); // Connect to the DB
$username = mysql_real_escape_string($username);
$query = "SELECT password, salt
FROM users
WHERE username = '$username';";
$result = mysql_query($query);
if(mysql_num_rows($result) < 1) //no such user exists
{
header('Location: login_form.php?login=fail');
die();
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
db_disconnect();
$hash = hash('sha256', $password . $userData['salt']);
if($hash != $userData['password']) //incorrect password
{
header('Location: login_form.php?login=fail');
die();
}
else
{
validateUser(); //sets the session data for this user
}
header('Location: admin.php');
?>
and the session functions page that provides login functions contains this:
session_functions.php
<?php
function validateUser()
{
session_regenerate_id (); //this is a security measure
$_SESSION['valid'] = 1;
$_SESSION['userid'] = $username;
}
function isLoggedIn()
{
if($_SESSION['valid'])
return true;
return false;
}
function logout()
{
$_SESSION = array(); //destroy all of the session variables
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
session_destroy();
}
?>
I grabbed the sessions_functions.php code of an online tutorial, so it could be suspicious.
Any ideas why the user logs in to the admin panel, tries to do something, is forced to re-login, and THEN is allowed to do stuff like normal in the admin panel?
