Hello,

I am using a login system that works well. I am also using a comment system. The comment function does not show up unless the user is logged in (as shown in commentformonoff.php below).

When a user makes a comment, the info is passed from the function "show_commentbox" to the file comments2a.php. Then, the info is passed to the file comments2.php.

When the site is first pulled up on a browser, after logging in and making a comment, the user is logged out. After logging in a second time during the same browser session, the user is no longer logged out after making a comment.

How can I keep the user logged in after making the first comment?

Thanks in advance,

John

Login function:

function show_loginform($disabled = false)
{

    echo '<form name="login-form" id="login-form" method="post" action="./index.php?'.$_SERVER['QUERY_STRING'].'"> 

    <div class="usernameformtext"><label title="Username">Username: </label></div> 
    <div class="usernameformfield"><input tabindex="1" accesskey="u" name="username" type="text" maxlength="30" id="username" /></div> 


    <div class="passwordformtext"><label title="Password">Password: </label></div> 
    <div class="passwordformfield"><input tabindex="2" accesskey="p" name="password" type="password" maxlength="15" id="password" /></div> 


    <div class="registertext"><a href="http://www...com/.../register.php" title="Register">Register</a></div> 
    <div class="lostpasswordtext"><a href="http://www...com/.../lostpassword.php" title="Lost Password">Lost password?</a></div> 

  <p class="loginbutton"><input tabindex="3" accesskey="l" type="submit" name="cmdlogin" value="Login" ';
    if ($disabled == true)
    {
        echo 'disabled="disabled"';
    }
    echo ' /></p></form>';


}

Commentformonoff.php:

<?php
if (!isLoggedIn())
{
    if (isset($_POST['cmdlogin']))
    {
        if (checkLogin($_POST['username'], $_POST['password']))
        {
            show_commentbox($submissionid, $submission, $url, $submittor, $submissiondate, $countcomments, $dispurl);
        } else
        {
            echo "<div class='logintocomment'>Login to comment</div>";

        }
    } else
    {

        echo "<div class='logintocomment'>Login to comment</div>";
    }

} else
{
    show_commentbox($submissionid, $submission, $url, $submittor, $submissiondate, $countcomments, $dispurl);
}
?>

Function "show_commentbox":

function show_commentbox($submissionid, $submission, $url, $submittor, $submissiondate, $countcomments, $dispurl)
{
echo '<form  action="http://www...com/.../comments/comments2a.php" method="post"> 
    <input type="hidden" value="'.$_SESSION['loginid'].'" name="uid">
    <input type="hidden" value="'.$_SESSION['username'].'" name="u">
    <input type="hidden" value="'.$submissionid.'" name="submissionid">  
    <input type="hidden" value="'.stripslashes($submission).'" name="submission">
    <input type="hidden" value="'.$url.'" name="url">
    <input type="hidden" value="'.$submittor.'" name="submittor">
    <input type="hidden" value="'.$submissiondate.'" name="submissiondate">
    <input type="hidden" value="'.$countcomments.'" name="countcomments">
    <input type="hidden" value="'.$dispurl.'" name="dispurl">



    <label class="addacomment" for="title">Add a comment:</label>

    <textarea class="checkMax" name="comment" type="comment" id="comment" maxlength="1000"></textarea>  

    <div class="commentsubbutton"><input name="submit" type="submit" value="Submit"></div> 
</form>
'; 
}

Included in comments2a.php:

$uid = mysql_real_escape_string($_POST['uid']);
$u = mysql_real_escape_string($_POST['u']);

$query = sprintf("INSERT INTO comment VALUES (NULL, %d, %d, '%s', NULL)", $uid, $subid, $comment);

mysql_query($query) or die(mysql_error());

$lastcommentid = mysql_insert_id();
header("Location: comments2.php?submission=".$submission."&submissionid=".$submissionid."&url=".$url."&submissiondate=".$submissiondate."&comment=".$comment."&subid=".$subid."&uid=".$uid."&u=".$u."&submittor=".$submittor."&countcomments=".$countcomments."&dispurl=".$dispurl."#comment-$lastcommentid");
exit(); 

Included in comments2.php:

if($_SERVER['REQUEST_METHOD'] == "POST"){header('Location: http://www...com/.../comments/comments2.php?submission='.$submission.'&amp;submissionid='.$submissionid.'&amp;url='.$url.'&amp;submissiondate='.$submissiondate.'&amp;submittor='.$submittor.'&amp;countcomments='.$countcomments.'&amp;dispurl='.$dispurl.'');}

$uid = mysql_real_escape_string($_GET['uid']);
$u = mysql_real_escape_string($_GET['u']);

EDIT: Someone said that these might be useful so I'm posting them.

function isLoggedIn()
{

    if (session_is_registered('loginid') && session_is_registered('username'))
    {
        return true; // the user is logged in
    } else
    {
        return false; // not logged in
    }

    return false;

}

function checkLogin($u, $p)
{
global $seed; // global because $seed is declared in the header.php file

    if (!valid_username($u) || !valid_password($p) || !user_exists($u))
    {
        return false; // the name was not valid, or the password, or the username did not exist
    }

    //Now let us look for the user in the database.
    $query = sprintf("
        SELECT loginid 
        FROM login 
        WHERE 
        username = '%s' AND password = '%s' 
        AND disabled = 0 AND activated = 1 
        LIMIT 1;", mysql_real_escape_string($u), mysql_real_escape_string(sha1($p . $seed)));
    $result = mysql_query($query);
    // If the database returns a 0 as result we know the login information is incorrect.
    // If the database returns a 1 as result we know the login was correct and we proceed.
    // If the database returns a result > 1 there are multiple users
    // with the same username and password, so the login will fail.
    if (mysql_num_rows($result) != 1)
    {
        return false;
    } else
    {
        // Login was successful
        $row = mysql_fetch_array($result);
        // Save the user ID for use later
        $_SESSION['loginid'] = $row['loginid'];
        // Save the username for use later
        $_SESSION['username'] = $u;
        // Now we show the userbox
        return true;
    }
    return false;
}
A: 

It would be nice to see more about what's happening. These are just the snippets you thought might be important, not the whole thing.

There are some questions related to the code you submitted:

- How does the commentformonoff.php connect to the other php files you submitted?
- What happens in the isLoggedIn() and checkLogin() functions?
- Why do you split the functions into comments2.php and comments2a.php? Redirecting without a reason just adds delay to the execution. Is there a reason you cannot process the request there?
- The comment values go directly into the query without sanitation in comments2a.php; that is a serious security breach.
- In comments2a.php you create a redirection and pass variables by GET, and in comments2.php you check for POST and redirect if a POST request is found. Why do you do this?

Check out Smarty if you can, that's not a big overhead and you don't have to write functions spitting out html forms. Or, you could include html code directly in the code if there are no parameters inside, with closing and reopening the php tags.

chromecat
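The concern raised above about the comment reaching the INSERT unsanitized, together with the hidden `uid`/`u` form fields in the question, illustrated as an added example (not code from the thread or from either poster). The `save_comment()` helper, the column names and the in-memory SQLite database standing in for MySQL are assumptions; on the real site `$session` would be `$_SESSION` after `session_start()`.

```php
<?php
// Added example, not code from the thread. save_comment(), the column
// names and the SQLite stand-in for MySQL are assumptions for illustration.
function save_comment(PDO $db, array $session, array $post): int
{
    // Identity comes from the server-side session, never from form fields.
    if (!isset($session['loginid'], $session['username'])) {
        throw new RuntimeException('not logged in');
    }
    $subid   = filter_var($post['submissionid'] ?? '', FILTER_VALIDATE_INT);
    $comment = trim((string)($post['comment'] ?? ''));
    if ($subid === false || $comment === '' || strlen($comment) > 1000) {
        throw new InvalidArgumentException('bad comment input');
    }
    // Placeholders send the comment as data, so quotes in it cannot alter the SQL.
    $stmt = $db->prepare(
        'INSERT INTO comment (loginid, submissionid, comment) VALUES (?, ?, ?)'
    );
    $stmt->execute([(int)$session['loginid'], $subid, $comment]);
    return (int)$db->lastInsertId();
}

// Constructed demo: in-memory SQLite so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comment (commentid INTEGER PRIMARY KEY,
    loginid INTEGER, submissionid INTEGER, comment TEXT)');

$session = ['loginid' => 7, 'username' => 'john'];   // as set by checkLogin()
$post = [                                            // constructed request body
    'uid' => '1',                                    // hidden field, ignored
    'submissionid' => '42',
    'comment' => "It's John's \"quoted\" comment",
];

$id = save_comment($db, $session, $post);
$stmt = $db->prepare('SELECT loginid, comment FROM comment WHERE commentid = ?');
$stmt->execute([$id]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));            // stored under the session's loginid

// Redirect carries only the ids needed to render the page, not uid/u/comment.
echo 'comments2.php?' . http_build_query(['submissionid' => 42]) . "#comment-$id\n";
```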
+1  A: 

I think your error is in isLoggedIn(); could you post this? Because you have two paths to write the comment box, which could mean that on login the first path is chosen, but on refresh, when you were supposed to get to the second path, it doesn't.

The error could also be in checkLogin, not setting a session variable?

Please post both isLoggedIn() and checkLogin() :)


<?php
if (!isLoggedIn()) // most likely the place of error
{
    if (isset($_POST['cmdlogin']))
    {
        if (checkLogin($_POST['username'], $_POST['password'])) // setting session variable correctly?
        {
            // path one
            // are you supposed to set some session variables here? or in checkLogin()?
            show_commentbox($submissionid, $submission, $url, $submittor, $submissiondate, $countcomments, $dispurl);
        } else
        {
            echo "Login to comment";

        }
    } else
    {

        echo "Login to comment";
    }

} else
{
    // path two
    show_commentbox($submissionid, $submission, $url, $submittor, $submissiondate, $countcomments, $dispurl);
}
?>

Edit: In isLoggedIn() use isset() instead of session_is_registered(). session_is_registered() is deprecated as of PHP 5.3.0.

if (isset($_SESSION['loginid']) && isset($_SESSION['username']))

At the bottom of the file CommentOnOff.php, can you put in this code?

var_dump($_SESSION);

It should print out everything that is contained in the session. Then you can see if the loginid and username are actually stored in the session :)

Thomas Winsnes
Okay, thanks. I posted isLoggedIn() and checkLogin().
John
Modified answer for you :)
Thomas Winsnes
Hmmm... Changing isLoggedIn() to isset() made a blank page appear when I tried logging in.
John
A: 

I had very similar symptoms in a web app I was developing.

Try adding a favicon.ico file (an empty one is OK) to the root directory of your application.

These are the symptoms that I was experiencing...

Firefox:

User logs in, first "logged in" page appears. User clicks link and is no longer logged in. User logs in again and gets first "logged in" page. User clicks link and is still logged in. User continues to use the application as logged in user without problem.

Chrome:

User logs in, first "logged in" page appears. User clicks link and is no longer logged in. User logs in again and gets first "logged in" page. User clicks link and is logged out again. User simply cannot stay logged in after first "logged in" page.

I checked the error logs and saw that every request was looking to get the favicon.ico file. I added an empty favicon.ico file to my application's root directory and the problem stopped.

Stacey Richards
That one you need to explain a little more. It has me dumbfounded. What will this help with? Other than removing a lot of 404s from your access logs
Thomas Winsnes
Yes, it does seem weird. It surprised me when it solved my problem, but it did. The app I was developing worked fine on my development machine (without favicon.ico) so I knew my code was fine. I spent some time experimenting with php.ini settings and as a last resort I added the favicon.ico to the server that was causing the problem to keep the error log quiet. All of a sudden my login/out issue was resolved.
Stacey Richards