views: 97
answers: 3

+1  Q:

Fun with sessions

I have a problem that annoys me very much. I'm trying to make a PHP login script, but when I log in correctly, it won't let me in.

If I comment out some lines (I'll mark them), the script works, but that's the code I was planning to use as a check on every page, so people can't get in if they shouldn't have access.

Below, I've posted the code.


index.php

<?php
function __autoload($class_name) {
 require_once "./functions/" . $class_name . ".php";
}
$functions = new functions;
$functions->header("Log ind",0);
$login = new login;
$login->showLogin();
$functions->footer();
?>

/functions/functions.php

<?php
// Define class functions
class functions {
 function header($titel,$needlogin = 1) {
  session_start();
  echo $_SESSION['navn'];
// The following lines can be commented out, and it's working
  if($needlogin == 1) {
   if(!isset($_SESSION['id'])) {
    header("Location: http://hansensopskrifter.co.cc/");
    exit;
   }
  }
  ?>
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >
   <head>
    <title><?php echo $titel; ?> - Hansens Opskrifter</title>
    <meta http-equiv="content-type" content="text/html; charset=utf-8">
   </head>
   <body>
    <h1>Hansens Opskrifter</h1>
  <?php
// The above lines can be commented out, and it's working
 }

 function footer() {
  ?>
   </body>
  </html>
  <?php
 }
}
?>

/functions/mysql.php

<?php
// Create the class MySQL
class mysql {
 function __construct() {
  $this->mysqlconnect();
 }

 function mysqlconnect() {
  $conn = mysql_connect("localhost","user","pass");
  if(!$conn) {
   die("Noget gik galt - kontakt Kristoffer og vis ham den følgende meddelelse: " . mysql_error());
  }
  if(!mysql_select_db("db",$conn)) {
   die("Noget gik galt - kontakt Kristoffer og vis ham den følgende meddelelse: " . mysql_error());
  }
 }

 function mysqlquery($query) {
  $result = mysql_query($query);
  if($result) {
   return $result;
  }
 }
}
?>

login.php

<?php
function __autoload($class_name) {
 require_once "./functions/" . $class_name . ".php";
}
$name = $_REQUEST['name'];
$pass = $_REQUEST['pass'];
$login = new login;
$l = $login->doLogin($name,$pass);
if($l == TRUE) {
 header("Location: http://hansensopskrifter.co.cc/loggedin.php");
} else {
 exit;
}
?>

/functions/login.php

<?php
class login {
 function __autoload($class_name) {
  require_once($class_name . ".php");
 }
 function showLogin() {
  ?>
  <h2>Log ind</h2>
  <form action="./login.php" method="post">
   Navn:<input type="text" name="name" />
   Kode:<input type="password" name="pass" />
   <input type="submit" value="Log ind" />
  </form>
  <p><a href="./forgotpass.php" alt="Glemt kode" title="Glemt kode">Glemt kode?</a></p>
  <?php
 }

 function doLogin($name,$pass) {
  $mysql = new mysql;
  $n = mysql_real_escape_string($name);
  if(!$n) {
   $functions = new functions;
   $functions->header("Intet navn indtastet",0);
   echo "Du glemte at indtaste dit navn.";
   $this->showLogin();
   $functions->footer();
   return false;
  } elseif(!$pass) {
   $functions = new functions;
   $functions->header("Ingen adgangskode indtastet",0);
   echo "Du glemte at indtaste din adgangskode.";
   $this->showLogin();
   $functions->footer();
  }
  $query = "SELECT `id`, `navn`, `kode` FROM `users` WHERE `navn` = '".$n."' ";
  $result = $mysql->mysqlquery($query);
  while($row = mysql_fetch_assoc($result)) {
   $k = sha1($pass);
   $navn = $row['navn'];
   $kode = $row['kode'];
   $n = ucfirst(strtolower($n));
   if($navn == $n && $kode == $k) {
    $_SESSION['id'] = $row['id'];
    $_SESSION['navn'] = $row['navn'];
    return true;
   } else {
    $functions = new functions;
    $functions->header("Forkert navn eller kode",0);
    echo "Det indtastede navn eller kode er forkert.";
    $this->showLogin();
    $functions->footer();
    return false;
   }
  }
 }
}
?>

loggedin.php

<?php
function __autoload($class_name) {
 require_once ("./functions/" . $class_name . ".php");
}
header( "refresh:2;url=./panel/index.php",0);
$functions = new functions;
$functions->header("Logger ind...");
?>
<p>Du er nu logget ind. Du vil automatisk blive viderestillet om omkring 5 sekunder. Hvis du er tr&aelig;t af at vente kan du <a href="./panel/index.php" alt="Opskrifter" title="Opskrifter">klikke her</a>.</p>
<?php
$functions->footer();
?>

I've tried a lot of things, and now I just hope you can help me. I've checked that a cookie called PHPSESSID is created on my computer.

Thank you very much in advance.

A: 

The only thing I see after a quick look is that you do this:

echo $_SESSION['navn'];

before you run

header("Location: http://hansensopskrifter.co.cc/");

That will not work. You can't output anything before you write an HTTP header. Remove that echo, or put it after the header().

Johan
I know that; I put that in for testing purposes. It doesn't give me the error.
+2  A: 

That's a huge wall of text, but it would appear the flaw's in your index.php:

$login = new login;
$login->showLogin();

You unconditionally create a login object and display the login form, without ever checking if a previous login attempt succeeded. I don't know if the $_SESSION['id'] and $_SESSION['navn'] you set in the login class are to indicate a successful login or not, but assuming they are, you should have something like:

if (!isset($_SESSION['id'])) {
    // not logged in, show the form
    $login = new login;
    $login->showLogin();
    exit();
}
// show logged in content here
Marc B
And that's why I have this code in the header:

if($needlogin == 1) { if(!isset($_SESSION['id'])) { header("Location: http://hansensopskrifter.co.cc/"); exit; } }

This should check if the user is logged in correctly, and is included on every page. If the variable is set to 0, it'll not be checked.
But if http://hansensopskrifter.co.cc's default document is that index.php you've got above, then you're right back at the login form.
Marc B
It is the default document, but if the login is correct, it should redirect to /panel/index.php
+1  A: 

Hi, I think isset alone is not enough. Even if a variable is 0, isset still returns true.

Try using the following code:

// show the form unless the session holds a non-zero user id
if (!isset($_SESSION['id']) || $_SESSION['id'] == 0) {
    $login = new login;
    $login->showLogin();
    exit();
}
Dora
Where in the code should that be?
In /functions/functions.php line number 7
Dora
Thanks, I'll try that ASAP.
Thank you very much - it's all fixed now. I've accepted your answer - it's amazing, thanks.
@lakridserne: You are most welcome.
Dora
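Putting the three answers together, here is a stand-alone example (added here; it is not code from the question or from any of the answers) of the pattern they point at: session_start() is called before $_SESSION is read or written on every page, including the page that handles the POST (in the question, login.php never calls it, so the id stored in doLogin() is never persisted); the logged-in check uses empty() rather than isset() so that an id of 0 is rejected; and the redirect header is issued before any output, with headers_sent() reporting where output began if it is too late. It swaps in password_hash()/password_verify() for the sha1() comparison in the question, and replaces the `users` table with a constructed in-memory array so the script runs from the command line. The function names startSession, requireLogin, doLogin and isLoggedIn, the user 'Kristoffer' and the password 'hemmelig' are all made up for this example.

```php
<?php
// Added example, not the asker's code. Assumes a users table with columns
// id, navn, kode where kode holds a password_hash() value; the table is
// replaced by the constructed array below so the script runs stand-alone.
declare(strict_types=1);

// Constructed sample user store (stands in for the `users` table).
$USERS = [
    ['id' => 1, 'navn' => 'Kristoffer', 'kode' => password_hash('hemmelig', PASSWORD_DEFAULT)],
];

// Start the session exactly once, before any output, on every page that
// touches $_SESSION. Without this call $_SESSION is an ordinary array that
// is thrown away at the end of the request.
function startSession(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Gate for protected pages. Must run before anything is echoed, because
// header() is ignored once output has started.
function requireLogin(string $loginUrl): void {
    startSession();
    if (empty($_SESSION['id'])) {            // empty() also rejects 0 and ''
        if (headers_sent($file, $line)) {
            // A redirect header would be lost silently; fail loudly instead.
            trigger_error("cannot redirect: output started at $file:$line", E_USER_ERROR);
        }
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Check the credentials against the store. On success, rotate the session
// id (so an id handed out before login cannot be reused) and record the user.
function doLogin(array $users, string $name, string $pass): bool {
    startSession();
    foreach ($users as $row) {
        // Case-insensitive name match replaces the ucfirst(strtolower()) trick.
        if (strcasecmp($row['navn'], $name) === 0 && password_verify($pass, $row['kode'])) {
            session_regenerate_id(true);
            $_SESSION['id']   = $row['id'];
            $_SESSION['navn'] = $row['navn'];
            return true;
        }
    }
    return false;
}

function isLoggedIn(): bool {
    startSession();
    return !empty($_SESSION['id']);
}

// Stand-alone demonstration from the CLI. All session work happens before
// any output, so no "headers already sent" warning can be triggered.
if (PHP_SAPI === 'cli') {
    $wrong      = doLogin($USERS, 'kristoffer', 'forkert');
    $afterWrong = isLoggedIn();
    $right      = doLogin($USERS, 'kristoffer', 'hemmelig');
    $afterRight = isLoggedIn();
    var_dump($wrong, $afterWrong, $right, $afterRight);
}
```

Run with `php example.php`: the wrong password returns false and leaves the session without an id, the right one returns true and isLoggedIn() then reports true. On a real page, requireLogin('/') is the first call in the header function, before the DOCTYPE is printed, and the script that receives the login form calls doLogin() and then redirects, again before printing anything.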