I was tasked with cleaning up some errors on a site my company built quite a few years ago. I want to preface the code I post here with the caveat that I didn't write it, and I know it is not a very secure login system, but I have only been assigned to fix the bug at hand.
PROBLEM: When users go to login, after they submit the form the page appears to be refreshed, requiring them to retype their credentials. No login error is being reported. I could only duplicate this problem in Firefox and Safari so far. After a successful login, if one were to log out and log back in, everything seems to work fine. It's just after you initially start the browser and attempt to login the first time. I have duplicated this on different Macs/Windows PCs as well.
Here is the basic login page HTML. I am trimming out anything unnecessary, but can provide more code if needed.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
...
<body>
<form name="login" method="post" id="mainform" action="clogin.php">
<label for="username">Username:</label>
<input type="text" id="username" name="username"><br />
<label for="password">Password:</label>
<input type="password" id="password" name="password"><br />
<input type="submit" name="Submit" class="button" style="float:right;" value="Login">
</form>
</body>
Here is the PHP, also trimmed for fat:
<?php
$db = mysql_connect('***', '***', '***') or die("Couldn't connect to the database.");
mysql_select_db('***') or die("Couldn't select the database");
$result = mysql_query("SELECT count(id) FROM merchants WHERE passw='$_POST[password]' AND usern='$_POST[username]'") or die("Couldn't query the user-database.");
$num = mysql_result($result, 0);
if (!$num) {
// When the query didn't return anything,
// display the login form.
$message = "Login Failed: Incorrect username or password";
header('Location: login.php?message='.$message);
} else {
// Start the login session
session_start();
// All output text below this line will be displayed
// to the users that are authenticated. Since no text
// has been output yet, you could also use redirect
// the user to the next page using the header() function.
header('Location: merchants/index.php');
}
Does anyone have an idea at where I should start looking? My first thought is that maybe the form isn't actually fully submitting? How could I tell if that was happening? Any hints or pointers would be great. I personally can't find a "code" problem that could be causing this.