开发者

(PHP) User is being forced to RE-LOGIN after trying to do something on an admin page

I have created an admin panel for a client in PHP, which requires a login. Here is the code at the top of the admin page requiring the user to be logged in:

admin.php

<?php
session_start();
require("_lib/session_functions.php");
require("_lib/db.php");
db_connect();


//if the user has not logged in
if(!isLoggedIn())
{
    header('Location: login_form.php');
    die();
}
?>

Obviously, the if statement is what catches them and forces them to log i开发者_运维问答n. Here is the code on the resulting login page:

login_form.php

<form name="login" action="login.php" method="post">
    Username: <input type="text" name="username" />
    Password: <input type="password" name="password" />
    <input type="submit" value="Login" />
</form>

Which posts info to this controller page:

login.php

<?php
session_start(); //must call session_start before using any $_SESSION variables
include '_lib/session_functions.php';

$username = $_POST['username'];
$password = $_POST['password'];

include '_lib/db.php'; 
db_connect(); // Connect to the DB

$username = mysql_real_escape_string($username);

$query = "<grab username, hashed password from DB>;";
$result = mysql_query($query);

if(mysql_num_rows($result) < 1) //no such user exists
{
    header('Location: login_form.php?login=fail');
    die();
}

$userData = mysql_fetch_array($result, MYSQL_ASSOC);
db_disconnect();
$hash = hash('<myHashingFunction>', $password . $userData['salt']);

if($hash != $userData['password']) //incorrect password
{
    header('Location: login_form.php?login=fail');
    die();
}
else
{
    validateUser(); //sets the session data for this user
}

header('Location: admin.php');

?>

and the session functions page that provides login functions contains this:

session_functions.php

<?php
function validateUser()
{
    session_regenerate_id (); //this is a security measure
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $username;
}

function isLoggedIn()
{
    if($_SESSION['valid'])
        return true;

    return false;
}

function logout()
{
    $_SESSION = array(); //destroy all of the session variables
    if (ini_get("session.use_cookies")) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $params["path"], $params["domain"],
            $params["secure"], $params["httponly"]
        );
    }
    session_destroy();
}
?>

I grabbed the sessions_functions.php code of an online tutorial, so it could be suspicious.

Any ideas why the user logs in to the admin panel, tries to do something, is forced to re-login, and THEN is allowed to do stuff like normal in the admin panel?


Be careful when using session_regenerate_id with redirects. In general. Don't.


remember to clear your browser cookies if the client switches servers :)


Is it just me, or is your isLoggedIn function really insecure? All you do is check for the existence of a session variable, which anyone could fake with a random value. You need to check the actual session ID/hash against a database of validated/logged in users.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜