loggin.php appears to be doing nothing

weekendrockstar · #1 02-13-2012, 03:00 PM

I feel embarrassed posting this as I am currently developing scripts with the Login Script as the 'back end' but I've run into a snag...

After entering login information in login.php and submitting the form just comes back up empty with no warning of invalid login credentials even though the credentials ARE correct. Although if I keep re-entering them and submitting every once in a while I will get notification that they are invalid. Even though I haven't changed from the initial admin username and password entered into the database at setup.

I'm just wondering if anyone ran into this and fixed it.

Wombat76 · #2 02-13-2012, 07:40 PM

Have you made any changes to the original login.php?

Is there a chance that your database has become corrupted or altered by another script?

The fact that it occasionally "works" with a response would make me look at handling of cookies and sessions.

weekendrockstar · #3 02-13-2012, 09:00 PM

Even when it 'works' it doesn't actually work as it is claiming that my credentials are incorrect. No, I have not changed login.php. All of the scripts I am writing to work in conjunction with Login Script are done in files that I create. I am avoiding to change any of the initial code (although I make one slight addition to admin.php where it checks for the existence of different files from the different features I am adding and if the file exists it creates a link in the admin page to work with the feature...but this doesn't affect its operation or login.php).

I will check over the database but I've not made any changes to the original 'users' table either for the reason that I want my scripts to work as seamlessly as possible and not have to change the parent software's code/data. I've only created two other tables that are used by the scripts that I am coding and I've dropped them both and got the same result with login.php.

It's just curious how it does submit to itself but 85% of the time the form just reloads empty with no error messages. The other 15% it will process but then tells me that my information is wrong even though it is correct.

Wombat76 · #4 02-13-2012, 10:26 PM

Something's got changed somewhere, hasn't it? I'd reload login.php from the original script. If that's still giving errors then I'd check the database record for the user you're trying to log in. If it looks OK I'd reload the database data from scratch and start again with fresh database data and script.

If that still doesn't work then maybe something changed on the server.

pbu · #5 02-15-2012, 06:13 PM

That means the form is not being posted at all. Two things could have happened here:

1. Look in login.php html code and in form action, it should be login.php specified

<form action="login.php">

2. If you have changed the label of submit button the the php code for validation wont work, causing blank page. check the php code in login.php

if ($_POST['Submit'] == 'Submit') {

weekendrockstar · #6 02-15-2012, 07:23 PM

I have no idea what happened or exactly how I fixed it but luckily I was able to so that I can finish up finishing up my first add-on. Releasing the add-on has been pushed back a bit as I am creating a new site for my programming and Web site design and of course I wanted to make use of the script on it so that my site can then make use of the add-ons I am creating for Login Script so in essence it creates a live demo just by people using the site.

I wish that I had a more concrete solution to post should someone else run into the same problem but again, I don't know what was causing it nor how I fixed it. I tried many different things and unfortunately I tried most of them at once instead of one at a time so I could know which change fixed it. I was just to desperate to get it working again.

RobHSK · #7 02-24-2012, 07:22 AM

Hi, don't be, were having teh same issue.
After entering login and pass... nothing happend..

I'm looking to a solution too but not found it yet, it looks like ofter submit the myaccount page doesn't open.
But soemtimes after a few hours or a day it works agian.

What I tried so far is to skip pasword lookup and than it opens, so can also be an error in the database... but unfortunatly I'm not a spe******t, just an older guy triingg to run a website for a choir.

What also might be posible, but not sure, that if to much people try to enter with wrong login it blocks for a while... don't know.

So cry for help from us too, keep in touch, I'm working on the solution too
Also try to reach the developer but no succes yet.

Regards
Rob

Wombat76 · #8 02-24-2012, 11:12 PM

It's very difficult to diagnose an intermittent problem, so the main thing is to pin down what is failing.

To do that I would add some code to login.php to display all the stored information and find out which piece of that information is missing or wrong. Something like this:

Code:

/******************** ERROR MESSAGES*************************************************
	  This code is to show error messages 
	  **************************************************************************/
	  if(!empty($err))  {
	   echo "<div class=\"msg\">";
	  foreach ($err as $e) {
	    echo "$e <br>";
	    }
	  echo "</div>";	
	   }
echo "<br />$GET variables:<br /><br />";
foreach($_GET as $key => $value) {
	echo $key." : ".filter($value)."<br />";
}
echo "<br />$POST variables:<br /><br />";
foreach($_POST as $key => $value) {
	echo $key." : ".filter($value)."<br />";
}
echo "<br />Database values:<br />";
echo "id : ".$id."<br />
pwd : ".$pwd."<br />
full_name : ".$full_name."<br />
approved : ".$approved."<br />
user_level : ".$user_level."<br />";
if (isset($pwd)){
echo "<br />Password check (these 2 values should be identical).<br />";
echo "pwd : ".$pwd."<br />Hash : ".PwdHash($pass,substr($pwd,0,9))."<br />";
}
echo "SESSION array:<br />";
if (isset($_SESSION['user_id'])){
print_r($_SESSION);
echo "<br />";
} else {
echo "SESSION array not set<br />";
}
echo "COOKIE array:<br />";
if (isset($_COOKIE['user_id'])){
print_r($_COOKIE);
echo "<br />";
} else {
echo "COOKIE array not set<br />";
}

	  /******************************* END ********************************/

Add the red code to your login.php file. It will then display the values of all the data created by the script. If any of it is missing or incorrect then you will have tracked down where the script is failing when it does. That should help in tracking down the error.

RobHSK · #9 02-25-2012, 10:40 AM

Thanks for the tip. I'll try it.
Kind regards
Rob

RobHSK · #10 02-25-2012, 10:56 AM

Just one more question,

I've seen that the database is running in MySQL version 4 while 5 is now the standard, might this be a problem, and can I update it to MySQL5?
or will this cause other problems?

Thanks for help and tips.
Rob

Wombat76 · #11 02-25-2012, 12:13 PM

Hi Rob.

As far as I know there are no problems running on MySQL 4 or 5, so updating shouldn't be an issue.

So are you running the server on your local computer as opposed to remote hosting?

Wombat76 · #12 02-26-2012, 10:09 AM

One more thing that occurred to me - is the script failing intermittently when logging in the SAME user? Or do some users' logins fail and not others?

If the latter then I would suspect the database records. Were some created before and some after making changes to the script, such as the password salt, salt length or password encryption function?

RobHSK · #13 02-26-2012, 01:38 PM

No, were running the site on a remote host.

Yesterday, it happened a gain that the login did not do anything than showing the login page, than I added your script to the login.php and tried again.
Unfortunately nothing happened, well the table/list showed very nice in the screen but that was all, nothing got filled on login with name and password.
I did try with a wrong name and password, this was perfectly displayed at the first two lines, so your script was working fine so far.
After a few login’s with the right name and pass suddenly it worked again, so its really something spooky, and is driving me really crazy

…. Specially for an old guy with so less knowledge of this like me.

Just thinking out load, Can it be that this has something to do with page protect are something in the dhc.php? As when a page is tried to be opened without login you are directed to login.php, this looks the same as what is happening

<?php
include 'dbc.php';
page_protect();
?>

Appreciate your help.

RobHSK · #14 02-26-2012, 01:40 PM

forgot to reply, if it doesn't work, it doesn't for all users.
Also I didn't change any of the password salt, salt length or password encryption functions.

Wombat76 · #15 02-26-2012, 03:17 PM

Quote:

Originally Posted by RobHSK

Yesterday, it happened a gain that the login did not do anything than showing the login page, than I added your script to the login.php and tried again.
Unfortunately nothing happened, well the table/list showed very nice in the screen but that was all, nothing got filled on login with name and password.

My additions to login.php above will merely display all the variables and $_SESSION and $_COOKIE data created by login.php. They won't cure any problem.

What you need to do when the login fails is to look at the variabes etc. displayed by my piece of code and see which ones have been created. Are any missing that should have been created by the script? Do any of the variables have a different value to what was expected? Were $_SESSION and $_COOKIE arrays created? If so, do they contain the expected values?

That might give a clue as to what is going wrong in the script. If the problem is with the remote server, however, then this probably won't help except to rule out errors in your script.

Can you paste your login.php script on here for me to look at?

RobHSK · #16 02-28-2012, 07:42 AM

Hi, Yesterday evening I used to do some more tests.
I noticed that when you remove page protect froom the myaccount.php and try to login while te problem has occured and than login with your name and password. the myaccount page does opens that mean that my username and password has been verified and mached with the database.
But on the myaccount page the left menu is missing and also the echo of the user name, and conform the script it mean that I'm not really logged in.
Looking at this I think it has someting to do with the very high protection level, maybe its a timing matter, don't know but sure it must go wrog in the script below. At least I do know for sure that when it looks that the login doesnt look to work you're directed to the login page every time you enter your name and pass.
Maybe this script is a little to high for a simple member login for a 60 man choir... and I have to look for a simple login script with less protection, and less headache...

tips and suggestions are very welcom!

PHP Code:


			
/**** PAGE PROTECT CODE  ********************************
This code protects pages to only logged in users. If users have not logged in then it will redirect to login page.
If you want to add a new page and want to login protect, COPY this from this to END marker.
Remember this code must be placed on very top of any html or php page.
********************************************************/

function page_protect() {
session_start();

global $db; 

/* Secure against Session Hijacking by checking user agent */
if (isset($_SESSION['HTTP_USER_AGENT']))
{
    if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
    {
        logout();
        exit;
    }
}

// before we allow sessions, we need to check authentication key - ckey and ctime stored in database

/* If session not set, check for cookies set by Remember me */
if (!isset($_SESSION['user_id']) && !isset($_SESSION['user_name']) ) 
{
    if(isset($_COOKIE['user_id']) && isset($_COOKIE['user_key'])){
    /* we double check cookie expiry time against stored in database */
    
    $cookie_user_id  = filter($_COOKIE['user_id']);
    $rs_ctime = mysql_query("select `ckey`,`ctime` from `users` where `id` ='$cookie_user_id'") or die(mysql_error());
    list($ckey,$ctime) = mysql_fetch_row($rs_ctime);
    // coookie expiry
    if( (time() - $ctime) > 60*60*24*COOKIE_TIME_OUT) {

        logout();
        }
/* Security check with untrusted cookies - dont trust value stored in cookie.         
/* We also do authentication check of the `ckey` stored in cookie matches that stored in database during login*/

     if( !empty($ckey) && is_numeric($_COOKIE['user_id']) && isUserID($_COOKIE['user_name']) && $_COOKIE['user_key'] == sha1($ckey)  ) {
           session_regenerate_id(); //against session fixation attacks.
    
          $_SESSION['user_id'] = $_COOKIE['user_id'];
          $_SESSION['user_name'] = $_COOKIE['user_name'];
        /* query user level from database instead of storing in cookies */    
          list($user_level) = mysql_fetch_row(mysql_query("select user_level from users where id='$_SESSION[user_id]'"));

          $_SESSION['user_level'] = $user_level;
          $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
          
       } else {
       logout();
       }

  } else {
    header("Location: /phplogin_v2.3/login.php");
    exit();
    }
}
}



function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));
    
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);
    
    $data = mysql_real_escape_string($data);
    
    return $data;
}



function EncodeURL($url)
{
$new = strtolower(ereg_replace(' ','_',$url));
return($new);
}

function DecodeURL($url)
{
$new = ucwords(ereg_replace('_',' ',$url));
return($new);
}

function ChopStr($str, $len) 
{
    if (strlen($str) < $len)
        return $str;

    $str = substr($str,0,$len);
    if ($spc_pos = strrpos($str," "))
            $str = substr($str,0,$spc_pos);

    return $str . "...";
}    

function isEmail($email){
  return preg_match('/^\S+@[\w\d.-]{2,}\.[\w]{2,6}$/iU', $email) ? TRUE : FALSE;
}

function isUserID($username)
{
    if (preg_match('/^[a-z\d_]{5,20}$/i', $username)) {
        return true;
    } else {
        return false;
    }
 }    
 
function isURL($url) 
{
    if (preg_match('/^(http|https|ftp):\/\/([A-Z0-9][A-Z0-9_-]*(?:\.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?\/?/i', $url)) {
        return true;
    } else {
        return false;
    }
} 

function checkPwd($x,$y) 
{
if(empty($x) || empty($y) ) { return false; }
if (strlen($x) < 4 || strlen($y) < 4) { return false; }

if (strcmp($x,$y) != 0) {
 return false;
 } 
return true;
}

function GenPwd($length = 7)
{
  $password = "";
  $possible = "0123456789bcdfghjkmnpqrstvwxyz"; //no vowels
  
  $i = 0; 
    
  while ($i < $length) { 

    
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
       
    
    if (!strstr($password, $char)) { 
      $password .= $char;
      $i++;
    }

  }

  return $password;

}

function GenKey($length = 7)
{
  $password = "";
  $possible = "0123456789abcdefghijkmnopqrstuvwxyz"; 
  
  $i = 0; 
    
  while ($i < $length) { 

    
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
       
    
    if (!strstr($password, $char)) { 
      $password .= $char;
      $i++;
    }

  }

  return $password;

}


function logout()
{
global $db;
session_start();

if(isset($_SESSION['user_id']) || isset($_COOKIE['user_id'])) {
mysql_query("update `users` 
            set `ckey`= '', `ctime`= '' 
            where `id`='$_SESSION[user_id]' OR  `id` = '$_COOKIE[user_id]'") or die(mysql_error());
}            

/************ Delete the sessions****************/
unset($_SESSION['user_id']);
unset($_SESSION['user_name']);
unset($_SESSION['user_level']);
unset($_SESSION['HTTP_USER_AGENT']);
session_unset();
session_destroy(); 

/* Delete the cookies*******************/
setcookie("user_id", '', time()-60*60*24*COOKIE_TIME_OUT, "/");
setcookie("user_name", '', time()-60*60*24*COOKIE_TIME_OUT, "/");
setcookie("user_key", '', time()-60*60*24*COOKIE_TIME_OUT, "/");

header("Location: login.php");
}

// Password and salt generation
function PwdHash($pwd, $salt = null)
{
    if ($salt === null)     {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else     {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($pwd . $salt);
}

function checkAdmin() {

if($_SESSION['user_level'] == ADMIN_LEVEL) {
return 1;
} else { return 0 ;
}

}

?>

Wombat76 · #17 02-28-2012, 10:28 AM

Rob take a look at halosinfire posts here:

http://www.webmasterpals.com/showthr...?t=3220&page=2

This looks like a very similar problem. Could you be doing the same thing?

RobHSK · #18 03-04-2012, 01:30 PM

Hi, did read all through the problems over there, no its a completely different story. All that works fine, when this problem occure you keep the login page on your screen and you can fill in name and password again and again without you notice any thange (the page does refresh, so it is page protect that redirect you to the login page and that's very visable).

More members of the choir has login problems, and when it works on my side and I use there username and password it works fine.
Some people when I remove them form the database and add them again there problem ins solved, but is not a cure as it doesn't work all the time?

It also seem to vary by browser, if I try to login with for instance Avant browser... and when it doesn't work, I'll take Explorer and it works fine.
Than log out in Explore and try Avant again... and I can login and everything works fine...

I'm getting insane

Thanks for your help and time (do you have an other good script, less difficult)

polarexpress · #19 03-04-2012, 03:48 PM

All the features of log in script just work fine except the following:

Firefox, Google Chrome and Opera deny authenticity of authenticated / logged in users to grant access to the pages protected with following password protection code when it is included from any other sub directories with the right path.

An example is as following:

< ?php
include '../../../dbc.php';
page_protect(); ?>

Doesn't the above syntax support child directory page protection?

Wombat76 · #20 03-06-2012, 09:40 AM

Quote:

Originally Posted by polarexpress

All the features of log in script just work fine except the following:

Firefox, Google Chrome and Opera deny authenticity of authenticated / logged in users to grant access to the pages protected with following password protection code when it is included from any other sub directories with the right path.

An example is as following:

< ?php
include '../../../dbc.php';
page_protect(); ?>

Doesn't the above syntax support child directory page protection?

I suspect this is the same problem people are posting about elsewhere where session data is being lost by PHP across subdirectories.