2

I have a very simple session-based login system in PHP. I have used similar systems a lot in the past and there was never any problem. However, now I'm running into a very strange occurrence - when I type in my username and password for the first time, nothing happens. But when I type it for the second, third, and every consecutive time, it works fine!

Let me illustrate with two files. In index.php I have a standard login form:

<form id="lform" action="login.php" method="post">
    <table cellpadding='1' cellspacing='0'>
        <tr>
            <td width='60'>
                EMAIL<br/>(or Username)
            </td>
            <td width='120'>
                <input type="text" name="email" id="l_email" class="keylog" />
            </td>
        </tr>
        <tr>
            <td>
                PASSWORD
            </td>
            <td>
                <input type="password" name="password" id="l_password" class="keylog" />
            </td>
        </tr>
    </table>
    <!-- submit button, forgotten-password etc go here, not really relevant -->
</form>

As you see, it submits to login.php. In that file, I first check the username and password against the DB. If it checks out (and it does check out correctly) then this happens:

//get the user's database entry in an array named $row

//create session variables
$_SESSION['username']=$row['username'];
$_SESSION['user_id']=$row['id'];
$_SESSION['user_level']=$row['account_type'];

//store login in database
mysql_query("update members set last_login='$today' where id='$row[id]' ");
mysql_query("insert into login_log set member_id='$row[id]' ");

//redirect back to index.php
header("location: ".$url."en/index.php");
exit;

At this point, everything seems fine. The MySQL queries execute correctly, saving the login into the database. If I do var_dump($_SESSION) here (instead of redirecting back) it prints out the session array including all the variables I have set above. So here the session exists, and it looks like:

array(3) { ["username"]=> string(9) "monsignor" ["user_id"]=> string(1) "2" ["user_level"]=> string(1) "2" }

The problem occurs after the redirect. In the top of index.php I have placed:

session_start();
var_dump($_SESSION);

Here (after the first login) the var_dump just shows array(0) { }! It's like the session gets destroyed during the redirect for some reason.

What's even stranger is that, if I now proceed to type my username/password again and submit the form, after the redirect it shows the correct session values in index.php:

array(3) { ["username"]=> string(9) "monsignor" ["user_id"]=> string(1) "2" ["user_level"]=> string(1) "2" } 

From this point on, the login session remains active and works fine.

So, to sum up, after the first login attempt, the session variables seem to disappear between the login script and the page it redirects to, but on every consecutive attempt it works fine! Then, if I don't log in for a couple of hours (I haven't timed it exactly), the first next attempt doesn't work again, the second one does etc.

I hope someone can help me out here because I am stumped by this.

EDIT:

Here is the full code of login.php and index.php, I put it on pastebin because it's too large to display nicely here.

login.php index.php

EDIT Pt 2:

When I open index.php, then try to log in for the first time, the above problem happens. But when I open index.php, reload the page once, then try to log in for the first time, it works. So the problem isn't with the redirect, it's something to do with the page itself.

sveti petar
  • This is a possible duplicate of http://stackoverflow.com/questions/17242346/php-session-lost-after-redirect – GuyT Jan 17 '14 at 11:31
  • @GuyT I have gone through all the options suggested by the answer to that question and eliminated all of them as a possible cause here. Note also that the second, third and consecutive redirects don't nullify the session, only the first. – sveti petar Jan 17 '14 at 12:31
  • Post your full code of `index.php` and `login.php` – GuyT Jan 17 '14 at 12:34
  • First of all: use `PDO` instead of `mysql_*` (mysql is deprecated). Second: you're vulnerable to SQL injection `mysql_query("select * from medals_awarded where member_id='$_SESSION[user_id]' && medal_id='$medal_id' && type='gold' order by date_time desc ");` ALWAYS check and escape the input (also from `$_SESSION`). Please don't do this: `elseif($password=="sp36HHFF652b"){//echo 2;` use a user level to determine if a user has admin rights. Last issue: where is the form? I don't see it in the `index.php`? – GuyT Jan 17 '14 at 12:58
  • Thanks, I'll fix the injection issue; as for `mysql` VS `pdo` it uses `mysql_` because it's pretty old code. I'll look into that later, right now I'd like to concentrate on the login problem. The "master password" is only for my testing purposes, that part will be removed completely. – sveti petar Jan 17 '14 at 13:01
  • Here is the updated paste, with the login form (though I don't think the form itself matters, it's just 2 fields and a submit button): [link](http://pastebin.com/rYiakcXP) – sveti petar Jan 17 '14 at 13:06
  • @GuyT I forgot to mention - this isn't specific to one server either, I tried moving it to a different server and the same thing happens. – sveti petar Jan 17 '14 at 13:27
  • New info added to the question (under "edit pt 2"). – sveti petar Jan 17 '14 at 14:38
  • Is the problem already solved? Is there a possibility that `config.php` or `functions.php` is giving the problem (because you include them before you dump the session)? – GuyT Jan 18 '14 at 15:34
  • Did you ever find the cause of this issue? I am having the same problem with my PHP login form. It never works the first time the form is submitted - only consecutive submissions return true. – Purple Lady Apr 25 '17 at 17:33

1 Answer

2

Try starting the session at the top of login.php before setting $_SESSION values.

cecilozaur
  • Chances are the SESSION isn't being started until you've redirected once to login.php - on the second time the SESSION is started and sets correctly. – Ryan Jan 17 '14 at 11:31
  • The session is already being started at the top of login.php, the first line is `session_start()`. I don't know why it would make a difference whether the page is opened once or twice? – sveti petar Jan 17 '14 at 12:29
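
Added example (not part of the original thread and not the asker's code): the post-authentication steps of login.php written the way GuyT's comment asks for, with PDO prepared statements in place of interpolated `mysql_query` calls, and with the session opened and its ID regenerated before `$_SESSION` is written. The `complete_login()` helper, the `password_hash` column and the in-memory SQLite schema are assumptions; the other table and column names come from the question.

```php
<?php
// Added example. members.id/username/account_type/last_login and
// login_log.member_id are from the question; everything else is assumed.
declare(strict_types=1);

function complete_login(PDO $db, string $login, string $password): bool
{
    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT id, username, account_type, password_hash FROM members WHERE username = ?'
    );
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // The session must be open before $_SESSION is written; a fresh ID is
    // issued at login so an ID handed out before authentication is not kept.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['username']   = $row['username'];
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['user_level'] = (int) $row['account_type'];

    // The same two writes as in the question, with placeholders instead of interpolation.
    $db->prepare('UPDATE members SET last_login = ? WHERE id = ?')
       ->execute([date('Y-m-d H:i:s'), $row['id']]);
    $db->prepare('INSERT INTO login_log (member_id) VALUES (?)')
       ->execute([$row['id']]);
    return true;
}

// Constructed schema and user so the function can be exercised without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, account_type INTEGER, password_hash TEXT, last_login TEXT)');
$db->exec('CREATE TABLE login_log (member_id INTEGER)');
$db->prepare('INSERT INTO members (username, account_type, password_hash) VALUES (?, 2, ?)')
   ->execute(['monsignor', password_hash('constructed-password', PASSWORD_DEFAULT)]);

var_dump(complete_login($db, 'monsignor', 'constructed-password'));
var_dump(complete_login($db, "monsignor'--", 'x')); // quote is treated as data, no row matches
```

In a real login.php the caller would send the `Location` header and `exit` only after `complete_login()` returns true.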