I have a basic log in set up for users to access a document request form. It works fine, except the first time I log in. The first time, I get redirected to the correct page with the $_GET vars clearly showing the login was a success, but the Session has been killed/regenerated somehow, so it includes the login form instead of the account page. It only happens the first time I log in after opening a browser.
This has been giving me a headache for days. I have session_start(); on top before everything, nothing is being sent before headers, so I don't get it. Below is the code.
partner_login.php
<?php session_start();
$_SESSION['logtoken']=sha1(microtime('get_as_float'));
$_SESSION['reqtoken']=sha1(microtime('get_as_float'));
//I set some text vars here
if(isset($_SESSION['loginsuccess'])&&($_SESSION['loginsuccess']=="1")){
include_once('sqlconnect.php');
$thisuser=$_SESSION['username'];
$query="SELECT * FROM userinfo WHERE username='$thisuser'";
$result=$mysqli->query($query);
$row = $result->fetch_assoc();
$firstname=$row['firstname'];
$lastname=$row['lastname'];
}
$thiscontent=(isset($_SESSION['loginsuccess'])&&$_SESSION['loginsuccess']=="1")?include('account.php'):include('loginform.php');
$insideCONTENTHOLDER="
<div id='CONTENT' style='width:741px;min-height:800px;background-color:white;float:right;border-right:4px solid #a0a0a0;border-top:4px solid #a0a0a0;padding:20px;'>
".$txt['TITLE']."<p>".$txt['TEXT']."<p>".$thiscontent."</div><!--END CONTENT DIV-->";
include_once('template.php');
?>
logingate.php
<?php session_start();
if (!isset($_SESSION['logtoken'])||!isset($_POST['token'])||(empty($_SESSION['logtoken']))||(empty($_POST['token']))||($_SESSION['logtoken'] != $_POST['token'])) {
$_SESSION['loginsuccess'] = "0";
header( "Location: partner_login.php?loginfail=1&err=6" );//err 6 == session token!=post token
}
elseif (!isset($_POST['username']) || !isset($_POST['password'])) {
header( "Location: partner_login.php?loginfail=1&err=0" );//err 0 == one of them was not set
}
elseif (empty($_POST['username']) || empty($_POST['password'])) {
header( "Location: partner_login.php?loginfail=1&err=00" );//err 00 == one of them was empty
}
else{
//connect to database $db, char set UTF_8
include_once('sqlconnect.php');
//sql injection protect
function clean($thisvar){
$thisvar=$mysqli->real_escape_string($thisvar);
return $thisvar;
}
//escape all input
$user = $mysqli->real_escape_string($_POST['username']);
$pass = $mysqli->real_escape_string($_POST['password']);
//salt and hash password from table
$query="SELECT * FROM userinfo WHERE username='$user'";
$result1=$mysqli->query($query);
$row = $result1->fetch_assoc();
$passhash = sha1($pass.$row['salt']);
//check that at least one row was returned
$query2="SELECT * FROM userinfo WHERE username='$user' and passwordhash='$passhash'";
$result=$mysqli->query($query2);
$rowCheck = $result->num_rows;
if($rowCheck > 0){
//session variables
$_SESSION['username'] = $user;
$_SESSION['loginsuccess'] = "1";
header( "Location: partner_login.php?lsuccess=1&user=$user" );
}
else {
header( "Location: partner_login.php?loginfail=1&err=9" ); //err 9 == username and password don't match in table
}
}
?>
Here is the phpinfo() section on sessions:
Session Support enabled Registered save handlers files user sqlite
Registered serializer handlers php php_binary wddx Directive Local Value Master Value session.auto_start Off Off session.bug_compat_42 On On session.bug_compat_warn On On session.cache_expire 180 180 session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off session.cookie_lifetime 0 0
session.cookie_path / / session.cookie_secure Off Off
session.entropy_file no value no value session.entropy_length 0 0
session.gc_divisor 100 100 session.gc_maxlifetime 1440 1440
session.gc_probability 1 1 session.hash_bits_per_character 4 4
session.hash_function 0 0 session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files session.save_path /tmp /tmp
session.serialize_handler php php session.use_cookies On On
session.use_only_cookies Off Off session.use_trans_sid 0 0
Thank you for you help!
