
php header/session problem

  • 08-07-2005 10:50am
    #1
    Registered Users Posts: 180 ✭✭


    Hi,

    I have a problem with a section of a cms that I am writing.

    This is the final section of the cms whereby administration users can be added and edited for the cms.

    My problem is that when I either add or edit a user I am logged out automatically and cannot log back in without restarting my browser. (I have tried it in Firefox, Opera and IE - all Windows)

    Here is the offending code:

    [php]
    require('php/session.php');   // session check (shown below)
    require('php/settings.php');  // database connection and shared settings

    // Form fields, read straight from the POST data
    $name = $_POST['name'];
    $email = $_POST['email'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    $accessType = $_POST['accessType'];

    // The values are interpolated directly into the SQL string
    $sql = "insert into users (name, email, username, password, access_type)
    values ('$name','$email','$username','$password','$accessType')";

    mysql_query($sql) or die(mysql_error());

    header('Location: admin_viewusers.php');
    [/php]

    php/session.php contains
    [php]
    session_start();
    header("Cache-control: private"); // IE 6 Fix.
    $usernameVAR = "username";
    $passwordVAR = "password";

    if($_SESSION!=$usernameVAR || $_SESSION!=$passwordVAR)
    {
        header('location: index.php');
    }
    [/php]

    php/settings.php contains general settings like the database connection and some variables that need to be accessed by most of the files etc.

    I have used this technique all through the site and this hasn't happened, yet it does here.

    If anyone can offer any help/advice I would greatly appreciate it :D


Comments

  • Registered Users Posts: 227 ✭✭ stas


    Are you sure it's not your redirect losing the session?
    To avoid such things I always use this function for redirects:
    [php]
    // Redirect helper: appends the session ID to the URL when SID is non-empty
    function redirect($to) {
        if (defined('SID') && strlen(SID)) {
            if (false === strpos($to, '?'))
                $to .= '?'.SID;
            else
                $to .= '&'.SID;
        }
        header("Location: $to");
    }
    [/php]


  • Registered Users Posts: 83 ✭✭ fatlog


    Are you running this on a live server or locally on your PC? I had an issue before with sessions where the php.ini file had some incorrect settings and every time I called session_start() in a different script it overwrote the session variables. Like your example, I had a redirect if the session variables weren't correct and I kept getting dumped out to the login screen and, like you, I needed to open a new browser window to start again.

    Try checking/outputting the session variables along the way to see if they are correct.

    That's what I get for continually messing around with php.ini.
    I had messed around with the file so much I ended up copying in a fresh php.ini from scratch. That'll learn me!!


  • Registered Users Posts: 4,003 ✭✭✭ rsynnott


    It's SQL Injection-tastic. Seriously, fix this. (Hint: addslashes/stripslashes)
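
The SQL injection flagged in the reply above, closed with bound parameters instead of string interpolation. This is an added example, not part of the original thread: it swaps the escaping hinted at above for PDO prepared statements, also stores a password hash instead of the plain value, uses an in-memory SQLite database as a stand-in for the poster's MySQL connection, and `add_user()` is a hypothetical helper name.

```php
<?php
// Added example (not the poster's code): the thread's INSERT with bound parameters.
// Assumptions: PDO with the sqlite driver; add_user() is a hypothetical helper.

function add_user(PDO $db, array $post): int
{
    // Field names taken from the thread's form; reject missing or non-string input.
    foreach (['name', 'email', 'username', 'password', 'accessType'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f]) || $post[$f] === '') {
            throw new InvalidArgumentException("missing field: $f");
        }
    }

    // Placeholders keep user data out of the SQL text entirely, so a quote
    // inside a value cannot change the structure of the statement.
    $stmt = $db->prepare(
        'INSERT INTO users (name, email, username, password, access_type)
         VALUES (:name, :email, :username, :password, :access_type)'
    );
    $stmt->execute([
        ':name'        => $post['name'],
        ':email'       => $post['email'],
        ':username'    => $post['username'],
        // Addition beyond the thread's code: store a salted hash, not the password.
        ':password'    => password_hash($post['password'], PASSWORD_DEFAULT),
        ':access_type' => $post['accessType'],
    ]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
           username TEXT, password TEXT, access_type TEXT)');

// Constructed sample input standing in for $_POST; note the quote in "name".
$post = ['name' => "Pat O'Brien", 'email' => 'pat@example.com',
         'username' => 'pat', 'password' => 'constructed-sample',
         'accessType' => 'editor'];

$id = add_user($db, $post);

$check = $db->prepare('SELECT name, password FROM users WHERE id = ?');
$check->execute([$id]);
$row = $check->fetch(PDO::FETCH_ASSOC);

// The name round-trips unchanged and the stored hash verifies.
var_dump($row['name'] === $post['name']);
var_dump(password_verify($post['password'], $row['password']));
```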


  • Registered Users Posts: 2,243 ✭✭✭ zoro


    No - it looks like when he resubmits the new user's details, they're overwriting his currently logged in variables

    In your add/edit code, change the username and password form fields to AddUserName or EditUserName or NewUserName or anything other than "username" and "password"
    Once you submit the new data, you can manipulate it how you want, but if you don't modify the names first, they will become the new username and password of the currently logged in user :)


  • Registered Users Posts: 3,548 ✭✭✭ Draupnir


    You get a job yet Dan?


  • Registered Users Posts: 2,243 ✭✭✭ zoro


    If you're talking to me ... then yeah :) I'm in with Precision Software :D

    But I know all the SQL/PHP stuff 'cause of www.unreal.ie (I wrote it and its CMS system, with some help of course)
    Who's you? :)

