Description: I have a portal protected by a login page. Upon successful login, you are then redirected to the home page [php]<?php header('Location: home/'); ?>[/php] I then use very simplistic session security to navigate through the portal. Once you click logout, the session variables are destroyed.
Problem: If I log in to my portal, then log out, then immediately log back in, I can access the home page like I normally would. However, I get sent to my access denied page if I navigate away from the home page. (This only seems to be happening in Firefox and Chrome, NOT IE.) The access_denied page only occurs if your session variables aren't set. I'm not sure if this is a logic error in my code, or perhaps there is a setting that needs to be changed in the php config file. Here is the code.
Login Page (index.php)
[php]
<?php
session_start();
// Check if the username and password POST variables contain data
if(isset($_POST['username']) && isset($_POST['password']))
{
    // The user submitted the login form
    $username = $_POST["username"];
    $password = $_POST["password"];
    // Connect to the db server and select the default database
    require('security/dbconnect.php');
    db_connect();
    // mysql_real_escape_string used to avoid SQL injection attacks
    // (the mysql_* extension is deprecated as of PHP 5.5 and removed in PHP 7;
    //  mysqli or PDO with a prepared statement is the replacement)
    $sql = "SELECT * FROM users
            WHERE user='" . mysql_real_escape_string($username) . "'
            AND pass='" . mysql_real_escape_string(md5($password)) . "'
            LIMIT 1";
    // Run the SQL query
    $result = mysql_query($sql) or die(mysql_error());
    // If mysql_num_rows returns a result, then the user exists in the database
    // and the password entered was correct
    // (unsalted md5 is a weak password hash; password_hash()/password_verify()
    //  are the modern replacement)
    if(mysql_num_rows($result))
    {
        // Get the first name of the user
        $row = mysql_fetch_object($result);
        $fullName = $row->full_name;
        $removeLastName = explode(" ", $fullName);
        $firstName = $removeLastName[0];
        // Create a salt (this is not the real salt)
        $salt = '******************';
        // Create Security Token
        // (date('W') is the ISO week number, so this token is identical for every
        //  user who logs in during the same week; it only acts as a "logged in" flag)
        $tokenString = (string) date('W') . $salt;
        $token = sha1($tokenString);
        // Declare Session Variables
        $_SESSION['token'] = $token;
        $_SESSION['valid_user'] = $firstName;
        // Regenerate session ID when privileges change, such as successful login
        // (session_regenerate_id(true) would also delete the old session file)
        session_regenerate_id();
        header('Location: home/');
        // header() does not stop the script; without exit the rest of the page still runs
        exit;
    }
    else
    {
        $invalid = 'Could not log you in';
    }
}
?>
[/php]
Each Page then requires this file, and calls function check_valid_user() (user_auth.php)
[php]
<?php
session_start();
function check_valid_user()
{
    if (!isset($_SESSION['token']))
    {
        header('Location: http://www.firebirdsmail.com/testfiles/new_portal/security/access_denied.php');
        // Stop here: a Location header alone does not prevent the protected page
        // from being rendered and sent along with the redirect
        exit;
    }
}
?>
[/php]
Finally, the logout page (logout.php)
[php]
<?php
require_once('user_auth.php');
check_valid_user();
$user = $_SESSION['valid_user'];
// Destroy the session
unset($_SESSION['token']);
unset($_SESSION['valid_user']);
$_SESSION = array();
// session_destroy() removes the server-side session data but does not remove the
// browser's session cookie; expire the cookie too so the next session_start()
// cannot resume the old session ID
if (ini_get('session.use_cookies'))
{
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params['path'], $params['domain'], $params['secure'], $params['httponly']);
}
session_destroy();
if(!empty($user))
{
    $logout = 'You have successfully logged out ' . $user;
}
else
{
    // In theory, this will never occur
    $logout = 'Could not log you out';
}
?>
[/php]
Let me know if you need more details. Any help or advice would be greatly appreciated.
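The following is an added example, not the poster's code, showing the same login / auth-check / logout flow written the way a security reviewer would want it: a prepared statement instead of string-built SQL, password_hash()/password_verify() instead of unsalted md5, a session ID regenerated (and the old file discarded) on login, exit after every redirect, and a logout that expires the browser cookie as well as destroying the server-side data. It assumes PHP 7.1 or later with the pdo_sqlite extension; the in-memory SQLite table, the user "alice", the password, and the path /security/access_denied.php are constructed fixtures, not values from the original post.

```php
<?php
// Added example (not the original poster's code). Assumes a `users` table with the
// columns user, pass (a password_hash() string) and full_name; the SQLite fixture
// below is constructed so the file runs from the CLI (php example.php).

// Returns the PDO handle used by the example. A real portal would replace this
// with its own connection (e.g. the db_connect() helper from the post).
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Constructed fixture: one user whose password is stored with password_hash().
        $pdo->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT, full_name TEXT)');
        $stmt = $pdo->prepare('INSERT INTO users (user, pass, full_name) VALUES (?, ?, ?)');
        $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'Alice Example']);
    }
    return $pdo;
}

// Verifies credentials with a prepared statement (no string-built SQL) and
// password_verify() (salted, slow hash). Returns the first name on success, null otherwise.
function authenticate(string $username, string $password): ?string {
    $stmt = db()->prepare('SELECT pass, full_name FROM users WHERE user = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    return explode(' ', $row['full_name'])[0];
}

// Marks the current session as logged in. A fresh ID is issued (and the old session
// file deleted) so an ID fixed before login, or left over from an earlier logout,
// is never promoted to an authenticated session.
function login_session(string $firstName): void {
    session_regenerate_id(true);
    $_SESSION['valid_user'] = $firstName;
    $_SESSION['login_time'] = time();   // assumed extra field, handy for idle timeouts
}

// Per-page guard. The per-user value in the session is the "logged in" flag; the
// exit after header() is what actually keeps the protected page from being sent.
function check_valid_user(): void {
    if (empty($_SESSION['valid_user'])) {
        header('Location: /security/access_denied.php');   // assumed path
        exit;
    }
}

// Clears the server-side data AND expires the browser cookie, so the next
// session_start() cannot resume the old ID (session_destroy() alone leaves the cookie).
function logout_session(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage: the same sequence as the poster's index.php / logout.php, run inline.
session_start();
$first = authenticate('alice', 'correct horse');   // 'Alice'
if ($first !== null) {
    login_session($first);
    // In index.php this is where header('Location: home/'); exit; would go.
}
check_valid_user();        // passes: valid_user is set
logout_session();          // now a second check_valid_user() would redirect and exit
```

Two points worth noting from the design: the session flag is a value specific to the user (the first name, or better an internal user ID) rather than a token derived from the week number and a fixed salt, which is identical for everyone who logs in that week and therefore proves nothing beyond "some session set it"; and session_regenerate_id(true) is called before the session variables are written, so the authenticated data only ever lives under the new ID.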