help with login system

[garrensilverwing]

Now that I got my login system working (thanks a lot garrettroyce) I want people to be able to log in on every page of my website, I went through and added all the code to every page (very tedious) but it only works on the home page. When I try logging into any other page it just refreshes the page and doesnt create a session (there are no errors to speak of). However, If i log into the homepage it recognizes I am logged in on every other page and I can subsequently log out. here are the codes the first is the homepage's (brianwallchess.x10hosting.com) code and the second is for brianwallchess.x10hosting.com/news any help would be appreciated.

homepage:

Code:

<?php
if(isset($_SESSION['id']))
    {$user = $_SESSION['user'];
    echo "<span class=\"date\">You are currently logged in as $user! <a href=\"logout.php\">Click here to log out.</a></span>";}
    else{
        if(!$_POST['submit'])
            {
            ?><form method="post" action="http://www.brianwallchess.x10hosting.com" class="form">
            <span class="date">
            Username 
            <input type="text" name="username" maxlength="16" style="height: 19px; width: 90px" />
            Password 
            <input type="password" name="password" maxlength="16" style="height: 18px; width: 90px" />
            <input type="submit" name="submit" value="Login" style="height: 20px" class="date" />
            </span>
            </form>
            &nbsp;<a href="register">Register Here</a>
            <?php }
        else {
            $user = protect($_POST['username']);
            $pass = protect($_POST['password']);
            if($user && $pass)
                {
                $pass = md5($pass);
                $sql="SELECT id,username,first FROM `members` WHERE `username`='$user' AND `password`='$pass'";
                $query=mysql_query($sql) or die(mysql_error());
 
                    if(mysql_num_rows($query) == 1)
                        {
                         $row = mysql_fetch_assoc($query);
                         $_SESSION['id'] = $row['id'];
                        $_SESSION['user'] = $row['username'];
                    $_SESSION['first'] = $row['first'];
                    $first = $_SESSION['first'];
                    echo "<span class=\"date\">$first, you are now logged in!</span>";
                    }
                else {
                    echo "<span class=\"date\">The username and/or password you entered is invalid. ";
                    echo "<a href=\"javascript:history.go(-1)\">Try again</a> ";
                    echo "or <a href=\"register\">register</a></span>";
                    }

                }
            }
    }
?>

News homepage:

Code:

<?php
if(isset($_SESSION['id']))
    {$user = $_SESSION['user'];
    echo "<span class=\"date\">You are currently logged in as $user! <a href=\"../logout.php\">Click here to log out.</a></span>";}
    else{
        if(!$_POST['submit'])
            {
            ?><form method="post" action="http://www.brianwallchess.x10hosting.com/news" class="form">
            <span class="date">
            Username 
            <input type="text" name="username" maxlength="16" style="height: 19px; width: 90px" />
            Password 
            <input type="password" name="password" maxlength="16" style="height: 18px; width: 90px" />
            <input type="submit" name="submit" value="Login" style="height: 20px" class="date" />
            </span>
            </form>
            &nbsp;<a href="../register">Register Here</a>
            <?php }
        else {
            $user = protect($_POST['username']);
            $pass = protect($_POST['password']);
            if($user && $pass)
                {
                $pass = md5($pass);
                $sql="SELECT id,username,first FROM `members` WHERE `username`='$user' AND `password`='$pass'";
                $query=mysql_query($sql) or die(mysql_error());
 
                    if(mysql_num_rows($query) == 1)
                        {
                         $row = mysql_fetch_assoc($query);
                         $_SESSION['id'] = $row['id'];
                        $_SESSION['user'] = $row['username'];
                    $_SESSION['first'] = $row['first'];
                    $first = $_SESSION['first'];
                    echo "<span class=\"date\">$first, you are now logged in!</span>";
                    }
                else {
                    echo "<span class=\"date\">The username and/or password you entered is invalid. ";
                    echo "<a href=\"javascript:history.go(-1)\">Try again</a> ";
                    echo "or <a href=\"../register\">register</a></span>";
                    }
                }
            }
    }
?>

[dickey]

did you put the session_start() in every page?

also try to check that you are saving your document in utf-8 format as it is what is stipulated in your doc-type.

[garrensilverwing]

Code:

<?php
session_start();
require "../../db_connect.php";
?>

this is at the beginning of every page and i did them in notepad so there wont be any utf-8 in there
Edit:
its only happening on the pages that i have renamed index.php so i can have extentionless urls so maybe its something simple...
Edit:
ok looks like it has something to do with the form action, if i set it to index.php it works perfectly but if i set it to ../news so the URL is still extensionless it resets it i wonder if there is away around this, anyone?

[misson]

ok looks like it has something to do with the form action, if i set it to index.php it works perfectly but if i set it to ../news so the URL is still extensionless it resets it i wonder if there is away around this, anyone?

You could put the login form handler in its own script ("/login.php"), put a hidden field (here named "redirect") with the URL of the page in which the form is embedded, set the form action to the login form handler. Upon successful login, login.php will redirect to $_Request['redirect'].

While you're at it, put the login form in a separate script somewhere on the include_path so you don't need to duplicate code, just add "include('loginForm.php')" to your main pages.

Edit:
Be more consistent with your indent style (1TBS is my favorite). Yours is generally OK, but an "else" should be in the same column as the corresponding "if", as should a block closing bracket.

[quantum1]

A coworker showed me the best security / login setup in the world...that I know of right now. ;)

You only have index.php in your public_html / www / htdocs directory (whichever one matches your hosting setup). You use index.php for everything. This took me a while to grasp but it allows you to only have index.php in your public directory and everything else can be somewhere else. Example source code with some functionality is shown below.

Basically, the only thing you can get to is index.php. If you have not logged in (with your email address and password in this case) you will get the login screen. Once logged in the site takes over, using index.php to get whatever it needs. Using " return include 'somefile' " causes php to include the file and then exit index.php.

In general you use the url "index.php?req=request" where "request" is the action you wish to perform. That is, "request" is used to decide what to do, include, etc.

I'll let you and/or others review the code and let me know if you have questions or comments.

Code:

<?php
  session_start();
  include '../web-include/php_functions.php';
  $email = isset($_SESSION['email']) ? $_SESSION['email'] : false;
  $admin = isset($_SESSION['admin']) ? $_SESSION['admin'] : false;
  $req = isset($_GET['req']) ? $_GET['req'] : false;
  $force = isset($_GET['force']) ? $_GET['force'] : false;
  if($req=='logout')
  {
    // Unset all of the session variables.
    $_SESSION = array();
    // If it's desired to kill the session, also delete the session cookie.
    // Note: This will destroy the session, and not just the session data!
    if (isset($_COOKIE[session_name()])) {
        setcookie(session_name(), '', time()-42000, '/');
    }
    // Finally, destroy the session.
    session_destroy();
    // clear variables
    $email = '';
    $req = '';
    // redirect
    header('location: index.php');
  }
  if($email || ($force == 'true'))
  {
    if($admin || ($force == 'true'))
    {
      switch ($req)
      {
        case 'usermaint_js': return include '../web-include/usermaint.js';
        case 'usermaint_list_states_php': return include '../web-include/usermaint_list_states.php';
        case 'usermaint_list_all_states_php': return include '../web-include/usermaint_list_all_states.php';
        case 'usermaint_list_emails_php': return include '../web-include/usermaint_list_emails.php';
        case 'usermaint_list_last_names_php': return include '../web-include/usermaint_list_last_names.php';
        case 'usermaint_list_users_php':
        {
          $_SESSION['lookupfirstletter'] = isset($_GET['lookupfirstletter']) ? $_GET['lookupfirstletter'] : false;
          $_SESSION['lookupstate'] = isset($_GET['lookupstate']) ? $_GET['lookupstate'] : false;
          $_SESSION['lookupemailat'] = isset($_GET['lookupemailat']) ? $_GET['lookupemailat'] : false;
          return include '../web-include/usermaint_list_users.php';
        }
        case 'usermaint_get_user_data_php':
        {
          $_SESSION['lookupuserid'] = isset($_GET['lookupuserid']) ? $_GET['lookupuserid'] : false;
          return include '../web-include/usermaint_get_user_data.php';
        }
        case 'usermaint_update_user_data_php': return include '../web-include/usermaint_update_user_data.php';
        case 'usermaint_add_user_data_php': return include '../web-include/usermaint_add_user_data.php';
        case 'testuser':
        {
          $emailtest = isset($_GET['emailtest']) ? $_GET['emailtest'] : false;
          $firstnametest = isset($_GET['firstnametest']) ? $_GET['firstnametest'] : false;
          $lastnametest = isset($_GET['lastnametest']) ? $_GET['lastnametest'] : false;
          $_SESSION['emailtest'] = $emailtest;
          $_SESSION['firstnametest'] = $firstnametest;
          $_SESSION['lastnametest'] = $lastnametest;
          $_SESSION['admin'] = '';
          return include '../web-include/boardinvoiceclient.php';
        }
        default: return include '../web-include/usermaint.php';
      }
    }
    switch ($req)
    {
      case 'buildtree': return include '../web-include/buildtreedata.php';
      case 'buildtreejs': return include '../web-include/buildfiletree.js';
      case 'uploaddialogjs': return include '../web-include/Ext.ux.UploadDialog.js';
      case 'uploaddialogcss': return include '../web-include/Ext.ux.UploadDialog.css';
      case 'uploaddialogphp': return include '../web-include/upload-dialog-request.php';
      case 'server': return include '../web-include/boardinvoiceserver.php';
      case 'file': return include '../web-include/getfile.php';
      case 'backtoadmin':
      {
        $_SESSION['emailtest'] = '';
        $_SESSION['admin'] = '1';
        // redirect
        header('location: index.php');
      }
      default: return include '../web-include/boardinvoiceclient.php';
    }
  }
  switch ($req)
  {
    case 'loginjs': return include '../web-include/login.js';
    case 'login': return f_validate_user();
  }
  return include '../web-include/entrypoint.php';
?>