Login Browser Security Issues

[masterjake]

My site is http://masterjake.co.nr/. For some reason, for people to login, they have to either have their privacy level on low or my site in their allow list. I put a tutorial on the login page on how to lower your security or allow my site but can someone help me with a login system that doesn't require low browser security. Thanks!

[conker87]

What is the code that you're using to login? I can see it's php, but can you post the code?

[masterjake]

I have a page called login.php with a form on it. The action of the form goes to a page called do_login.php?login=yes where everything takes place. This is the do_login code:

------------------------------------------------------------------------
<?php session_start(); ?>
<?php
$username=$_POST['username'];
$password=$_POST['password'];
$login=$_GET['login'];
if ($login=='yes') {
$con = mysql_connect('localhost','my_user_here','my_pass_ here');
mysql_select_db('my_db_here');
$get = mysql_query("Select count(id) FROM users WHERE username='$username' AND password='$password'");
$result = mysql_result($get,0);

if ($result != 1) {

header ("Location: login_failed.php");
}else{

$_SESSION['username']=$username;
header ("Location: login_success.php");
}

}
?>
------------------------------------------------------------------------

[mr kennedy]

you have the php header at the wrong location :p

should be like this:
<?php

<?php session_start(); ?>
$username=$_POST['username'];
$password=$_POST['password'];
$login=$_GET['login'];
if ($login=='yes') {
$con = mysql_connect('localhost','my_user_here','my_pass_ here');
mysql_select_db('my_db_here');
$get = mysql_query("Select count(id) FROM users WHERE username='$username' AND password='$password'");
$result = mysql_result($get,0);

if ($result != 1) {

header ("Location: login_failed.php");
}else{

$_SESSION['username']=$username;
header ("Location: login_success.php");
}

}


?>

you should have the <?php before your php codes...

[Slothie]

There is nothing wrong with his php headers. He already does have <?php tags in case you haven't noticed and there is nothing wrong with multiple <?php ?>s.
Apart from relative URL's in the header bits I can't see much that's wrong.

[masterjake]

Yeah theres nothing wrong with multiples, that code you posted didn't really work. Thanks for your help though. Browser security on medium protects people from logging into sites with content that is able to be dangerous to them i guess. Is it because my database stores their ip when they register? Is that why the can't login because it retrieves that from the database somehow?

[Slothie]

No, database logging is fine, in fact most systems use databases to store member information.

[masterjake]

Yeah I like the my database. I just don't understand. Every browser will allow people to login fine except Internet Explorer. On it, you have to lower your security or add me to your allow list. I just don't get why that happens.

[Thewinator]

You could try echoing a meta redirect if the header information is the problem like this:

PHP Code:

if ($result != 1) 
{
    echo '<meta http-equiv="refresh" content="0;URL=login_failed.php" />';
}
else
{
    $_SESSION['username']=$username;
    echo '<meta http-equiv="refresh" content="0;URL=login_success.php" />';
} 


But I don't think any of this should mater, becouse this is a server side script and has nothing to do with the clients security level.