I am creating a user login system similar to a client intranat. And when I try to access the main page I get a redirect loop in FF.
I am checking to see if a user is logged in with this:
if(($_SERVER['PHP_SELF'] != '/webmaster/index.php') && ($_SESSION['loggedin'] != '1234')){
header("Location: ".$domain."index.php?l=no");
exit();
}
Below is my process-login.php -> which is the file that handles client login:
<?php
ob_start();
session_start();
ini_set('display_errors', 1);
error_reporting(E_ALL | E_NOTICE);
include ("config.inc.php");
include ("jsonEncode.php");
// username and password sent from form
$username = '';
$password = '';
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$sql = "SELECT * FROM clients WHERE username='$username' AND password='$password' LIMIT 1";
//echo $sql;
$result = mysql_query($sql);
$data = mysql_fetch_array($result);
$count = mysql_num_rows($result);
if($count==1){
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
$_SESSION['client_id'] = $data['c_id'];
$_SESSION['loggedin'] = "1234";
/*
echo $_SESSION['client_id'];
echo $_SESSION['password'];
echo $_SESSION['username'];
*/
echo $_SESSION['loggedin'];
// valid
$var = array('valid' => 1, 'username' => $username, 'password' => $password);
print php_json_encode($var);
}else{
// invalid
$var = array('valid' => 0, 'username' => $username, 'password' => $password);
print php_json_encode($var);
}
?>
The main index.php page has two forms one for clients and one for webmastsers, and if you are a client you are redirected to: clients/, and if you're a webmaster you're redirected to: webmaster/.
I have checked my login scripts and it is returning the right information and logging it in, but it keeps looping.
The form is submitted via ajax then returns JSON with a value of 1 being valid or 0 invalid to see if the user can continue.
If the form is submitted through AJAX are you sure that the session cookie is set accordingly? I know that Firefox will send cookie information together with asynchronous requests but are you confident that it will work the other way around?
if (($_SERVER['PHP_SELF'] != '/webmaster/index.php') &&
($_SESSION['loggedin'] != '1234')) { // I don't like this!
header("Location: ".$domain."index.php?l=no");
exit();
}
The $_SESSION['loggedin'] value would be != '1234' most of the time and this would be the case initially, you should check whether the value is undefined as well and act accordingly. What guarantees do you have right now that if the user requests index.php that $_SESSION['loggedin'] is not != '1234' if this is a new session? Otherwise you'll have a redirection loop which can be caused if the AJAX response doesn't set a session cookie accordingly, assuming you use session cookies to track user session?