Jump to content

Weird Session Anomaly

NomadicJosh

By NomadicJosh
in PHP Coding Help

 Share

Recommended Posts

NomadicJosh Member

NomadicJosh

Posted
Posted

I am having this weird session anomaly. When logged is as a regular user, all is well until I get to this one page in particular. Once I click the link to get to this page, I become logged in as someone else. The domain is consistent across, and session_start(); is present on all pages. Is there some check that I can use to figure out why this happens every time? Thanks.

Link to comment
Share on other sites
NomadicJosh Member

NomadicJosh

Posted
  • Author
Posted

Here is some code, but it is going to be long.

 

project.php

<?php 
// Starts the session.
session_start();
define('access',true);
include(dirname(dirname(__FILE__)) . '/config.inc.php');
include(PM_DIR . 'pm-includes/global.inc.php');
require(PM_DIR . 'pm-includes/functions.php');

// Checks if user is logged in; if not redirect to login page.
if($current_user->hasPermission('access_site') != true) { pm_redirect(PM_URI . '/index.php'); }
is_id_set( $_GET['p_id'], get_project_meta($_GET['p_id'],'p_id'), '/projects/list_projects.php' );

include(PM_DIR . 'pm-includes/header.php');

// Enable for error checking and troubleshooting.
# display_errors();

$sql = pmdb::connect()->select( DB . 'projects', '*', 'p_id = "' . $_GET['p_id'] . '"', null ) or die(pmdb::connect()->is_error());

while($row = $sql->fetch_array()) {
?>

			<div id="page-title">
				<img src="<?php _e( PM_URI ); ?>/images/projects.png" alt="" />
				<h1>
					<?php _e(get_project_meta($_GET['p_id'],'project_name')); ?>
					<?php if($current_user->hasPermission('edit_projects')) { _e( '<span id="header-link"><a href="edit_project.php?p_id=' . $_GET['p_id'] . '">Edit Project</a></span>' ); } ?>
				</h1>
			</div>

			<?php _e( get_project_tabs() ); ?>

			<div id="middle">
			<div id="groups-page"> 
				<table cellspacing="0" cellpadding="0">
					<tr class="list">
						<th scope="row"><span class="list-name"><?php _e( _( 'Description' ) ); ?></span></th>
						<td><?php _e( $row['project_description'] ); ?></td>
					</tr>

					<tr class="list">
						<th scope="row"><span class="list-name"><?php _e( _( 'Contact Email' ) ); ?></span></th>
						<td><a href="mailto:<?php _e( $row['contact_email'] ); ?>"><?php _e( $row['contact_email'] ); ?></a></td>
					</tr>

					<tr class="list">
						<th scope="row"><span class="list-name"><?php _e( _( 'Members' ) ); ?></span></th>
						<td>This project has <?php get_project_member_count(); ?> members</td>
					</tr>
				</table>

			</div>
			</div>
<?php } ?>


<?php include(PM_DIR . 'pm-includes/footer.php');

 

functions-projects.php

<?php

function get_project_tabs() {
	$pmem = pmdb::connect()->select( DB . 'project_members', '*', 'pp_id = "' . $_GET['p_id'] . '" AND pm_user = "' . is_session_set('username') . '"', null ) or die(pmdb::connect()->is_error());
	$plead = pmdb::connect()->select( DB . 'project_leaders', '*', 'p_id = "' . $_GET['p_id'] . '" AND pl_user = "' . is_session_set('username') . '"', null ) or die(pmdb::connect()->is_error());
	if($pmem->num_rows != 0 || $plead->num_rows != 0) {
	?>

			<div id="tabs">
				<ul>
					<li <?php if (active_link() == "project.php?p_id=".$_GET['p_id']) _e( "class='active_link'" );?>>
						<a href="<?php _e( PM_URI ); ?>/projects/project.php?p_id=<?php _e( $_GET['p_id'] ); ?>"><span><?php _e( _( 'Project' ) ); ?></span></a>
					</li>
					<li <?php if (active_link() == "discussions.php?p_id=".$_GET['p_id']) _e( "class='active_link'" );?>
						<?php if (active_link() == "add_ptopic.php?p_id=".$_GET['p_id']) _e( "class='active_link'" );?>>
						<a href="<?php _e( PM_URI ); ?>/projects/forum/discussions.php?p_id=<?php _e( $_GET['p_id'] ); ?>"><span><?php _e( _( 'Forum' ) ); ?></span></a>
					</li>
					<li <?php if (active_link() == "contact.php?p_id=".$_GET['p_id']) _e( "class='active_link'" );?>>
						<a href="<?php _e( PM_URI ); ?>/projects/contact.php?p_id=<?php _e( $_GET['p_id'] ); ?>"><span><?php _e( _( 'Email' ) ); ?></span></a>
					</li>
					<li <?php if (active_link() == "filemanager.php?p_id=".$_GET['p_id']) _e( "class='active_link'" );?>>
						<a href="<?php _e( PM_URI ); ?>/projects/filemanager.php?p_id=<?php _e( $_GET['p_id'] ); ?>"><span><?php _e( _( 'Docs' ) ); ?></span></a>
					</li>
					<li <?php if (active_link() == "project_members.php?p_id=".$_GET['p_id']) _e( "class='active_link'" );?>>
						<a href="<?php _e( PM_URI ); ?>/projects/project_members.php?p_id=<?php _e( $_GET['p_id'] ); ?>"><span><?php _e( _( 'Members' ) ); ?></span></a>
					</li>
				</ul>
			</div>

<?php
	}
}

function get_project_member_count() {
	$pm = pmdb::connect()->select( DB . 'project_members', 'COUNT(pm_user)', 'pp_id = "' . $_GET['p_id'] . '"', null ) or die(pmdb::connect()->is_error());

	while($rpm = $pm->fetch_array()) {
		if($rpm['COUNT(pm_user)'] > 0) {
			echo "<font color='#f00'>". $rpm['COUNT(pm_user)']."</font>"; 
		} else {
			echo $rpm['COUNT(pm_user)'];
		}
	}
}

function get_project_meta($id,$field) {
        $result = pmdb::connect()->query("SELECT " . $field . " FROM " . DB . "projects WHERE p_id = '" . $id . "'") or die(pmdb::connect()->is_error());
       		while($r = $result->fetch_object()) {
               $info = $r->$field;
       		return $info;
    	}
}

function get_project_leader_meta($field) {
	$result = pmdb::connect()->query("SELECT" . $field . " FROM " . DB . "project_leaders WHERE p_id = '" . $_GET['p_id'] . "'") or die(pmdb::connect()->is_error());
		while($r = $result->fetch_object()) {
               $plead = $r->$field;
       		echo $plead;
    	}
}

function getFileType($extension) {
	$images = array('jpg', 'gif', 'png', 'bmp');
	$docs 	= array('txt', 'rtf', 'doc', 'pdf');
	$apps 	= array('zip', 'rar', 'tar');

	if(in_array($extension, $images)) return "Images";
	if(in_array($extension, $docs)) return "Documents";
	if(in_array($extension, $apps)) return "Applications";
	return "";
}

function formatBytes($bytes, $precision = 2) { 
    	$units = array('B', 'KB', 'MB', 'GB', 'TB'); 
   
    	$bytes = max($bytes, 0); 
    	$pow = floor(($bytes ? log($bytes) : 0) / log(1024)); 
    	$pow = min($pow, count($units) - 1); 
   
    	$bytes /= pow(1024, $pow); 
   
    	return round($bytes, $precision) . ' ' . $units[$pow]; 
}

function is_id_set($id, $getID, $redirect) {
	if(!isset($id) || $id != $getID) {
		 pm_redirect( PM_URI . $redirect );
	}
}

 

Here is the login function and I am using PHPass:

<?php
function pm_login($username, $password, $remember = NULL) {

	//$hasher = new PasswordHash(8, FALSE);

	$user = strtolower(pmdb::connect()->escape($username));
	$pass = pmdb::connect()->escape($password);

	$results = pmdb::connect()->get_row( "SELECT * FROM ". DB ."members WHERE username = '$user'" );

	// Use to set cookie session for domain.
	$cookiedomain = $_SERVER['SERVER_NAME']; 
	$cookiedomain = str_replace('www.', '', $cookiedomain);

		if(isset($_POST['login'])) {
			if(pm_check_password( $pass, $results->password, $results->username )) {

			do_action( 'pm_login_form_script' );
			session_start();
			$_SESSION['logged'] = 1; // Sets the session.
			$_SESSION['username'] = $results->username; // Sets the username session.
			$_SESSION['userID'] = $results->user_id;
			$_SESSION['remember_me'] = $remember; // Sets a remember me cookie if remember me is checked.

		if(isset($remember)){
      			setcookie("pm_cookname", $user, time()+60*60*24*120, "/", $cookiedomain);
      			setcookie("pm_cookpass", pm_hash_password($pass), time()+60*60*24*120, "/", $cookiedomain);
   			}
			pm_redirect(PM_URI . "/index.php");

			} else {

			setcookie("pm_cookname", $user, time()+3600*24);
      			setcookie("pm_cookpass", pm_hash_password($pass), time()+3600*24);
		}
			pm_redirect(PM_URI . "/index.php");
	}
      return apply_filter( 'login', $username, $password, $remember );
 }

 

And last pm-logout.php

<?php

session_start();
session_unset();

session_destroy();
header('Location: pm-login.php');

Link to comment
Share on other sites
NomadicJosh Member

NomadicJosh

Posted
  • Author
Posted

I did have some simular problem with some code I used. Trying desperatly to remember what was wrong.

 

Which is the page that causes it to display you as another user?

 

The page that is the issue is project.php. But when you click the link it will take you to project.php?p_id=[project_id]. If the id is not set or does not exist, it will redirect the user to list_projects.php. You can see tabs in the functions-projects.php above.

Link to comment
Share on other sites
NomadicJosh Member

NomadicJosh

Posted
  • Author
Posted

Can you also post this function: pm_check_password

 

Sure, please see below. Also, when just using md5 without PHPass or any of the functions related to it, the same anomaly occurs.

 

<?php
function pm_hash_password($password) {
	// By default, use the portable hash from phpass
	$pm_hasher = new PasswordHash(8, FALSE);

		return $pm_hasher->HashPassword($password);
}

 function pm_check_password($password, $hash, $username) {

	// If the hash is still md5...
	if ( strlen($hash) <= 32 ) {
		$check = ( $hash == md5($password) );
	if ( $check && $username ) {
		// Rehash using new hash.
		pm_set_password($password, $username);
		$hash = pm_hash_password($password);
	}

	return apply_filter('check_password', $check, $password, $hash, $username);
	}

	// If the stored hash is longer than an MD5, presume the
	// new style phpass portable hash.
	$pm_hasher = new PasswordHash(8, FALSE);

	$check = $pm_hasher->CheckPassword($password, $hash);

		return apply_filter('check_password', $check, $password, $hash, $username);
}

 function pm_set_password( $password, $username ) {

	$hash = pm_hash_password($password);
	pmdb::connect()->update( DB . 'members', array( 'password' => $hash ), array( 'username', $username ));

}

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

What exactly is the relationship between the correct logged in user and this other user you get switched to when you go to a specific page? Is this other user one that you have previously logged in as or is it something like the first or last user stored in your database table?

Link to comment
Share on other sites
NomadicJosh Member

NomadicJosh

Posted
  • Author
Posted

What exactly is the relationship between the correct logged in user and this other user you get switched to when you go to a specific page? Is this other user one that you have previously logged in as or is it something like the first or last user stored in your database table?

 

Here is what is in the database so far in this order (user_id, username, first_name, last_name)

 

1, danielparker, Daniel, Parker

5, joshmac3, Joshua Parker, Null

 

And the passwords for both users are the same.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

That's not an answer to the question that was asked.

 

The reason we ask specific questions is because we are not standing right next to you and don't know how you got to this point or what you observed in front of you. When you don't supply the information that is asked for, there's little chance of anyone helping you.

Link to comment
Share on other sites
NomadicJosh Member

NomadicJosh

Posted
  • Author
Posted

That's not an answer to the question that was asked.

 

The reason we ask specific questions is because we are not standing right next to you and don't know how you got to this point or what you observed in front of you. When you don't supply the information that is asked for, there's little chance of anyone helping you.

 

Oh, sorry if I misunderstood your question, but I found the issue. Thanks.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.