Login System - Works in Firefox but not in IE, Chrome etc

Question

I have a login system which only seems to be able to login using Firefox, I have tried in Internet Explorer and Chrome using the same login details and it doesn't allow me to login (Verification failed! Password incorrect, please try again.")

Here in the code for the login page:

<body class="ui-state-processing">
<div id="cp-wrapper-div">
<div id="cp-topheader-div" class="ui-widget-header">
    <div id="cp-topheader-content-div">
        <img class="cp-topheader-customer-logo left" alt="Logo" src="images/logo.png" />
        <img class="cp-topheader-marandy-logo right" alt="Powered by CompanyName" src="images/powered_by_compname.png" />
    </div>
</div>
<div class="clear"></div>
<div id="login-page-wrap">
    <div id="login-wrapper" class="ui-corner-all page-div">
        <div id="login-input-wrapper" class="div-row-style">
            <div id="login-title-top" class="centre-div">
                <div id="login-title-icon">
                    <img src="images/padlock.png" alt="Online Booking Login" class="left" />
                </div>
                <div id="login-title-text">
                    <h1 class="drk-grey left">Online Booking Login</h1>
                </div>
            </div>
            <form action="?" method="post" id="frm-useracc-login" name="frm-useracc-login" >
                <div id="login-username-wrap" >
                    <div class="login-input-item left">
                        <div class="div-search-label left">
                            <div id="div-leftheader-wrap">
                                <p class="a-topheader-infotext left"><strong>Username: </strong></p>
                            </div>
                        </div>
                        <div class="login-input-content left div-subrow-style ui-corner-all">
                            <input type="text" tabindex="1" name="txt-username" id="txt-username" class="input-txt-med required addr-search-input txt-username left">
                        </div>
                    </div>
                </div>
                <div id="login-password-wrap" >
                    <div class="login-input-item left">
                        <div class="div-search-label left">
                            <div id="div-leftheader-wrap">
                                <p class="a-topheader-infotext left"><strong>Password: </strong></p>
                            </div>
                        </div>
                        <div class="login-input-content left div-subrow-style ui-corner-all">
                            <input type="password" tabindex="1" name="txt-password" id="txt-password" class="input-txt-med required addr-search-input txt-password left">
                        </div>
                    </div>
                </div>
                <div id="login-btn-bottom" class="centre-div">
                    <div id="login-btn-right">
                        <button name="btn-login" id="btn-login" class="btn-med ui-button ui-state-default ui-button-text-only ui-corner-all btn-hover-anim btn-row-wrapper left">Login</button>
                        <button name="btn-cancel" id="btn-cancel" class="btn-med ui-button ui-state-default ui-button-text-only ui-corner-all btn-hover-anim btn-row-wrapper left">Cancel</button><br /><br />
                    </div>
                </div>
            </form>
        </div>
        <p id="login-status" class="fail-text"><strong><? echo $_SESSION['login-status']; ?></strong></p>
    </div>
</div>

And this is my session.controller.php:

<?php

require_once("controllers/server.filter.php");
require_once('models/server.php');
require_once("models/useraccount.php");
require_once("models/sql.php");

class SessionController {

private static $login_status;
private static $redirect_url;
public static $form_action;

## Getters ##

private static function get_loginstatus() {return self::$login_status;}

## Setters ##

private static function set_loginstatus($in_str) {self::$login_status = $in_str;}

## Functions ##

public static function validate_user() {

    UserAccount::set_username($_REQUEST['txt-username']);
    UserAccount::set_password($_REQUEST['txt-password']);

    $pdo = new SQL();
    $dbh = $pdo->connect(Database::$serverIP, Database::$serverPort, Database::$dbName, Database::$user, Database::$pass);

    try {

        // Does user exist?
        $query = "SELECT COUNT(UserName) FROM tblusers WHERE UserName = :in_username";

        $stmt = $dbh->prepare($query);

        $param = Filter::san_str_html(UserAccount::get_username());

        $stmt->bindParam(':in_username', $param, PDO::PARAM_STR);

        $stmt->execute();

        $number_of_rows = $stmt->fetchColumn();

        $stmt->closeCursor();



        if ($number_of_rows <= 0) {

            self::set_loginstatus("The user does not exist in our database, please try again.");
            $_SESSION['login-status'] = self::get_loginstatus();
            self::redirect(false);

        } else {

            // User verified, check password...
            self::verify_password();

        }

    }

    catch (PDOException $pe) {
        die("Error: " .$pe->getMessage());
    }

    $pdo = null;

}

private static function verify_password() {

    $pdo = new SQL();
    $dbh = $pdo->connect(Database::$serverIP, Database::$serverPort, Database::$dbName, Database::$user, Database::$pass);

    try {

        // Does the password given match the password held?
        $query = "SELECT COUNT(*) FROM tblusers WHERE UserName = :in_username AND Password = :in_password";

        $stmt = $dbh->prepare($query);

        $param1 = UserAccount::get_password();
        $param2 = Filter::san_str_html(UserAccount::get_username());

        $stmt->bindParam(':in_username', $param2, PDO::PARAM_STR);
        $stmt->bindParam(':in_password', $param1, PDO::PARAM_STR);

        $stmt->execute();

        $number_of_rows = $stmt->fetchColumn();

    }

    catch (PDOException $pe) {
        die("Error: " .$pe->getMessage());
    }

    $pdo = null;

    if ($number_of_rows == 1) {

        $_SESSION['username'] = UserAccount::get_username();

        // Begin verification..
        self::set_useraccount(true);

    } else {

        self::set_loginstatus("Verification failed! Password incorrect, please try again.");
        $_SESSION['login-status'] = self::get_loginstatus();
        self::redirect(false);

    }

}

private static function verify_account() {

    // Account types: 9 = Disabled, 0 = Normal/Restricted, 1 = Administrative
    if (UserAccount::get_accounttype() == 9) {
        self::set_loginstatus("Verification failed! This account has been disabled."); ## Account disabled
        $_SESSION['login-status'] = self::get_loginstatus();
        self::redirect(false);

    } else

        // User login types: 9 = Disabled, 0 = Normal/Restricted, 1 = Administrative
        if (UserAccount::get_usertype() == 9) {
            self::set_loginstatus("Verification failed! This login has been disabled."); ## User login disabled
            $_SESSION['login-status'] = self::get_loginstatus();
            self::redirect(false);

        } else {

            // Set redirect url here
            if (UserAccount::get_accounttype() == 1) {
                self::$redirect_url = 'controlpanel.php';
            }

            if (UserAccount::get_accounttype() == 0 && UserAccount::get_usertype() == 1) {
                self::$redirect_url = 'controlpanel.php';
            }

            if (UserAccount::get_accounttype() == 0 && UserAccount::get_usertype() == 0) {
                self::$redirect_url = 'newbooking.php';
            }

            // All ok, set user and account properties
            return true;

        }

}

public static function set_useraccount($redirect_bool) {

    // If username session is set...
    if (isset($_SESSION['username'])) {

        UserAccount::set_username($_SESSION['username']);

        // Query Database for the rest of the data
        $pdo = new SQL();
        $dbh = $pdo->connect(Database::$serverIP, Database::$serverPort, Database::$dbName, Database::$user, Database::$pass);

        try {

            $query = "SELECT AccountName
                      FROM tblusers
                      WHERE UserName = :in_username";

            $stmt = $dbh->prepare($query);

            $param1 = UserAccount::get_username();

            $stmt->bindParam(':in_username', $param1, PDO::PARAM_STR);

            $stmt->execute();

            // Parse
            $row = $stmt->fetch(PDO::FETCH_BOTH);

            $stmt->closeCursor();

        }

        catch (PDOException $pe) {
            die("Error: " .$pe->getMessage());
        }

        UserAccount::set_accountname($row['AccountName']);

        try {

            $query = "SELECT a.Id, a.AccountName, a.AccountNumber, a.AccountEmail, a.AccountTel,
                             a.AccountContact, a.AccountType, a.PaymentType, u.UserName,
                             u.FullName, u.UserEmail, u.UserTel, u.UserType
                      FROM tblaccounts a JOIN tblusers u
                      ON a.AccountName = u.AccountName
                      WHERE a.AccountName = :in_accname
                      AND u.UserName = :in_username";

            $stmt = $dbh->prepare($query);

            $param2 = UserAccount::get_accountname();
            $param3 = UserAccount::get_username();

            $stmt->bindParam(':in_accname', $param2, PDO::PARAM_STR);
            $stmt->bindParam(':in_username', $param3, PDO::PARAM_STR);

            $stmt->execute();

            // Parse
            $row = $stmt->fetch(PDO::FETCH_BOTH);

        }

        catch (PDOException $pe) {
            die("Error: " .$pe->getMessage());
        }

        // Set properties and sessions variables
        UserAccount::set_id($row['Id']);
        UserAccount::set_accountname($row['AccountName']);
        UserAccount::set_accountnumber($row['AccountNumber']);
        UserAccount::set_accountemail($row['AccountEmail']);
        UserAccount::set_fullname($row['FullName']);
        UserAccount::set_accounttel($row['AccountTel']);
        UserAccount::set_accountcontact($row['AccountContact']);
        UserAccount::set_accounttype((int)$row['AccountType']);
        UserAccount::set_paymenttype((int)$row['PaymentType']);
        UserAccount::set_useremail($row['UserEmail']);
        UserAccount::set_usertel($row['UserTel']);
        UserAccount::set_usertype((int)$row['UserType']);

        if (self::verify_account()) {

            switch (UserAccount::get_paymenttype()) {
                case 0:
                $_SESSION['ua-paymenttype-asstr'] = 'Credit/Debit Card';
                self::$form_action = 'addressdetails.php';
                break;
                case 1:
                $_SESSION['ua-paymenttype-asstr'] = 'Account';
                self::$form_action = 'makebooking.php';
                break;
                case 2:
                $_SESSION['ua-paymenttype-asstr'] = 'Cash';
                self::$form_action = 'makebooking.php';
                break;
            }

            switch (UserAccount::get_usertype()) {
                case 9:
                $_SESSION['ua-usertype-asstr'] = 'Disabled/Suspended';
                break;
                case 0:
                $_SESSION['ua-usertype-asstr'] = 'Standard';
                break;
                case 1:
                $_SESSION['ua-usertype-asstr'] = 'Account Administrator';
                break;
            }

            switch (UserAccount::get_accounttype()) {
                case 9:
                $_SESSION['ua-accounttype-asstr'] = 'Disabled/Suspended';
                break;
                case 0:
                $_SESSION['ua-accounttype-asstr'] = '  ';
                break;
                case 1:
                $_SESSION['ua-accounttype-asstr'] = '(SA)';
                break;
            }

            // Redirect
            if ($redirect_bool) {
                self::redirect(true);
            }

        }

    } else {

        //self::set_loginstatus("Pre-requisite failure! Browser not supporting cookies!"); **Removed**
        $_SESSION['login-status'] = self::get_loginstatus();

        self::redirect(false);

    }

}

private static function redirect($auth_bool) {

    //parent::set_sessionstate(true); ## Set session to active -- persistance to DB

    //self::$determine_session_type(); ## Set session type --  persistance to DB

    if ($auth_bool == true) {

        $doc_root = $_SERVER['DOCUMENT_ROOT'];
        self::set_loginstatus('');
        $_SESSION['login-status'] = self::get_loginstatus();

        header("Location: ".self::$redirect_url);

    } else {

         header("Location: login.php");

    }

}


}

?>

Anybody got any idea why it only seems to be working in Firefox?

Answer 1

Where is your code which detects the POST request for the login attempt?

Normally this occurs when you are triggering your login procedure on detecting the $_POST/$_REQUEST variable for a button or submit field. IE in particular will not always post this with the rest of your form.

The best way to resolve this is to submit a hidden field along with your form:

<form method = "post" >

<input type = "text" name = "username" value = "1" />
<input type = "password" name = "password" value = "1" />
<input type = "hidden" name = "login_attempt" value = "1" />

<input type = "submit" value = "submit" name = "submit" />
</form>
<?php

if($isset($_POST['login_attempt'])){


    $User->login();
}

?>

Try submitting a form like this in a few of the big browsers by either hitting enter or clicking submit, the only field which is not reliable will be submit.