sessions from my login system are not working

Question

I am developing a website and I have a problem with my login system. Consider two users, user1 and user2. if user1 gets access to his account and, in the same browser, if user2 gets access to his account, user1 must be logged out from his session but this does not happen in my system, moreover, the system thinks that user1 is user2 because user2 is connected. This is the following code for the login page and the authentication:

Login code

<html>
<body>
<div class="wrap">
<div id="content">
   <div id="main">
     <div class="full_w">
    <form action="login_oficial.php" method="post" autocomplete="off">
       <label for="login">Usuario:</label>
         <input id="login" name="login" class="text" />
       <label for="pass">Contraseña:</label>
         <input id="pass" name="pass" type="password" class="text" />
       <input type="submit" class="ok" name="acceso_cuenta" value="Acceder"></button>
    </form>
      </div>
     </div>
    </div>
   </div>
  </body>
 </html>

Authentication code (login_oficial.php)

<?php
session_start();
require('incluye.php');
$usuario = $_POST['login'];

$_SESSION['user']=$usuario; 
$error = '';
$form = $_POST['acceso_cuenta'];
$password = $_POST['pass'];

    $query1 = "SELECT user FROM data1 WHERE user='$usuario' and passwort='$password'"; 

$result=pg_query($conn,$query1);

if( isset($form) ) {

if( isset($usuario) && isset($password) && $usuario !== '' && $password !== '' ) {

if(pg_num_rows($result) != 0 ) { //success

   $_SESSION['logged-in'] = true;

   header('location: http://localhost/public_html/website/normal_user.php');   
   exit;    

}else { $error = "Your information is wrong."; }

} else { $error = 'Please, do not leave blank spaces.';}
   }
 ?>
<html>
<body>
<div class="wrap">
<div id="content">
  <div id="main">
    <div class="full_w">
      <form action="<?php $PHP_SELF; ?>" method="post">
    <label for="login">Usuario:</label>
       <input id="login" name="login" class="text" autocomplete="off" />
         <label for="pass">Contraseña:</label>
           <input id="pass" name="pass" type="password" class="text" />
          <div class="sep"></div>
           <input type="submit" class="ok" name="acceso_cuenta" value="Acceder"></button>              
    </form>
       </div><!--END OF FULL-->
     <?php  echo "<br /><span style=\"color:red\">$error</span>";?>
        </div><!--END OF MAIN-->
   </div><!--END OF CONTENT-->
      </div><!--END OF WRAP-->
     </body>
    </html>

code for incluye.php

<?
if($_POST['acceso_cuenta']){
 $strconn="dbname=postgres port=5432 host=127.0.0.1 user=xxxxxx password=*****";
 $conn=pg_Connect($strconn);
  }
if(!$conn){
 // echo "Error connection!!!";
}else{
  //echo "Connection succesful!!!"; 
}
  ?>

User's page

  <?php
  session_start();
  require('incluye.php');
// is the one accessing this page logged in or not?
  if ( !isset($_SESSION['logged-in']) || $_SESSION['logged-in'] !== true) {
// not logged in, move to login page
session_destroy();
header('Location: login_oficial.php');
exit;}
 ?>

<html lang="en">   
<body class=""> 
<div class="navbar">
    <div class="navbar-inner">
            <ul class="nav pull-right">  
                <li id="fat-menu" class="dropdown">
                 <li ><a href="logout.php">Logout</a></li> 
                        <i class="icon-user"></i> <?  echo "Welcome user  {$_SESSION['user']} " ; ?>
                    </a>
                </li>   
            </ul>
 </div>
 </body>
 </html>

Logout.php

session_start();

// if the user is logged in, unset the session

if (isset($_SESSION['logged-in'])) {

unset($_SESSION['logged-in']);

}

// now that the user is logged out,

// go to login page

header('Location: login.html');

?>

All suggestions are welcome and feel free to give any other suggestion you consider appropriate. Cheers.

I kill my session once the user logs into his account. I will add that section now. — user119177, Jul 24 '13 at 06:12
You're wide open to [**SQL injection**](http://stackoverflow.com/a/60442/342740) and [**XSS attacks.**](http://stackoverflow.com/questions/6080022/php-self-and-xss) — Prix, Jul 24 '13 at 06:12
I've heard about SQL injection but I don't know how to avoid those attacks. Sorry for my ignorance but what are XSS attacks? — user119177, Jul 24 '13 at 06:13
Click on the above links and you will know how to prevent and how they happen. — Prix, Jul 24 '13 at 06:14
But why should the other user sign in when there is already an active login? So you have to provide a possiblity to logout and afterwards the user can login again. — Tobias Golbs, Jul 24 '13 at 06:15
What about the cookies? Can I use cookies to identify which user is logging in? — user119177, Jul 24 '13 at 06:20
Try to edit logout to sth like this `session_unset(); session_destroy(); session_write_close(); setcookie(session_name(),'',0,'/'); session_regenerate_id(true);` instead of `unset($_SESSION['logged-in']);` — Jakolcz, Jul 24 '13 at 06:26

score 1 · Answer 1 · answered Jul 24 '13 at 06:34

In login_oficial.php you set these sessions

$_SESSION['user']=$usuario; 
$_SESSION['logged-in'] = true;

but in logout.php you unset only the logged-in session. Try this code, it should reset all the sessions.

session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(),'',0,'/');
session_regenerate_id(true);

BTW i think that you should not set $_SESSION['user'] before you check if the user exists in DB.

sessions from my login system are not working

1 Answers1