
After the user logs in, the data is posted to the login_db.php file, which consists of the following code that checks the login and stores it in session variables. Depending on the login type, the self.location line takes it to the respective location.

In each of location1.php, location2.php, and location3.php, session_start is written on the first line of the file.

    <?php
    session_start();
    extract($_POST);
    include_once 'login/utils/conn.php';

    if(isset($_POST['login']))
    { 
         $name = $_POST['name'];
         $password = $_POST['password'];
         $sql = "SELECT ad_pk,ad_uname,ad_pwd,ad_type FROM adminlogin WHERE ad_uname ='$name' AND ad_pwd ='$password'";
         $result = mysql_query($sql);

         if($res = mysql_fetch_array($result))
         {  
            //print_r($_POST);exit;
            if ($res["ad_type"] == 'telecall') 
            {
                $_SESSION["ad_uname"] = $res["ad_type"];
                $_SESSION["adminid"] = $res["ad_pk"];
                echo $dt=date("Y-m-d",time());
                $pk=$res['ad_pk'];
                $uk=$res['ad_uname'];
                echo  $sql_ins_log = "insert into login_info(user_id,user_name,login_date)values('$pk','$uk','$dt')";
                $result_log = mysql_query($sql_ins_log);
                echo "<script>self.location='location1.php';</script>";
            }
            else if ( $res["ad_type"] == 'admin') 
            {
                $_SESSION["ad_uname"] = $res["ad_type"];
                $_SESSION["adminid"] = $res["ad_pk"];
                echo $dt=date("Y-m-d",time());
                $pk=$res['ad_pk'];
                $uk=$res['ad_uname'];
                echo  $sql_ins_log = "insert into login_info(user_id,user_name,login_date)values('$pk','$uk','$dt')";
                $result_log = mysql_query($sql_ins_log);
                echo "<script>self.location='location2.php';</script>";

            }
            else if ( $res["ad_type"] == 'bussuser') 
            {
                   $_SESSION["ad_uname"] = $res["ad_type"];
                   $_SESSION["adminid"] = $res["ad_pk"];
                   echo $dt=date("Y-m-d",time());
                   $pk=$res['ad_pk'];
                   $uk=$res['ad_uname'];
                   echo  $sql_ins_log = "insert into login_info(user_id,user_name,login_date)values('$pk','$uk','$dt')";
                   $result_log = mysql_query($sql_ins_log);
                   echo "<script>self.location='location3.php';</script>";
            }
            else
            {
                    echo "<script>alert('Incorrect username or password');self.location='login.php';</script>";
            } 
        } 
    }
    ?>

Here I can see the session data on print_r($_SESSION);

After self.location is executed, control goes to 3 different pages. At the start of each page the session_start line is written. Still, the session data is lost and the Access Denied message is displayed on login.


    <?
    session_start();
    error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
    //echo "helllooo".$_SESSION["ad_uname"];
    print_r($_SESSION);// line returns empty array

    if($_SESSION["ad_uname"]=='telecall')// if type of logged in user telecall show a different form
    {
    ?>
       // some form displayed and further actions executed.
    <? 
    } 
    else
    {
       echo "<script>alert('Access Denied');self.location='login.php';</script>";
    }
    ?>

The session id seems to change; I don't know why. Can anyone guide me on where I am going wrong? And why is session_id returning 2 different ids in the login_db.php file and the location1/2/3.php files?

Now I have an .htaccess file (its purpose is to remove the .php extension in the URL except when posting data from files, hence the line: RewriteCond %{REQUEST_METHOD} =POST) which contains the following code; when it is removed, the session works successfully.

The htaccess needs to remove the .php extension but then not affect the session or the posting of data.

I am new to writing htaccess code, hence I need guidance on why my htaccess is contradicting and clearing the session and creating two different session ids. Help will make my day. :)

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteRule ^ - [L]

    # Unless directory, remove trailing slash
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([^/]+)/$ http://yourdomain.com/$1 [R=301,L]

    # Redirect external .php requests to extensionless url
    RewriteCond %{REQUEST_FILENAME} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
    RewriteRule ^(.+)\.php$ http://yourdomain.com/$1 [R=301,L]

    # Redirect external .php requests to extensionless url
    RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
    RewriteRule ^(.+)\.php$ http://yourdomain.com/$1 [R=301,L]

    # Resolve .php file for extensionless php urls
    RewriteRule ^([^/.]+)$ $1.php [L]

Thanks in advance.

  • Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Mar 23 '14 at 07:27
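
An added example, not the asker's or any answerer's code: one way to write login_db.php so that the injection noted in the comment above is closed, the session id is renewed at login, and the post-login hop is a server-side 303 redirect instead of an inline script. The PDO DSN and credentials are placeholders, and it assumes `ad_pwd` stores `password_hash()` output rather than the plaintext the original query compares.

```php
<?php
// Added example (not from the original post). Assumptions: PDO MySQL is available,
// the DSN and credentials are placeholders, ad_pwd holds password_hash() output.
declare(strict_types=1);
session_start();

// Each known ad_type maps to its landing page; any other value is rejected.
const LANDING = ['telecall' => 'location1.php', 'admin' => 'location2.php', 'bussuser' => 'location3.php'];

function redirect(string $path): void
{
    // 303 makes the browser follow up with a GET. The target is relative,
    // so this response never points the browser at another host name.
    header('Location: ' . $path, true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['login'])) {
    redirect('login.php');
}
$name     = is_string($_POST['name'] ?? null) ? $_POST['name'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'db_user', 'db_pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Bound parameter: the submitted name travels as data, never as SQL text.
$stmt = $pdo->prepare('SELECT ad_pk, ad_uname, ad_pwd, ad_type FROM adminlogin WHERE ad_uname = ?');
$stmt->execute([$name]);
$row = $stmt->fetch();

// Unknown user, unknown ad_type and wrong password all take the same exit.
$target = $row ? (LANDING[$row['ad_type']] ?? null) : null;
if ($target === null || !password_verify($password, (string) $row['ad_pwd'])) {
    redirect('login.php');
}

// Issue a fresh session id at login so a pre-login id cannot be reused (fixation).
session_regenerate_id(true);
$_SESSION['ad_uname'] = $row['ad_type'];   // same keys the location pages read
$_SESSION['adminid']  = $row['ad_pk'];

$log = $pdo->prepare('INSERT INTO login_info (user_id, user_name, login_date) VALUES (?, ?, ?)');
$log->execute([$row['ad_pk'], $row['ad_uname'], date('Y-m-d')]);
redirect($target);
```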

1 Answer

POST data is discarded on redirect, as a client will perform a GET request to the URL specified by the 301.

A similar question on Stack Overflow suggests the following:

> One option is to catch POST requests to the url to be redirected and pass it off to a page to handle the redirect. You'd need to do the transposition of the parameters in code then issue the redirect header with the parameter appended new url that way.

W3C reference about how 301 redirect works.

Sudhir Mishra