First of all, I'm a little bit at a wits end. I've been scouring the net for solutions and can find nothing but dead trail that don't seem to help. I am an amateur developer working on a large and established website.
The following code snippets show our login system.
HTML Login
<form action="/script.php" method="post" id="loginvbform">
<div>
<input type="hidden" name="function" value="Login" />
<input type="submit" id="logins" value="<?php echo $t['loginbox_login']?>" />
<input type="text" class="logininput" name="name" placeholder="<?php echo $t['general_username']?>" required="required" /><br />
<input type="password" class="logininput" name="pass" placeholder="<?php echo $t['general_password'];?>" required="required" /><br />
</div>
</form>
<p><a href="/forgotpass.php"><?php echo $t['loginbox_forgot_password'];?></a> | <a href="/register.php"><?php echo $t['loginbox_register'];?></a></p>
</div>
Script file (relevant function)
// Remove spaces from the entered username, so that the few péople with former spaces can login without problems
$p_name = str_replace(' ', '', $p_name);
echo $p_name;
$user_info = db_get_result(db_query("SELECT user_id, username, pword, auth_verified, user_status, pword_new FROM users WHERE username = '$p_name'"));
$user_found = false;
if($user_info == null) $cs->WriteNote(false, $t['login_error'], $t['login_error_faulty_username']);
else if(isset($user_info['pword_new'])) if(password_verify("$pass", $user_info['pword_new'])) $cs->WriteNote(false, $t['login_error'], str_replace(array('[link_resetpassword]', '[/link]'), array('<a href="/forgotpass.php">', '</a>'), $t['login_error_wrong_password']));
else if($user_info['pword'] != md5($pass)) $cs->WriteNote(false, $t['login_error'], str_replace(array('[link_resetpassword]', '[/link]'), array('<a href="/forgotpass.php">', '</a>'), $t['login_error_wrong_password']));
else if($user_info['user_status'] == 0) $cs->WriteNote(false, $t['login_error'], str_replace(array('[link_contact]', '[/link]'), array('<a href="/support.php">', '</a>'), $t['login_error_user_suspended']));
// Everything is fine, we can log this user in
else
{
// in January 2016, we upgraded password security. In order to do this, we needed to force all users to log-in again so that we could hash their passwords from the raw password. This code does the hashing if they have no updated password hash.
if(empty($user_info['pword_new']))
{
$pword_new = password_hash("$pass", PASSWORD_DEFAULT)."
";
db_query("UPDATE users SET pword_new = '$pword_new' WHERE username = '$p_name'");
}
$_SESSION['user_id'] = $user_info['user_id'];
$cs->WriteNote(true, $t['login_success']);
$user_found = true;
$redirect = "/user/" . $_SESSION['user_id'];
}
if(!$user_found) { sleep(4);}
Checking for login (this file is loaded on every single page)
session_start();
...
if(isset($_SESSION['user_id']))
{
if(is_numeric($_SESSION['user_id']))
{
$uid = $_SESSION['user_id'];
$login_data = db_get_result(db_query("SELECT * FROM users JOIN skins USING(skin_id)
WHERE users.user_id = $uid AND users.user_status > 0"));
if($login_data)
{
$logged_in = true;
$user_id = $uid;
*****Then there's some personal user data related stuff that you don't need to see*****
}
}
}
Now on to the issue.
SOMETIMES, this system doesn't work. The several instances of $cs->WriteNote functions are used to write error messages and login notifications to the user in this case, however when the login system fails, none of these are displayed. This system works flawlessly like 85% of the time.
Browser does not appear to play a part, as people have reported this bug on Chrome, Firefox, Edge (idk about Opera). Browsers with cookies allowed still experience this bug.
Even when logins fail, the $redirect = "/user/" . $_SESSION['user_id']; is actually set correctly and redirects to the correct page, however the session does not preserve through the redirect.
I have locked the website so that every page must use the www. domain, as I thought that may be the issue. It does not appear to help.
The following is our php configuration regarding sessions:
Directive | Local Value | Master Value
session.auto_start Off Off
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_httponly Off Off
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file /dev/urandom /dev/urandom
session.entropy_length 32 32
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.hash_bits_per_character 5 5
session.hash_function 0 0
session.name PHPSESSID PHPSESSID
session.referer_check no value no value
session.save_handler files files
session.save_path no value no value
session.serialize_handler php php
session.upload_progress.cleanup On On
session.upload_progress.enabled On On
session.upload_progress.freq 1% 1%
session.upload_progress.min_freq 1 1
session.upload_progress.name PHP_SESSION_UPLOAD_PROGRESS PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix upload_progress_ upload_progress_
session.use_cookies On On
session.use_only_cookies On On
session.use_strict_mode Off Off
session.use_trans_sid 0 0
If you need more information, feel free to ask and I'll do my best to divulge.
Does anybody have any idea on the reasoning that our login system isn't working SOMETIMES?
