i am always logged out when i change my password

[etsted]

why does this cript keep logging me out when i change my password?

$errorPass = $successPass = $oldPass = $newPass = $repeatNewPass="";        // this is used to change someones password        if(isset($_POST['changePass'])){            // check to make sure they have written in their old password            if(empty($_POST['oldPass'])){                $errorPass .= "Fill out Old password field<br>";            } else {                $oldPass = mysqli_real_escape_string($con, $_POST['oldPass']);            }                        // check to make sure they have written in their new password            if(empty($_POST['newPass'])){                $errorPass .= "Fill out New password field<br>";            } else {                $newPass = mysqli_real_escape_string($con, $_POST['newPass']);            }            // check to make sure they have reapeated their new password            if(empty($_POST['repeatNewPass'])){                $errorPass .= "Fill out Repeat new password field<br>";            } else {                $repeatNewPass = mysqli_real_escape_string($con, $_POST['repeatNewPass']);                                // check to make sure that $newPass and $repeatNewPass matches                if($newPass != $repeatNewPass){                    $errorPass .= "Your new passwords does not match<br>";                }            }                        // hash the password, before testing it against the DB                    function protect_pass($val) {                        return md5($val);                    }                        if(empty($errorPass)){                                    $pass_hash = protect_pass($oldPass);                                // check to make sure their old password is correct                $sql = "SELECT password FROM register WHERE password='$pass_hash'";                $query = mysqli_query($con, $sql);                $numrows = mysqli_num_rows($query);                if($numrows < 1){                    $errorPass .= "Your old password is not correct<br>";                } else {                                        $pass_hash = protect_pass($newPass);                                        $sql = "UPDATE register SET password='$pass_hash' WHERE u_name='$log_username'";                    $query = mysqli_query($con, $sql);                    if($query == true){                        $successPass = "Your password has been changed<br>";                    } else {                        $errorPass .= "Some unexpected error occured while trying to change your password<br>";                    }                                    }                            }

Edited May 15, 2014 by etsted

[birbal]

Is it the all code? I cant see anything in this code which can do like it.

[etsted]

this is the form you have to fill out

<form action="" method="post" name="changePass" id="changePass">            Old password: <input type="password" name="oldPass" style="margin-left: 50px;">            <br>            New password: <input type="password" name="newPass" style="margin-left: 43px;">            <br>            Repeat new password: <input type="password" name="repeatNewPass" style="margin-left: 1px;">            <br><br>            <input type="submit" name="changePass" value="Change password">        </form>

[Ingolme]

Where's the code that's making sure you're logged in? Something with session_start() in it.

[etsted]

I think i fixed it

[etsted]

actually i dint fix it

here is the updated code:

 $errorPass = $successPass = $oldPass = $newPass = $repeatNewPass="";        // this is used to change someones password        if(isset($_POST['changePass'])){            // check to make sure they have written in their old password            if(empty($_POST['oldPass'])){                $errorPass .= "Fill out Old password field<br>";            } else {                $oldPass = mysqli_real_escape_string($con, $_POST['oldPass']);            }                        // check to make sure they have written in their new password            if(empty($_POST['newPass'])){                $errorPass .= "Fill out New password field<br>";            } else {                $newPass = mysqli_real_escape_string($con, $_POST['newPass']);            }            // check to make sure they have reapeated their new password            if(empty($_POST['repeatNewPass'])){                $errorPass .= "Fill out Repeat new password field<br>";            } else {                $repeatNewPass = mysqli_real_escape_string($con, $_POST['repeatNewPass']);                                // check to make sure that $newPass and $repeatNewPass matches                if($newPass != $repeatNewPass){                    $errorPass .= "Your new passwords does not match<br>";                }            }                        // hash the password, before testing it against the DB            function protect_pass($val) {                            return md5($val);            }                        if(empty($errorPass)){                                    $password = protect_pass($oldPass);                                // check to make sure their old password is correct                $sql = "SELECT password FROM register WHERE password='$password'";                $query = mysqli_query($con, $sql);                $numrows = mysqli_num_rows($query);                if($numrows < 1){                    $errorPass .= "Your old password is not correct<br>";                } else {                                        $password = protect_pass($newPass);                                        $sql = "UPDATE register SET password='$password' WHERE u_name='$log_username'";                    $query = mysqli_query($con, $sql);                    if($query == true){                        $successPass = "Your password has been changed<br>";                                                // make a new cookie with their password, else they will be logged out                        $expire=time()+60*60*24*30;                        setcookie("password", $password, $expire);                    } else {                        $errorPass .= "Some unexpected error occured while trying to change your password<br>";                    }                                    }                            }

Here is the script that checks to see if the user is logged in

<?php session_start();        // include DB connection    include_once "connect.php";    // This script checks to see if a user is logged in        $user_status = false;    $log_username = "";    $log_password = "";        function eval_user($con, $user, $pass) {        $sql = "SELECT u_name, password FROM register WHERE u_name='$user' AND password='$pass' AND activated='1' ";        $query = mysql_query($sql);        $numrows = mysql_num_rows($query);                if($numrows > 0){            return true;        }    }        if(isset($_SESSION['username']) && isset($_SESSION['password']))        {            $log_username = preg_replace('#[^a-z0-9]#i', '', $_SESSION['username']);            $log_password = preg_replace('#[^a-z0-9.!#%&]#i', '', $_SESSION['password']);                        // verify the user            $user_status = eval_user($con, $log_username, $log_password);        }    else if(isset($_COOKIE['username']) && isset($_COOKIE['password']))        {            $_SESSION['username'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['username']);            $_SESSION['password'] = preg_replace('#[^a-z0-9.!#%&]#i', '', $_COOKIE['password']);            $log_username = $_SESSION['username'];            $log_password = $_SESSION['password'];                                    // verify the user            $user_status = eval_user($con, $log_username, $log_password);        }?>

Edited May 17, 2014 by etsted

[davej]

It isn't clear to me that you know what a session variable is or what it is for. Why is the password assigned to a session variable? Why is the password assigned to a cookie?

[justsomeguy]

Never put a password in a cookie. A cookie with a username/password pair is exactly the same as someone having the password. If that cookie gets stolen then the attacker has access. If you're going to use cookies like that then you need to store a unique token that ties the cookie to that computer so that it can't be stolen and used elsewhere.I also don't see a reason to store the password in the session either.