Jump to content

i am always logged out when i change my password


etsted
 Share

Recommended Posts

why does this cript keep logging me out when i change my password?

$errorPass = $successPass = $oldPass = $newPass = $repeatNewPass="";        // this is used to change someones password        if(isset($_POST['changePass'])){            // check to make sure they have written in their old password            if(empty($_POST['oldPass'])){                $errorPass .= "Fill out Old password field<br>";            } else {                $oldPass = mysqli_real_escape_string($con, $_POST['oldPass']);            }                        // check to make sure they have written in their new password            if(empty($_POST['newPass'])){                $errorPass .= "Fill out New password field<br>";            } else {                $newPass = mysqli_real_escape_string($con, $_POST['newPass']);            }            // check to make sure they have reapeated their new password            if(empty($_POST['repeatNewPass'])){                $errorPass .= "Fill out Repeat new password field<br>";            } else {                $repeatNewPass = mysqli_real_escape_string($con, $_POST['repeatNewPass']);                                // check to make sure that $newPass and $repeatNewPass matches                if($newPass != $repeatNewPass){                    $errorPass .= "Your new passwords does not match<br>";                }            }                        // hash the password, before testing it against the DB                    function protect_pass($val) {                        return md5($val);                    }                        if(empty($errorPass)){                                    $pass_hash = protect_pass($oldPass);                                // check to make sure their old password is correct                $sql = "SELECT password FROM register WHERE password='$pass_hash'";                $query = mysqli_query($con, $sql);                $numrows = mysqli_num_rows($query);                if($numrows < 1){                    $errorPass .= "Your old password is not correct<br>";                } else {                                        $pass_hash = protect_pass($newPass);                                        $sql = "UPDATE register SET password='$pass_hash' WHERE u_name='$log_username'";                    $query = mysqli_query($con, $sql);                    if($query == true){                        $successPass = "Your password has been changed<br>";                    } else {                        $errorPass .= "Some unexpected error occured while trying to change your password<br>";                    }                                    }                            }
Edited by etsted
Link to comment
Share on other sites

Is it the all code? I cant see anything in this code which can do like it.

Link to comment
Share on other sites

this is the form you have to fill out

<form action="" method="post" name="changePass" id="changePass">            Old password: <input type="password" name="oldPass" style="margin-left: 50px;">            <br>            New password: <input type="password" name="newPass" style="margin-left: 43px;">            <br>            Repeat new password: <input type="password" name="repeatNewPass" style="margin-left: 1px;">            <br><br>            <input type="submit" name="changePass" value="Change password">        </form>
Link to comment
Share on other sites

actually i dint fix it

here is the updated code:

 $errorPass = $successPass = $oldPass = $newPass = $repeatNewPass="";        // this is used to change someones password        if(isset($_POST['changePass'])){            // check to make sure they have written in their old password            if(empty($_POST['oldPass'])){                $errorPass .= "Fill out Old password field<br>";            } else {                $oldPass = mysqli_real_escape_string($con, $_POST['oldPass']);            }                        // check to make sure they have written in their new password            if(empty($_POST['newPass'])){                $errorPass .= "Fill out New password field<br>";            } else {                $newPass = mysqli_real_escape_string($con, $_POST['newPass']);            }            // check to make sure they have reapeated their new password            if(empty($_POST['repeatNewPass'])){                $errorPass .= "Fill out Repeat new password field<br>";            } else {                $repeatNewPass = mysqli_real_escape_string($con, $_POST['repeatNewPass']);                                // check to make sure that $newPass and $repeatNewPass matches                if($newPass != $repeatNewPass){                    $errorPass .= "Your new passwords does not match<br>";                }            }                        // hash the password, before testing it against the DB            function protect_pass($val) {                            return md5($val);            }                        if(empty($errorPass)){                                    $password = protect_pass($oldPass);                                // check to make sure their old password is correct                $sql = "SELECT password FROM register WHERE password='$password'";                $query = mysqli_query($con, $sql);                $numrows = mysqli_num_rows($query);                if($numrows < 1){                    $errorPass .= "Your old password is not correct<br>";                } else {                                        $password = protect_pass($newPass);                                        $sql = "UPDATE register SET password='$password' WHERE u_name='$log_username'";                    $query = mysqli_query($con, $sql);                    if($query == true){                        $successPass = "Your password has been changed<br>";                                                // make a new cookie with their password, else they will be logged out                        $expire=time()+60*60*24*30;                        setcookie("password", $password, $expire);                    } else {                        $errorPass .= "Some unexpected error occured while trying to change your password<br>";                    }                                    }                            }

Here is the script that checks to see if the user is logged in

<?php session_start();        // include DB connection    include_once "connect.php";    // This script checks to see if a user is logged in        $user_status = false;    $log_username = "";    $log_password = "";        function eval_user($con, $user, $pass) {        $sql = "SELECT u_name, password FROM register WHERE u_name='$user' AND password='$pass' AND activated='1' ";        $query = mysql_query($sql);        $numrows = mysql_num_rows($query);                if($numrows > 0){            return true;        }    }        if(isset($_SESSION['username']) && isset($_SESSION['password']))        {            $log_username = preg_replace('#[^a-z0-9]#i', '', $_SESSION['username']);            $log_password = preg_replace('#[^a-z0-9.!#%&]#i', '', $_SESSION['password']);                        // verify the user            $user_status = eval_user($con, $log_username, $log_password);        }    else if(isset($_COOKIE['username']) && isset($_COOKIE['password']))        {            $_SESSION['username'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['username']);            $_SESSION['password'] = preg_replace('#[^a-z0-9.!#%&]#i', '', $_COOKIE['password']);            $log_username = $_SESSION['username'];            $log_password = $_SESSION['password'];                                    // verify the user            $user_status = eval_user($con, $log_username, $log_password);        }?>
Edited by etsted
Link to comment
Share on other sites

It isn't clear to me that you know what a session variable is or what it is for. Why is the password assigned to a session variable? Why is the password assigned to a cookie?

Link to comment
Share on other sites

Never put a password in a cookie. A cookie with a username/password pair is exactly the same as someone having the password. If that cookie gets stolen then the attacker has access. If you're going to use cookies like that then you need to store a unique token that ties the cookie to that computer so that it can't be stolen and used elsewhere.I also don't see a reason to store the password in the session either.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...