Sure.
The site is here: http://www.nilsson-online.net/fh/
I've set up a test-account: Username [ test1 ], Password [ password ]
I've enabled debug output (print_r of the session and cookie) at the top of every page.
I'll paste the functions I'm using to log in and verify users:
# memberLogin
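/**
 * Handle the login form: look the member up by the posted username, check the
 * posted password against the stored MD5 hash, and on success record the
 * session in the database, fill $_SESSION via setUserSession() and optionally
 * set the "remember me" cookie. Renders a result page in every case.
 *
 * Reads $_POST['username'], $_POST['password'], $_POST['storeCookie'] and
 * $_SERVER['REMOTE_ADDR']. Returns nothing.
 */
function memberLogin()
{
    /*
    Columns of TABLE_MEMBERS, as listed by the author:
    rosterID (int)
    memberLogin (text)
    memberPasswordMD5 (text)
    memberPasswordCrypt (text)
    memberPasswordExpire (int - time())
    memberStoreCookie (int - 0/1)
    memberIpMD5 (text)
    memberIpAllowChange (int - 0/1)
    memberCallsign (text)
    memberIsAdmin (int - 0/1)
    */

    # Form fields are attacker-controlled: accept plain strings only, so a
    # missing field or an array value (username[]=x) cannot reach the query.
    $username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
    $password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';
    # HTML-escaped copy for the error pages, which echo the name back.
    $usernameHtml = htmlspecialchars($username, ENT_QUOTES);

    DB_Connect();
    # The username goes into a string-built query, so it must be escaped while
    # the connection is open. mysql_* offers no prepared statements; moving to
    # mysqli/PDO with bound parameters is the long-term fix.
    $SQL = "SELECT * FROM " . TABLE_MEMBERS . " WHERE memberLogin = '" . mysql_real_escape_string($username) . "'";
    $Q = mysql_query($SQL);
    # A failed query returns false; treat that as "no such member".
    $R = $Q ? mysql_fetch_object($Q) : false;
    $N = $Q ? mysql_num_rows($Q) : 0;
    DB_Disconnect();

    # NOTE(review): the two error pages below tell a visitor whether a username
    # exists. One generic "login failed" message would not leak that.
    if ($N === 1 && $R)
    {
        # Strict comparison: with == two hex digests that both look like
        # numbers (e.g. "0e...") compare equal even though they differ.
        # NOTE(review): unsalted MD5 is not a password hash; the stored format
        # is kept here because changing it needs a data migration.
        if (md5($password) === $R->memberPasswordMD5)
        {
            # Issue a fresh PHP session ID at the privilege change so an ID
            # planted before login cannot be reused afterwards.
            if (session_id() === '')
            {
                session_start();
            }
            session_regenerate_id(true);

            # Cookie-Expire, 30 days
            $cookieExpire = time() + 2592000;
            # SessionID, ID, EMail, Time, md5-hash
            # NOTE(review): every input to this hash is guessable (ID, e-mail,
            # clock), so the token is not unpredictable; a random token from a
            # CSPRNG would be the safer source.
            $sessionID = md5($R->rosterID . $R->memberEMail . time() . $cookieExpire);
            # User IP, md5-hash
            $userIP = md5($_SERVER['REMOTE_ADDR']);
            # LastVisit
            $lastVisit = time();
            # Cookie-Serialize-MD5: rosterID, sessionID, userIP, lastvisit
            $cookieData = serialize(array($R->rosterID, $sessionID, $userIP, $lastVisit));
            # Store Cookie
            $storeCookie = (isset($_POST['storeCookie']) && $_POST['storeCookie'] == 1) ? 1 : 0;

            # Store Data in DB. Every value is an md5 digest or an integer.
            DB_Connect();
            $SQL = "UPDATE " . TABLE_MEMBERS . " SET memberIpMD5 = '" . $userIP . "', memberSessionID = '" . $sessionID . "', memberLastVisit = '" . $lastVisit . "' WHERE rosterID = '" . (int) $R->rosterID . "'";
            $Q = mysql_query($SQL);
            DB_Disconnect();

            # Set User Session : userid, sessionid, cookieexpire, userip, cookiedata, lastvisit
            setUserSession($R->rosterID, $sessionID, $cookieExpire, $userIP, $cookieData, $storeCookie, $lastVisit, $R->memberIsAdmin);

            # Check if user wants cookie stored
            if ($storeCookie == 1)
            {
                # Use the computed 30-day expiry; the absolute timestamp that
                # was hard-coded here for debugging stops working once passed.
                setcookie(COOKIE_NAME, $cookieData, $cookieExpire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
            }

            include(PAGE_HEAD);
            # The callsign is member-supplied text printed into HTML.
            printMsgLarge("Login Success", htmlspecialchars($R->memberCallsign, ENT_QUOTES) . ", you have been logged in.");
            include(PAGE_TAIL);
        }
        else
        {
            include(PAGE_HEAD);
            printMsgLarge("Login Error", "Username [ " . $usernameHtml . " ] found.<br>Provided password does not match stored password.<br>Check spelling and caps.<br>Don't remeber your password? Get a new <a href=\"" . URL_BASE . "/member.lostPassword.php\">HERE</a>...");
            include(PAGE_TAIL);
        }
    }
    else
    {
        include(PAGE_HEAD);
        printMsgLarge("Login Error", "Username [ " . $usernameHtml . " ] not found.<br>Check spelling.");
        include(PAGE_TAIL);
    }
}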
# Verify User
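/**
 * Re-validate the visitor on every page load.
 *
 * Order of checks: an existing verified session is matched against the
 * database; failing that, the "remember me" cookie is tried; if neither
 * matches a member row, session and cookie are removed. Returns nothing.
 *
 * NOTE(review): the IP hash is stored and refreshed but never compared, and
 * only elements [0] and [1] of the cookie are used, so neither the IP nor the
 * timestamp in the cookie restricts where or when it can be replayed.
 */
function verifyUser()
{
    session_start();

    # Hash of the current client address; used by both branches below.
    $userIP = md5($_SERVER['REMOTE_ADDR']);

    # If USER_VERIFIED is set, then the session appears to be valid and we verify it.
    if (isset($_SESSION['USER_VERIFIED']) && $_SESSION['USER_VERIFIED'] == 1)
    {
        $R = _verifyUserFindMember(
            isset($_SESSION['USER_ID']) ? $_SESSION['USER_ID'] : 0,
            isset($_SESSION['SESSION_ID']) ? $_SESSION['SESSION_ID'] : ''
        );
        if ($R)
        {
            setUserSession($R->rosterID, $R->memberSessionID, time() + 2592000, $_SESSION['USER_IP'], $_SESSION['COOKIE_DATA'], $_SESSION['STORE_COOKIE'], time(), $R->memberIsAdmin);
            if ($_SESSION['STORE_COOKIE'] == 1)
            {
                # Rolling 30-day expiry instead of the hard-coded debug timestamp.
                setcookie(COOKIE_NAME, $_SESSION['COOKIE_DATA'], time() + 2592000, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
            }
            # Store Data in DB
            _verifyUserTouchMember($R, $userIP);
        }
        else
        {
            removeUserSession();
            removeUserCookie();
        }
    }
    # Ops, no session found (maybe a returning user?), check for cookie & expiration
    elseif (isset($_COOKIE[COOKIE_NAME]))
    {
        # NOTE(review): unserialize() on a client-supplied cookie lets the
        # sender choose which classes get instantiated (PHP object injection).
        # The call is kept so existing cookies stay readable; an opaque random
        # token looked up server-side, or a plain delimited value, removes the
        # risk. The result is shape-checked before any element is used.
        $cookieData = is_string($_COOKIE[COOKIE_NAME]) ? unserialize($_COOKIE[COOKIE_NAME]) : false;

        $R = false;
        if (is_array($cookieData)
            && isset($cookieData[0], $cookieData[1])
            && is_scalar($cookieData[0])
            && is_scalar($cookieData[1]))
        {
            $R = _verifyUserFindMember($cookieData[0], $cookieData[1]);
        }

        if ($R)
        {
            $cookieData = serialize(array($R->rosterID, $R->memberSessionID, $userIP, time()));
            # Store Data in DB
            _verifyUserTouchMember($R, $userIP);
            # $userIP was never assigned in this function before, so the
            # session received an undefined value here.
            setUserSession($R->rosterID, $R->memberSessionID, time() + 2592000, $userIP, $cookieData, 1, time(), $R->memberIsAdmin);
            setcookie(COOKIE_NAME, $cookieData, time() + 2592000, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
        }
        else
        {
            removeUserSession();
            removeUserCookie();
        }
    }
    else
    {
        removeUserSession();
        removeUserCookie();
    }
}

# Look up the single member row matching both the roster ID and the session ID.
# Returns the row object, or false when there is no unique match.
function _verifyUserFindMember($rosterID, $sessionID)
{
    $sessionID = (string) $sessionID;
    # An empty token must never authenticate: it would otherwise match any
    # row whose memberSessionID column is still blank.
    if ($sessionID === '')
    {
        return false;
    }

    DB_Connect();
    # Integer cast for the ID, escaping for the token: both can originate from
    # the cookie. Bound parameters (mysqli/PDO) are the long-term fix.
    $SQL = "SELECT * FROM " . TABLE_MEMBERS . " WHERE rosterID = '" . (int) $rosterID . "' AND memberSessionID = '" . mysql_real_escape_string($sessionID) . "'";
    $Q = mysql_query($SQL);
    # A failed query returns false; treat that as "no match".
    $R = $Q ? mysql_fetch_object($Q) : false;
    $N = $Q ? mysql_num_rows($Q) : 0;
    DB_Disconnect();

    return ($N === 1 && $R) ? $R : false;
}

# Refresh the member's stored IP hash, session ID and last-visit time.
function _verifyUserTouchMember($R, $userIP)
{
    DB_Connect();
    $SQL = "UPDATE " . TABLE_MEMBERS . " SET memberIpMD5 = '" . $userIP . "', memberSessionID = '" . mysql_real_escape_string($R->memberSessionID) . "', memberLastVisit = '" . time() . "' WHERE rosterID = '" . (int) $R->rosterID . "'";
    mysql_query($SQL);
    DB_Disconnect();
}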
verifyUser() is called at the top of every page, before any output is started, and it works, as the session gets updated.
memberLogin() is only called on the login page.
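/**
 * Copy the member's login state into $_SESSION and mark the session verified.
 *
 * Each argument is stored under the matching upper-case key (USER_ID,
 * SESSION_ID, COOKIE_EXPIRE, USER_IP, COOKIE_DATA, STORE_COOKIE, LAST_VISIT,
 * MEMBER_IS_ADMIN); USER_VERIFIED is always set to 1. Returns nothing.
 */
function setUserSession($user_id, $session_id, $cookie_expire, $user_ip, $cookie_data, $store_cookie, $last_visit, $member_is_admin)
{
    # verifyUser() has already started the session on every page; starting it
    # a second time only raises a notice, so start it only when none is active.
    if (session_id() === '')
    {
        session_start();
    }

    $_SESSION['USER_ID'] = $user_id;
    $_SESSION['SESSION_ID'] = $session_id;
    $_SESSION['COOKIE_EXPIRE'] = $cookie_expire;
    $_SESSION['USER_IP'] = $user_ip;
    $_SESSION['COOKIE_DATA'] = $cookie_data;
    $_SESSION['STORE_COOKIE'] = $store_cookie;
    $_SESSION['LAST_VISIT'] = $last_visit;
    # The admin flag is cached here; callers pass the value read from the
    # database on each verification.
    $_SESSION['MEMBER_IS_ADMIN'] = $member_is_admin;
    $_SESSION['USER_VERIFIED'] = 1;
}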
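/**
 * Log the visitor out on the server side: drop every login-related key from
 * $_SESSION and destroy the session's stored data. Returns nothing.
 *
 * NOTE(review): the browser's session-ID cookie itself is not cleared here.
 */
function removeUserSession()
{
    # Callers such as verifyUser() have usually started the session already;
    # only start one when none is active, to avoid the duplicate-start notice.
    if (session_id() === '')
    {
        session_start();
    }

    $loginKeys = array(
        'USER_ID',
        'SESSION_ID',
        'COOKIE_EXPIRE',
        'USER_IP',
        'COOKIE_DATA',
        'STORE_COOKIE',
        'LAST_VISIT',
        'USER_VERIFIED',
        'MEMBER_IS_ADMIN',
    );
    foreach ($loginKeys as $key)
    {
        unset($_SESSION[$key]);
    }

    session_destroy();
}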
/**
 * Send the "remember me" cookie with the site-wide name, path, domain and
 * secure setting taken from the COOKIE_* constants.
 *
 * $cookie_data is the cookie value, $cookie_expire its expiry as a Unix
 * timestamp. Must run before any output. Returns nothing.
 */
function setUserCookie($cookie_data, $cookie_expire)
{
    $name = COOKIE_NAME;
    $path = COOKIE_PATH;
    $domain = COOKIE_DOMAIN;
    $secureOnly = COOKIE_SECURE;

    # NOTE(review): no HttpOnly argument is passed, so page scripts can read
    # this cookie.
    setcookie($name, $cookie_data, $cookie_expire, $path, $domain, $secureOnly);
}
/**
 * Ask the browser to drop the "remember me" cookie by re-sending it with an
 * empty value and an expiry one hour in the past. The name, path and domain
 * come from the same COOKIE_* constants used when the cookie was set.
 * Returns nothing.
 */
function removeUserCookie()
{
    $alreadyExpired = time() - 3600;
    $emptyValue = "";

    setcookie(COOKIE_NAME, $emptyValue, $alreadyExpired, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
}
And those work with the session and cookie stuff.
Although I've hard-set the cookie stuff in verifyUser for debugging purposes...
Anything else you need to see?
Also, the help from everyone is very much appreciated; these things can be a pain to get to work...
EDIT: And of course the cookie-config:
# Cookie settings shared by every setcookie() call on the site.
define('COOKIE_NAME', 'fh_member_cookie');
# The cookie is only sent for URLs under this path...
define('COOKIE_PATH', '/fh');
# ...and, because of the leading dot, to the domain and its subdomains.
define('COOKIE_DOMAIN', '.nilsson-online.net');
# "0" is falsy, so the Secure flag is off and the login cookie also travels
# over plain HTTP.
define('COOKIE_SECURE', '0');