$_SESSION['SecurityAssist_UserID = 1

Every different userID and Password combination (This was UserID 15) on the security assist login page results in the $_SESSION['SecurityAssist_UserID = 1.

I believe it was working at some point but, I probably changed something. Any ideas of what I did?


FROM LOGIN.PHP



<?php
if ((isset($_POST["LogIn_submit"]) || isset($_POST["LogIn_submit_x"]))) {
$WAFV_Redirect = "".($_SERVER["REQUEST_URI"]) ."?invalid=true";
$_SESSION['WAVT_login_Errors'] = "";
if ($WAFV_Redirect == "") {
$WAFV_Redirect = $_SERVER["PHP_SELF"];
}
$WAFV_Errors = "";
$WAFV_Errors .= WAValidateRQ((isset($_POST["Log_In_group_2_Password"])?$_POST["Log_In_group_2_Password"]:"") . "",true,1);
$WAFV_Errors .= WAValidateEL((isset($_POST["Log_In_group_2_Password"])?$_POST["Log_In_group_2_Password"]:"") . "",6,500,true,2);

if ($WAFV_Errors != "") {
PostResult($WAFV_Redirect,$WAFV_Errors,"login");
}
}
?>
<?php
$Authenticate = new WA_MySQLi_Auth($nmedia3_mysqli);
$Authenticate->Action = "authenticate";
$Authenticate->Trigger = ($_SERVER["REQUEST_METHOD"] === "POST");
$Authenticate->Name = "authenticate";
$Authenticate->Table = "pcms2_users";
$Authenticate->addFilter("UserEmail", "=", "s", "".((isset($_POST["Log_In_group_Email"]))?$_POST["Log_In_group_Email"]:"") ."");
$Authenticate->addFilter("UserPassword", "=", "s", "".((isset($_POST["Log_In_group_2_Password"]))?$_POST["Log_In_group_2_Password"]:"") ."");
$Authenticate->storeResult("UserID", "SecurityAssist_UserID");
$Authenticate->RememberMe = (isset($_POST["Log_In_group_3_Remember_my_information"]));
$Authenticate->SaveLogin = (isset($_POST["Log_In_group_4_Log_me_in_automatically"]));
$Authenticate->AutoLogin = true;
$Authenticate->AutoReturn = true;
$SuccessRedirect = "index.php";
$FailedRedirect = "login.php?failedLogin=1";
if (function_exists("rel2abs")) $SuccessRedirect = $SuccessRedirect?rel2abs($SuccessRedirect,dirname(__FILE__)):"";
if (function_exists("rel2abs")) $FailedRedirect = $FailedRedirect?rel2abs($FailedRedirect,dirname(__FILE__)):"";
$Authenticate->SuccessRedirect = $SuccessRedirect;
$Authenticate->FailRedirect = $FailedRedirect;
$Authenticate->execute();
?>



RESULTS FROM INDEX.PHP

$_SESSION['SecurityAssist_UserID = 1

Dump Sessions

array(4) { ["WAENCRYPTEDRETURNUSED"]=> bool(false) ["WAENCRYPTEDRETURNSUCCESS"]=> bool(false) ["WA_AUTH_authenticate"]=> array(1) { [0]=> string(21) "SecurityAssist_UserID" } ["SecurityAssist_UserID"]=> int(1) }





FROM INDEX.PHP

<?php require_once('../Connections/XXXXXXX_mysqli.php'); ?>
<?php require_once('../webassist/mysqli/rsobj.php'); ?>
<?php require_once( "../webassist/security_assist/helper_php.php" ); ?>
<?php
if (!WA_Auth_RulePasses("Logged in to pcms2_users")){
WA_Auth_RestrictAccess("login.php");
}
?>
<?php @session_start(); ?>
<?php
$orbUser = $_SESSION['SecurityAssist_UserID'];
$Recordset1 = new WA_MySQLi_RS("Recordset1",$nmedia3_mysqli,0);
$Recordset1->setQuery("SELECT DISTINCT partnerID, pName, pLogo,pID FROM postView WHERE partnerID=$orbUser ORDER BY pName ASC");
$Recordset1->execute();
?>
<!doctype HTML>




Thanks,

Maybe you have auto-login enabled with user 1? That would explain why they are always logged in...

I'd need FTP access and a URL to reproduce to debug this further.

Please see private reply

Those logins seem to fail for me. That might be consistent with my autologin theory. I couldn't fully test because you didn't include an ftp password.

See private message

The email addresses in the database have a space in front like:

" 15@warn.com"

That is why they are failing login. You are probably automatically logging in with an old password.

If you add the space in front of the email address to match the database, then the login will work properly.

Originally Said By: Ray Borduin

  The email addresses in the database have a space in front like:

" 15@warn.com"

That is why they are failing login. You are probably automatically logging in with an old password.

If you add the space in front of the email address to match the database, then the login will work properly.  

see private message

It was a password manager putting login info AFTER I had entered another user as it was being submitted.

As always, thanks for your help!.