Login bug: 1 failed login blocks future logins

[steltek]

c.f. subject. If I try to login and mistype my password, I cannot login at all any more. I keep getting redirected to the login page even if I am 100% certain that I typed the correct userid and pw. Only after restarting the browser (or manually wiping out the ZMSESSID cookie) are logins possible again.

I have verified this on 2 machines running PHP 4.3.3/4.3.4 and Apache/1.3.29. Could it be a PHP configuration problem or is this a bug that other people see too?

[zoneminder]

Hi Michel,

Thanks for reporting this, I will look into it and try and get a fix in for the next release.

Phil,

[fernando]

this is an old "bug".. but i found this usefull to prevent unautorized logins..

[karlg]

this is actually really easy to fix.

in zp_funcs.php, line 38:

else
{
unset( $user );
}

add 2 lines:

else
{
unset( $user );
session_unset();
session_destroy();
}

[karlg]

also, for logic sake, looks like the session_write_close(); should be in the if statement that tests the results of the mysql query: (since, you're only going to write_close the session, only if the login is valid, otherwise it's going to unset/destroy the session)

if ( $db_user = mysql_fetch_assoc( $result ) )
{
$HTTP_SESSION_VARS['user'] = $user = $db_user;
<b>session_write_close();</b>
}

i've tested these 2 changes on my ZM, and seems to fix the broken login problem.