Session caching problem

Question

I have a strange problem with php sessions. I use them for authorization on my site. I store two variables - currently logged in user's id and username in session. When I log in with one username, than log out and log in again with another username the previous user's id is returned using the session variable instead of the current user.

The most strange thing is that this happens only when it comes to insert some data into database. When I directly echo this variable the correct id is displayed, but when I insert new record into database this variable sends incorrect id.

Here is the php code I use for sending data into database:

<?php
session_start();
//connect database
require_once 'dbc.php';

$authorID = $_SESSION['user_id'];
if ( $authorID != 0 ) {
        $content = htmlentities($_POST["answ_content"],ENT_COMPAT,'UTF-8');
        $dro = date('Y-m-d H:i:s');
        $qID = $_POST["question_ID"];
        $author = 'avtori';


        $sql="INSERT INTO comments (comment_ID, comment_post_ID, comment_author, comment_date, comment_content, user_id) 
            VALUES
          (NULL, '$qID', '$author', '$dro', '$content', '$authorID')";

        $result = mysql_query($sql);

} else {
    echo 'error';
}

?>

Can anyone please help?

Here is the logout function:

function logout()
{
global $db;
session_start();

if(isset($_SESSION['user_id']) || isset($_COOKIE['user_id'])) {
mysql_query("update `users` 
            set `ckey`= '', `ctime`= '' 
            where `id`='$_SESSION[user_id]' OR  `id` = '$_COOKIE[user_id]'") or die(mysql_error());
}           

/************ Delete the sessions****************/
unset($_SESSION['user_id']);
unset($_SESSION['user_name']);
unset($_SESSION['user_level']);
unset($_SESSION['HTTP_USER_AGENT']);
session_unset();
session_destroy(); 

/* Delete the cookies*******************/
setcookie("user_id", '', time()-60*60*24*COOKIE_TIME_OUT, "/");
setcookie("user_name", '', time()-60*60*24*COOKIE_TIME_OUT, "/");
setcookie("user_key", '', time()-60*60*24*COOKIE_TIME_OUT, "/");

header("Location: index.php");
}

Here is the authentication script:

include 'dbc.php';

$err = array();

foreach($_GET as $key => $value) {
    $get[$key] = filter($value); //get variables are filtered.
}

if ($_POST['doLogin']=='Login')
{

foreach($_POST as $key => $value) {
    $data[$key] = filter($value); // post variables are filtered
}


$user_email = $data['usr_email'];
$pass = $data['pwd'];


if (strpos($user_email,'@') === false) {
    $user_cond = "user_name='$user_email'";
} else {
      $user_cond = "user_email='$user_email'";

}


$result = mysql_query("SELECT `id`,`pwd`,`full_name`,`approved`,`user_level` FROM users WHERE 
           $user_cond
            AND `banned` = '0'
            ") or die (mysql_error()); 
$num = mysql_num_rows($result);

  // Match row found with more than 1 results  - the user is authenticated. 
    if ( $num > 0 ) { 

    list($id,$pwd,$full_name,$approved,$user_level) = mysql_fetch_row($result);

    if(!$approved) {
    //$msg = urlencode("Account not activated. Please check your email for activation code");
    $err[] = "Account not activated. Please check your email for activation code";

    //header("Location: login.php?msg=$msg");
     //exit();
     }

        //check against salt
    if ($pwd === PwdHash($pass,substr($pwd,0,9))) { 
     // this sets session and logs user in  
       session_start();
       session_regenerate_id (true); //prevent against session fixation attacks.

       // this sets variables in the session 
        $_SESSION['user_id']= $id;  
        $_SESSION['user_name'] = $full_name;
        $_SESSION['user_level'] = $user_level;
        $_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);

        //update the timestamp and key for cookie
        $stamp = time();
        $ckey = GenKey();
        mysql_query("update users set `ctime`='$stamp', `ckey` = '$ckey' where id='$id'") or die(mysql_error());

        //set a cookie 

       if(isset($_POST['remember'])){
                  setcookie("user_id", $_SESSION['user_id'], time()+60*60*24*COOKIE_TIME_OUT, "/");
                  setcookie("user_key", sha1($ckey), time()+60*60*24*COOKIE_TIME_OUT, "/");
                  setcookie("user_name",$_SESSION['user_name'], time()+60*60*24*COOKIE_TIME_OUT, "/");
                   }
        if(empty($err)){            
          header("Location: myaccount.php");
         }
        }
        else
        {
        //$msg = urlencode("Invalid Login. Please try again with correct user email and password. ");
        $err[] = "Invalid Login. Please try again with correct user email and password.";
        //header("Location: login.php?msg=$msg");
        }
    } else {
        $err[] = "Error - Invalid login. No such user exists";
      }     
}

Answer 1

It kills me how many people post code vulnerable to SQL injection!

<?php
$content = htmlentities($_POST["answ_content"],ENT_COMPAT,'UTF-8');
        // ^ Attack  vector
$dro = date('Y-m-d H:i:s');
$qID = $_POST["question_ID"];
    // ^ Attack vector
$author = 'avtori';

$sql="INSERT INTO comments (comment_ID, comment_post_ID, comment_author, comment_date, comment_content, user_id) 
      VALUES
      (NULL, '$qID', '$author', '$dro', '$content', '$authorID')";
?>

Sanitize your database inputs!

Answer 2

Try nuking the session from orbit: session_destroy

Call it, nuke their session cookie, end the script immediately, and direct the user to the login page. They'll get a new session there and log in properly.

Answer 3

You can use session_regenerate_id to make sure to use a new session ID and destroy the old one:

session_start();
if ($userIsAuthentic) {
    session_regenerate_id(true);
}

If you’re not using PHP 5.1.0 or higher you can use this equivalent to substitute the missing delete_old_session parameters:

session_start();
if ($userIsAuthentic) {
    $_SESSION = array();
    session_destroy();
    session_write_close();
    session_start();
    session_regenerate_id();
}