
Authorization Session issues


monstaface
Go to solution Solved by davidannis,


I am creating separate logins for users, and once my staff have logged in, the pages they have access to are not visible to other users; however, if the users find the URL and type it in, they can still view the link.

I then created a session to fix this issue with the following code:

session_start();
include ("db.php");
if(!isset($_SESSION['sId']))
    die("Access not allowed ");

However now even if a staff member is logged into the system I still receive the following statement when they attempt to access the page:

'Access not allowed '

 

In the getlogin page I also placed this line of code :

 

session_start();
include("db.php");
$_SESSION['sId'];

How can I fix this? Thanks in advance for your help

 


  • Solution

You need to set a value when they successfully log in, something like this:

if ($user_name==$db_user_name && $pass==$db_pass){ //or whatever your successful login logic is
      $_SESSION['status']='logged_in'; // quoted string; a bare logged_in is an undefined constant
}else{
       echo 'Wrong username / password';
}

Then you can check on your page that requires a log in.

if (!isset($_SESSION['status']) || $_SESSION['status']!='logged_in'){
 die ('you need to be logged in');
}

Of course, these are code segments. You still need session_start()


$SESSION should be $_SESSION (starts with an underscore)

 

Also make sure you have started the session at the top of your getstaff page

 

You should also be sanitizing your user input before using it in your query

$email = mysql_real_escape_string($_POST['l_email']);

Passwords should be hashed not stored as plain text in the database

Edited by Ch0cu3r

Passwords should be hashed not stored as plain text in the database

 

and they should be salted (combined with some arbitrary text, preferably a different value for each record) before they are hashed. That makes it hard to run a dictionary attack against a set of hashed passwords.

 


^Thanks, I'll look into this now

 

Also, I wanted to create a link in my header where staff members can log out of the system. In the places I have searched for how to proceed, I have been told that the only code required would be:

<?php
session_start();
session_destroy();
?>

Is this the correct method?

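The points raised in this thread (assigning the session value at login, checking it on protected pages, salted password hashing, and logging out) combined into one added example; it is not code from any poster. The function names `find_staff`, `login`, `require_login` and `logout` and the sample account are hypothetical, and the lookup stands in for a query made through db.php.

```php
<?php
// Added example: function names and the sample account are hypothetical.
session_start();

// Constructed stand-in for the staff row db.php would fetch; a real hash is stored
// at registration. password_hash() embeds a random per-record salt in the hash.
function find_staff(string $email): ?array
{
    $rows = ['staff@example.com' => ['sId' => 7,
        'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $rows[$email] ?? null;
}

function login(string $email, string $password): bool
{
    $row = find_staff($email);
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;                    // same result for unknown user and bad password
    }
    session_regenerate_id(true);         // fresh session ID once the user is authenticated
    $_SESSION['sId'] = $row['sId'];      // assign a value; a bare $_SESSION['sId']; stores nothing
    return true;
}

// Call at the top of every staff-only page, after session_start().
function require_login(): void
{
    if (!isset($_SESSION['sId'])) {
        http_response_code(403);
        die('Access not allowed');
    }
}

function logout(): void
{
    $_SESSION = [];                      // clear the data for the rest of this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params(); // expire the session cookie in the browser
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                   // delete the server-side session data
}

// Demo on constructed input; printed last so no output precedes the headers.
$out = [login('staff@example.com', 'wrong'), login('staff@example.com', 'correct horse')];
$out[] = isset($_SESSION['sId']);
logout();
$out[] = isset($_SESSION['sId']);
var_dump($out);
```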
