I have a user login system built to access the admin area of my site. Once you've logged in and then log out, you can just type the address of the admin page directly into the URL and get there, just as if you're still logged in. It appears you never really log out.
I get these errors when linking directly to a protected page.
Lines 10 and 11:
if($_SESSION['access'] != TRUE) {
header('Location: login.php'); }
I have an _admin/index.php which you need to be logged in to see.
_admin/Login.php
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include('../_assets/path.php');
session_save_path($path);
if(empty($_POST)) {
    $status = 'Please Enter Username and Password to Add, Edit and Remove Sermons.';
} else {
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $error_list = array();
    if(empty($user)) {
        $error_list[] = 'Please Enter Your Username';
    }
    if(empty($pass)) {
        $error_list[] = 'Please Enter Your Password';
    }
    if(empty($error_list)) {
        include('../_assets/info.php');
        mysql_connect("$host", "$username", "$password")or die("Could Not Connect to Server. Check Login Info.");
        mysql_select_db("$db_name")or die('Could Not Connect to Database. Please email the webmaster at christensonmedia@gmail.com and try again later.');
        $sql = "SELECT id";
        $sql .= " FROM users";
        $sql .= " WHERE user='$user'";
        $sql .= " AND pass='$pass'";
        $result = mysql_query($sql);
        if(mysql_num_rows($result) == 1) {
            session_start();
            $_SESSION['access'] = TRUE;
            header('Location: index.php');
        } else {
            $status = 'The Username and Password you entered was invalid. Please Try again.';
        }
    } else {
        foreach($error_list as $error_message) {
            $status = "$error_message<br />";
        }
    }
}
?>
_admin/Logout.php
<?php
include('../_assets/path.php');
session_save_path($path);
session_start();
$_SESSION['access'] = FALSE;
session_destroy();
header('Location: ../index.php');
?>
And the code that checks for the user's status on _admin/index.php
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include('../_assets/path.php');
session_save_path($path);
session_start();
if($_SESSION['access'] != TRUE) {
    header('Location: login.php');
}
include('../_assets/info.php');
mysql_connect("$host", "$username", "$password")or die("Could Not Connect to Server. Check Login Info.");
mysql_select_db("$db_name")or die('Could Not Connect to Database. Please email the webmaster at christensonmedia@gmail.com and try again later.');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
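An added example, not part of the original post: the guard in _admin/index.php reads `$_SESSION['access']` without checking that it is set and keeps executing after `header()`, so once the session has been destroyed the page body is still produced. The sketch below shows a guard that stops the script, plus a full session teardown for logout; the function names `require_login`, `logout` and `grant_access` are hypothetical, and `session_save_path($path)` is assumed to have been called first, as in the post.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.
// Assumes session_save_path($path) was already called, as in the post.

// Guard for protected pages: call at the top, before any output.
function require_login($loginUrl = 'login.php')
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // empty() raises no notice when the key is missing, so with
    // display_errors on nothing is printed ahead of header().
    if (empty($_SESSION['access']) || $_SESSION['access'] !== true) {
        header('Location: ' . $loginUrl);
        // Without exit the rest of the protected page still runs
        // and its output is still produced.
        exit;
    }
}

// Full teardown for the logout page.
function logout($redirectUrl = '../index.php')
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = array();              // clear data held in this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                // remove the server-side session data
    header('Location: ' . $redirectUrl);
    exit;
}

// Call after the credential check succeeds on the login page.
function grant_access()
{
    session_regenerate_id(true);      // fresh id, old session data deleted
    $_SESSION['access'] = true;
}
```

In this sketch, _admin/index.php would call `require_login();` and the logout page would call `logout();`, each before any HTML is sent.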