twsowerby Posted April 11, 2008 Share Posted April 11, 2008 Hi all, I have a general login script that uses sessions. It basically uses an include to check if a user is logged in before they view a certain page. However when they try and view a restricted page and are not logged in, they are taken to the login page but once logged in it does not redirect them to the page they were trying to view. How would I go about doing this? Regards, Tom Quote Link to comment Share on other sites More sharing options...
conker87 Posted April 11, 2008 Share Posted April 11, 2008 Always use session_start(); On all pages that use sessions. Quote Link to comment Share on other sites More sharing options...
twsowerby Posted April 11, 2008 Author Share Posted April 11, 2008 Hi, My include which checks whether a user is logged in already contains that. What I have now is this script that is included on every restricted page: <?php //start the session session_start(); //check to make sure the session variable is registered if(session_is_registered('username')){ //the session variable is registered, the user is allowed to see anything that follows header( "Location: ./index.php" ); } else{ //the session variable isn't registered, send them back to the login page header( "Location: ./login.php" ); } ?> I need it to redirect to whatever page the user was trying to access before they were forced to login by this script. Eg, User clicks link to restricted page-->user is forced to log in-->once logged in, user arrives at page they were trying to access. Regards, Tom Quote Link to comment Share on other sites More sharing options...
MiCR0 Posted April 11, 2008 Share Posted April 11, 2008 ok I think i see what you are trying to do, well 1st you should know that this session can easy be hacked and is very unsafe however for learning its a good way to start. here is a basic system that I think you are looking for. userlogin.php <?php require("config.php"); require("db.php"); require("functions.php"); session_start(); if($_SESSION['SESS_USERNAME']) { header("Location: " . $config_basedir . "index.php"); } if($_POST['submit']) { $sql = "SELECT * FROM users WHERE username = '" . pf_fix_slashes($_POST['username']) . "' AND password = '" . md5(pf_fix_slashes($_POST['password'])) . "'"; $result = mysql_query($sql); $numrows = mysql_num_rows($result); if($numrows == 1) { $row = mysql_fetch_assoc($result); session_register("SESS_USERNAME"); session_register("SESS_USERID"); session_register("SESS_USERLEVEL"); $_SESSION['SESS_USERNAME'] = $row['username']; $_SESSION['SESS_USERID'] = $row['id']; $_SESSION['SESS_USERLEVEL'] = $row['level']; header("Location: " . $config_basedir); } else { header("Location: " . $config_basedir . "/userlogin.php?error=1"); } } else { require("header.php"); echo "<h1>Login</h1>"; if($_GET['error']) { echo "<p>Incorrect login, please try again!</p>"; } ?> <form action="<?php echo $SCRIPT_NAME ?>" method="post"> <table> <tr> <td>Username</td> <td><input type="text" name="username"></td> </tr> <tr> <td>Password</td> <td><input type="password" name="password"></td> </tr> <tr> <td></td> <td><input type="submit" name="submit" value="Login!"></td> </tr> </table> </form> <?php} ?> config.php <?php $dbhost = "localhost"; $dbuser = "root"; $dbpassword = ""; $dbdatabase = "?"; $config_basedir = "http://localhost/"; ?> db.php <?php require("config.php"); $db = mysql_connect($dbhost, $dbuser, $dbpassword); mysql_select_db($dbdatabase, $db); ?> functions.php <?php function pf_fix_slashes($string) { if (get_magic_quotes_gpc() == 1) { return($string); } else { return(addslashes($string)); } } function pf_check_number($value) { if(isset($value) == FALSE) { $error = 1; } if(is_numeric($value) == FALSE) { $error = 1; } if($error == 1) { return FALSE; } else { return TRUE; } } ?> userlogout.php <?php session_start(); require("config.php"); session_unregister("SESS_USERNAME"); session_unregister("SESS_USERID"); session_unregister("SESS_USERLEVEL"); header("Location: " . $config_basedir); ?> now for the session access code you can do from the level that you set up like the following if ($_SESSION['SESS_USERLEVEL'] == 10) { } to use this session you would add in your header.php things like this session_start(); <?php if($_SESSION['SESS_USERNAME']) { echo "Logged in as <strong>" . $_SESSION['SESS_USERNAME'] . "</strong> - <a href='userlogout.php' >Logout</a>"; } else { echo "<a href='userlogin.php' >Login</a>"; } ?> Hope this helps. For a real live site there is a free GPL Class system called DB_eSESSION which is safe 1 class which will handle all of the session stuff for you. Quote Link to comment Share on other sites More sharing options...
twsowerby Posted April 11, 2008 Author Share Posted April 11, 2008 Thanks Micro, I'm trying to implement your code but I'm struggling to get it to work, mainly syntax issues but I'm pretty new to PHP and they are frustrating me. <?php require("../includes/config.php"); require("../includes/db.php"); require("../includes/functions.php"); session_start(); if($_SESSION['SESS_USERNAME']) { header("Location: " . $config_basedir . "index.php"); } if($_POST['submit']) { $sql = "SELECT * FROM users WHERE username = '" . pf_fix_slashes($_POST['username']) . "' AND password = '" . md5(pf_fix_slashes($_POST['password'])) . "'"; $result = mysql_query($sql); $numrows = mysql_num_rows($result); if($numrows == 1) { $row = mysql_fetch_assoc($result); session_register("SESS_USERNAME"); session_register("SESS_USERID"); $_SESSION['SESS_USERNAME'] = $row['username']; $_SESSION['SESS_USERID'] = $row['id']; header("Location: " . $config_basedir); } else { header("Location: " . $config_basedir . "/login.php?error=1"); } } else { echo "<h1>Login</h1>"; echo "<form action=\"login.php\" method=\"post\">"; echo "<table>"; echo "<tr>"; echo "<td>Username</td>"; echo "<td><input type=\"text\" name=\"username\"></td>"; echo "</tr>"; echo "<tr>"; echo "<td>Password</td>"; echo "<td><input type=\"password\" name=\"password\"></td>"; echo "</tr>"; echo "<tr>"; echo "<td></td>"; echo "<td><input type=\"submit\" name=\"submit\" value=\"Login!\"></td>"; echo "</tr>"; echo "</table>"; echo "</form>"; } if($_GET['error']) { echo "<p>Incorrect login, please try again!</p>"; } ?> I echoed the login form as the version you posted was outside the PHP, but was meant to be within the IF statement. If that is wrong then please let me know. The problem I'm having now is that one of the dynamic URL's isn't working and keeps throwing a 404 not found when i try and run the script. Really struggling to fix it so any help would be great. Thanks, Tom Quote Link to comment Share on other sites More sharing options...
MiCR0 Posted April 11, 2008 Share Posted April 11, 2008 that code I post works fine try making a new dir and placing the files there and testing it before you try adding your code too it. Quote Link to comment Share on other sites More sharing options...
twsowerby Posted April 11, 2008 Author Share Posted April 11, 2008 Oh yes it does, im very sorry! I must have messed it up somehow when i was editing. Ok I've got your code working, but how to I go about checking if the user is logged in on each restricted page? I saw your if ($_SESSION['SESS_USERLEVEL'] == 10) { } But I don't really want to do membership levels, just need it to redirect to the login page if the session isnt active. Regards, Tom Quote Link to comment Share on other sites More sharing options...
laffin Posted April 11, 2008 Share Posted April 11, 2008 on yer login form if a user is not logged in send a GET variable to the login form so a user can return to the url he was at. to save any url parameters, u may want to encode the uri line. thus not affecting the login parameters if any. if(!$loggedin) { $uri = urlencode(gzdeflate($_SERVER['REQUEST_URI'],9)); header("Location: http://www.mysite.com/login.php?returnto=$uri"); exit; } in the login processing script, check the returnto var if(isset($_GET['returnto']) $returnto=gzinflate(urldecode($_GET['returnto'])); else $returnto='index.php'; header('Location: $returnto"); exit; these are simple examples. u may want to add some checking to avoid the returnto from being abused from outside domains. Quote Link to comment Share on other sites More sharing options...
twsowerby Posted April 11, 2008 Author Share Posted April 11, 2008 Thanks laffin, I did what you said and I'm hoping it will work but unfortunately my lack of PHP experience i killing me again, I'm finding a syntax error in a nested if that looks fine to me, coulf you have a look for me and see if you can see the problem? The error is on the line where I try and retrieve the url that has been passed through. (if(isset($_GET['returnto'])...) <?php require("config.php"); require("db.php"); require("functions.php"); session_start(); if($_SESSION['SESS_USERNAME']) { } if($_POST['submit']) { $sql = "SELECT * FROM users WHERE username = '" . pf_fix_slashes($_POST['username']) . "' AND password = '" . md5(pf_fix_slashes($_POST['password'])) . "'"; $result = mysql_query($sql); $numrows = mysql_num_rows($result); if($numrows == 1) { $row = mysql_fetch_assoc($result); session_register("SESS_USERNAME"); session_register("SESS_USERID"); session_register("SESS_USERLEVEL"); $_SESSION['SESS_USERNAME'] = $row['username']; $_SESSION['SESS_USERID'] = $row['id']; $_SESSION['SESS_USERLEVEL'] = $row['level']; if(isset($_GET['returnto']) { $returnto=gzinflate(urldecode($_GET['returnto'])); } else { $returnto='index.php';<br>header('Location: $returnto'); exit;} } else { header("Location: " . $config_basedir . "/userlogin.php?error=1"); } } else { require("header.php"); echo "<h1>Login</h1>"; if($_GET['error']) { echo "<p>Incorrect login, please try again!</p>"; } ?> <form action="<?php echo $SCRIPT_NAME ?> "" method="post"> <table> <tr> <td>Username</td> <td><input type="text" name="username"></td> </tr> <tr> <td>Password</td> <td><input type="password" name="password"></td> </tr> <tr> <td></td> <td><input type="submit" name="submit" value="Login!"></td> </tr> </table> </form> <?php } ?> Regards, Tom Quote Link to comment Share on other sites More sharing options...
laffin Posted April 11, 2008 Share Posted April 11, 2008 Missing paren if(isset($_GET['returnto'])) { shude have 2 ending parens Quote Link to comment Share on other sites More sharing options...
twsowerby Posted April 11, 2008 Author Share Posted April 11, 2008 Right laffin, I hope your still around, cos im a bit stuffed if not! All the syntax is fine and theres no errors, i just can't get it to do what I need! I don;t think the url is being passed properly, but I don't know why! This is what I have so far: userlogin.php <?php require("config.php"); require("db.php"); require("functions.php"); session_start(); if($_SESSION['SESS_USERNAME']) { header("Location: " . $config_basedir); } if($_POST['submit']) { $sql = "SELECT * FROM users WHERE username = '" . pf_fix_slashes($_POST['username']) . "' AND password = '" . md5(pf_fix_slashes($_POST['password'])) . "'"; $result = mysql_query($sql); $numrows = mysql_num_rows($result); if($numrows == 1) { $row = mysql_fetch_assoc($result); session_register("SESS_USERNAME"); session_register("SESS_USERID"); session_register("SESS_USERLEVEL"); $_SESSION['SESS_USERNAME'] = $row['username']; $_SESSION['SESS_USERID'] = $row['id']; $_SESSION['SESS_USERLEVEL'] = $row['level']; if(isset($_GET['returnto'])) { $returnto=gzinflate(urldecode($_GET['returnto'])); } else { $returnto='index.php'; header('Location:'. $returnto); exit;} } else { header("Location: " . $config_basedir . "/userlogin.php?error=1"); } } else { require("header.php"); echo "<h1>Login</h1>"; if($_GET['error']) { echo "<p>Incorrect login, please try again!</p>"; } ?> <form action="<?php echo $SCRIPT_NAME ?> "" method="post"> <table> <tr> <td>Username</td> <td><input type="text" name="username"></td> </tr> <tr> <td>Password</td> <td><input type="password" name="password"></td> </tr> <tr> <td></td> <td><input type="submit" name="submit" value="Login!"></td> </tr> </table> </form> <?php } ?> Thats my login script. incSession.php <?php session_start(); if($_SESSION['SESS_USERNAME']==null) { $uri = urlencode(gzdeflate($_SERVER['REQUEST_URI'],9)); header("Location: " . $config_basedir . "userlogin.php?returnto=$uri"); exit; } else { } ?> Thats what is included in all restricted pages. When I'm logged out of the system and click a restricted page, it takes me to the login page, i sign on, and then it sends me back to index.php. I need it to send me to the original page i was trying to access. Any ideas? Tom Quote Link to comment Share on other sites More sharing options...
laffin Posted April 11, 2008 Share Posted April 11, 2008 first portion i see a problem if(isset($_GET['returnto'])) { $returnto=gzinflate(urldecode($_GET['returnto'])); } else { $returnto='index.php'; } header('Location:'. $returnto); exit; The rest looks fine Quote Link to comment Share on other sites More sharing options...
twsowerby Posted April 11, 2008 Author Share Posted April 11, 2008 Hmm thanks laffin, still getting the same result as before though, very infuriating, im pretty sure its something really simple but i cant seem to sort it out. is it supposed to pass this in the url? http://localhost/sites/fyp/htdocs/userlogin.php?returnto=%D3%2F%CE%2CI-%D6O%AB%2C%D0%CF%28I%C9O.%D6%CF%ADtLN%CE%2F%CD%2B%D1%2B%C8%28%00%00 If you have any bright ideas please let me know. I'm not getting any errors, its just taking me straight back to the index page after i log in. is my if($_SESSION['SESS_USERNAME']==null) bit right? I'm thinking the $_GET['returnto'] isn't working, but I have no idea why. Tom Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.