Chezshire Posted July 25, 2008

Hi, I'm continuing to try to teach myself how PHP works and having fun, and the occasional confounding problem too! Today's problem is that I want to make my site's content secure and have initiated this by requiring people to sign in (with 3 different levels of access: User, Mod, Super). Each user can only see what is equal to or less than their level of access after logging in. This is working well. The PHP I am using to keep people out who are not logged in is also working well. The problem is that people who are logged in can't view the content. Can someone help me please? This is the code I'm trying.

```php
<?php
session_start();
if (!isset($_SESSION['loggedin'])) {
    die("YOU AREN'T LOGGED-IN");
}
?>
```

This is the URL of the page I'm trying it on: http://www.xpg.us/rules/combat.php
DarkWater Posted July 25, 2008

Please show us the code where you actually log people in and set the session variables in question.
Chezshire Posted July 25, 2008 (Author)

.... Duh... Thank you for the suggestion Darkwater, I should have included that. I'm mostly a complete newb who's just trying and playing, if you see problems in my code, or if it makes you cringe I apologize. I've honestly got little idea of what I'm doing still. I code via trial and lots and lots of error. Thank you!

```php
<?php
include ("functions.php");

setcookie ("XPGlogin", "", time());
setcookie ("XPGlogin", "", time(), "/","www.xpg.us");
setcookie ("XPGlogin", "", time(), "/",".xpg.us");

$passwordError="";
$usernameError="";
$USERNAME = "";

// if they've submitted the form, then continue
if (isset($_POST["USERNAME"])) {
    $jumpto = $_POST["JUMPTO"];
    $USERNAME = $_POST["USERNAME"];
    $PASSWORD = $_POST["PASSWORD"];
    $myLogin = readDatabase("select username,id,password,lastlogin from login WHERE username=\"$USERNAME\" and approved='true'");
    if ($myLogin["username"]) {
        $LOGIN = $myLogin["id"];
        $LASTLOGIN = $myLogin["lastlogin"];
        // if there's a match, check the password
        if ($PASSWORD == $myLogin["password"]) {
            // if they entered the right password, let 'em save their info
            $rightNow = date("YmdHis");
            $duration = 31536000; // one year
            $encrypted = $myLogin["id"] . "|$rightNow";
            setcookie ("XPGlogin", $encrypted, time() + $duration, "/",".xpg.us"); // saves both login and last login time as temp password
            $result=mysql_query("UPDATE login SET lastlogin=\"$rightNow\",lastmodified=lastmodified, dateadded=dateadded where id=\"$LOGIN\"",$db);
            $jumpto=preg_replace("/\^/","&",$jumpto);
            $jumpto=preg_replace("/\{/","?",$jumpto);
            header ("Location: $jumpto");
            die;
        } else { //oops! wrong password or error
            $passwordError="yup";
        } // end if PASSWORD
    } else {
        $usernameError="yup";
    } // end if USERNAME
    echo "<!-- SQL: select username,id,password,lastlogin from login WHERE username=\"$USERNAME\" and approved='true' -->\n";
} // end if LOGINUSER

// --------------------------------------------------------------------------------------------------------------
include ("header.php");
if (isset($_REQUEST["jumpto"])) {
    $jumpto = $_REQUEST["jumpto"];
} else {
    $jumpto="/index.php";
}
?>
<center> <h1><font color="#A5B9D5">Log In</font></h1> </center>
<hr color="#050F1D" size="5">
<p><?php
if ($passwordError) {
    echo "<font color=\"red\">The password you entered was incorrect.</font> Please make sure you've entered your username correctly, and reenter your password. <a href=\"/forgotpassword.php?id=" . $myLogin["id"] . "\"><b>Forgot your password?</b></a>\n";
} else if ($usernameError) {
    echo "<font color=\"red\">The username you entered was not found.</font> Please make sure you've entered your username correctly. <a href=\"/adduser.php\"><b>New users click here!</b></a>\n";
} else {
    echo "This area of this website is for administrative personnel only. Enter your username and password below and click \"Login\". If you've forgotten your password, enter your username and leave the password blank and click \"Login\" and you'll get a link to have your password emailed to you. <b>The login process requires the use of a tiny identifier file, commonly referred to as a \"cookie\". Make sure that your browser is set to accept cookies before proceeding.</b> <a href=\"/adduser.php\"><b>New users, please click here.</b></a>";
} // end if password error
?></p>
<hr color="#050F1D" size="5">
<p><table border="0" cellpadding="6" cellspacing="0" width="95%">
<form name="formName" method="post" action="/login.php">
<tr>
  <td width="40%" align="right"> <p >Username</td>
  <td><input type="text" name="USERNAME" size="30" value="<?php echo $USERNAME; ?>"></td>
</tr>
<tr>
  <td width="40%" align="right"> <p >Password</td>
  <td><input type="password" name="PASSWORD" size="30"></td>
</tr>
<tr>
  <td colspan="2"> <hr color="#050F1D" size="5"> </td>
</tr>
<tr>
  <td colspan="2" align="center"><input type="hidden" value="<?php echo $jumpto; ?>" name="JUMPTO"><input type="submit" value="Login" name="Login"></td>
</tr>
</table> </p>
</form>
<?php include ("footer.php"); ?>
```
DarkWater Posted July 25, 2008

I see no mention of session variables in your code. =P You're using cookies. Change to sessions.
Chezshire Posted July 26, 2008 (Author)

Thank you for the suggestion Darkwater -- But I'm concerned that this might be a little beyond my understanding. Would I add the following to my login page, and if so, is that all I would need to do? Do I need to add a field called 'Session' and/or 'views' to my login database? I found the following code below which, if I'm understanding what you're saying, is what I need to do.

```php
<?php
session_start(); // Starts session yeah big fun!
if (isset($_SESSION['views']))
    $_SESSION['views'] = $_SESSION['views'] + 1;
else
    $_SESSION['views'] = 1;
echo "views = " . $_SESSION['views'];
?>
```
DarkWater Posted July 26, 2008

I'm not quite sure we're on the same page here. Look.

Someone logs in --> Cookies get set with id and the current time --> You then check for a logged in session on the content pages

Your logic is flawed. Instead of setting cookies, you should store all the user information in the session. There's a tutorial on the main PHPFreaks' Site about Sessions and Cookies. I believe it is called "Sessions and cookies: Adding state to a stateless protocol". You'll find it.
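
The change DarkWater describes, as an added example that is not code from the thread: the login step writes the user's state into `$_SESSION`, so the `loggedin` check on the content pages has something to find, and that state lives on the server instead of in a cookie value the browser supplies. The function names `log_in` and `may_view`, the `user_id` and `level` session keys and the in-memory `$users` array (standing in for the `login` table, with hashed passwords) are assumptions for illustration.

```php
<?php
// Added example: session-based login and a per-page access check.
// Access levels from the thread, ranked so "equal or lower" is a comparison.
const LEVELS = ['User' => 1, 'Mod' => 2, 'Super' => 3];

// Constructed sample data standing in for the "login" table.
// Passwords are stored as hashes, never as plaintext.
$users = [
    'alice' => ['id' => 1, 'level' => 'Mod',
                'hash' => password_hash('constructed-pw', PASSWORD_DEFAULT)],
];

// Hypothetical helper for login.php: verify, then record state in the session.
function log_in(array $users, string $username, string $password): bool
{
    $row = $users[$username] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false;
    }
    session_regenerate_id(true);    // fresh session id once authenticated
    $_SESSION['loggedin'] = true;   // the key the content pages test
    $_SESSION['user_id']  = $row['id'];
    $_SESSION['level']    = $row['level'];
    return true;
}

// Hypothetical helper for the top of each protected page.
function may_view(string $required): bool
{
    if (empty($_SESSION['loggedin'])) {
        return false;               // not logged in
    }
    $have = LEVELS[$_SESSION['level'] ?? ''] ?? 0;
    $need = LEVELS[$required] ?? PHP_INT_MAX;   // unknown level: deny
    return $have >= $need;
}

session_start();                    // must run before any output
$results = [
    'before login'     => may_view('User'),
    'wrong password'   => log_in($users, 'alice', 'wrong'),
    'correct password' => log_in($users, 'alice', 'constructed-pw'),
    'Mod views User'   => may_view('User'),
    'Mod views Mod'    => may_view('Mod'),
    'Mod views Super'  => may_view('Super'),
];
var_dump($results);
```

On a real page, `session_start()` and the `may_view()` check go at the very top, before any HTML is sent, with `die()` or a redirect when the check returns false.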
Archived
This topic is now archived and is closed to further replies.