treilad

Not redirecting properly.

Index2.php is a script I wrote that checks for a cookie. If the cookie is present, it sends them to the page they wanted, but if not, it redirects them to the login page. Index.php is my webpage. When I log out, it logs out, but when I click 'back', I can still see index.php. That shouldn't happen (so I thought) because I put:
[quote]<?php
include ('index2.php');
?>[/quote]
at the top of index.php, so that it would run the script and redirect to login if they weren't logged in. It still lets me see index.php. I thought it was because I had to refresh for it to load, but it still didn't.

Perhaps an "if" would do it?

Also, I'm quite sure I'll have to code it to auto-refresh every time the page is visited, so that once the script is working it will run and keep people not logged in from seeing it, so in addition I need to know how to do that. Keep things in one topic.

Yeah, it should happen because you don't refresh your page in the script. I'm sure once you press back and refresh it will send them to wherever.

I would think it's because the file is cached?

That would make sense.  :-[

But if I coded it to refresh each time, it would be cached with that code so it wouldn't be a problem. Right?

it would help to see the code you use to "logout" the user.  it could be that your cookie was improperly removed or reset, so the server thinks you're still logged in when you've been told that you're logged out.  in fact, it would be helpful to see index.php, index2.php, and your logout function if they're not too long.

Can do. Will edit them into this post...

index.php
[code]<?php
include ('index2.php');
?>
<html>
<head>
<title>Untitled</title>
</head>
<body>
<center>
<table border="0" cellspacing="0" cellpadding="0" width="752">
<tr>
<td width="752" height="150" colspan="8" background="http://www.geocities.com/runelodge/header.jpg"></td>
</tr>
<tr>
<td width="94" height="15">
<a href="./index2.php"><img src="http://www.geocities.com/runelodge/button1.jpg" border="0"></a>
</td>
<td width="94" height="15">
<a href="./about.php"><img src="http://www.geocities.com/runelodge/button2.jpg" border="0"></a>
</td>
<td width="94" height="15">
<a href="./forum2.php"><img src="http://www.geocities.com/runelodge/button3.jpg" border="0"></a>
</td>
<td width="94" height="15">
<a href="./clans2.php"><img src="http://www.geocities.com/runelodge/button4.jpg" border="0"></a>
</td>
<td width="94" height="15">
<a href="./members2.php"><img src="http://www.geocities.com/runelodge/button5.jpg" border="0"></a>
</td>
<td width="94" height="15">
<a href="./links2.php"><img src="http://www.geocities.com/runelodge/button6.jpg" border="0"></a>
</td>
<td width="94" height="15">
<a href="./register.php"><img src="http://www.geocities.com/runelodge/button7.jpg" border="0"></a>
</td>
<td width="94" height="15">
<a href="./loginpage.php"><img src="http://www.geocities.com/runelodge/button8.jpg" border="0"></a>
</td>
</tr>
</table>
<table border="0" width="752" cellspacing="0" cellpadding="20">
<tr>
<td width="752" style="border: 1px solid grey;">
Testing, Testing, 1 - 2 - 3.
</td>
</tr>
</table>
</center>
</body>
</html>[/code]

Index2.php
[code]<?php

include ('db.php');

if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{

if ($pass != $info['password'])
{ header("Location: loginpage.php");
}

else
{
echo ('<meta http-equiv="refresh" content="1;url=./index.php">');

}
}
}
else

{
header("Location: loginpage.php");
}
?>[/code]

Logout.php
[code]<?php
$past = time() - 100;
// cookie names and values must be quoted strings
setcookie('ID_my_site', 'gone', $past);
setcookie('Key_my_site', 'gone', $past);
header("Location: login.php");
exit;
?>[/code]

Thar they be.

When you go back to the index after logging out, refresh the page and see if it kicks you off. Then, the worst that can happen is they see the main page after logging out--but if they click something it will load that page and kick them off anyways.

also i think you can set the cookie time if the user leaves a page, not sure though.

read the below please ok.

The fact is that the browser must close before the cookie deletes.

using time()-1 to delete (expire) a cookie only works if the client's clock is set exact. my testing showed some weird results with my clock set 1 second or so behind the server. 1 day or even just a few seconds ahead of the server's time and the cookie doesn't expire when it's supposed to.

my test:
[code]setcookie('k',$k+1,time()-1);
echo $k;[/code]

setting the expire time to 0 makes it a browser session cookie, lasting forever, until the browser is closed. but setting the expire time to 1 is the lowest timestamp possible and is most likely to expire the cookie without any problems.

my fix:
[code]setcookie('k',$k+1,1);
echo $k;[/code]

this is my theory. I'm not sure why no one else has thought of this problem or solution, and I'm still testing, but please email me your questions or comments.

[quote]When you go back to the index after logging out, refresh the page and see if it kicks you off. Then, the worst that can happen is they see the main page after logging out--but if they click something it will load that page and kick them off anyways.[/quote]

That's what I thought. I said in my first post that that didn't work.  :P

you could use this...
[code]// strpos() returns false when the string is not found, so compare with ===
if (isset($_COOKIE['user']) && strpos($_SERVER['PHP_SELF'], 'logout.php') === false) {
   echo 'You wanna log out?';
}
else {
   echo 'You wanna log in?';
}[/code]

Just an idea.

[quote]if (isset($_COOKIE['user']) && strpos($_SERVER['PHP_SELF'], 'logout.php') === false) {
    echo 'You wanna log out?';
}
else {
    echo 'You wanna log in?';
}[/quote]

[quote]my fix:
setcookie('k',$k+1,1);
echo $k;[/quote]

Both look promising. I'll try the simpler of the two first.

Mine's better, I got it out of a book. :D Well, I remembered reading it in a book, so you might have to fix my syntax.

Lol, just let us know if it worked.

alright, first things first:  ensure that your setcookie() in your logout function matches EXACTLY your login setcookie(), with the exception of the expiry time.  second, make sure that you give it ample time difference, as pixy mentioned.  can never be too sure when annihilating cookies.

third:  your index.php logic is flawed.  say a user with a cookie set goes to index.php, and their credentials check out.  they are then sent to index.php again, and lo and behold, index2.php is run again.  it checks their info again.  it checks out again.  they're sent to index.php again.  lo and behold, index2.php is run again... (and so on).  if this hasn't happened to you already, it's a marvel of technology.

i would suggest simply checking the cookie against the database.  if their credentials check out, don't do anything.  they're on the page they want to access, no need to send them to it again.  if the credentials DON'T check out (or the cookie isn't set), however, header() them to the login page.  use exit; after the header() to ensure they're booted.

[b]EDIT:  haha whoopsie, it was redarrow that mentioned the time difference.[/b]

^ I didn't know I mentioned time difference, but okie dokey.

I have a question: Couldn't someone go in and edit their cookie? The whole reason I switched coding to sessions was because I didn't want someone to go into their cookie, edit the file, and try to log in as someone else...?

they could hypothetically speaking, but it would be just like using the login form with random variables.  they still have to pass through the authentication part, which means it's a shot in the dark with whatever values they've given their cookie, much like it would be with a form.  if the cookie stores the password in hashed form, they have to go the extra step and hash whatever they think might be the password.  hackers don't have that kind of patience, they'd have some other, more efficient underhanded trick.

Yes, but you usually store the encrypted password in the cookie and check it against the database. <-- slow but meh :)

^ When I used only cookies I did md5() on their username and saw if it matched the md5($_COOKIE['user']), but someone could change that...

Do you have to do anything like that with sessions? I just store $_SESSION['user'] as their username, uncoded...but it doesn't show up on their computer so they can't change it...right?

And heckenschutze, why do you say that suppressing errors with @ is not lazy? O_O
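
On the session question above: with PHP sessions the browser only holds a random session ID, and the username lives in server-side session storage, so editing the cookie cannot change $_SESSION['user']. The code below is an added example, not code from the thread; the function names log_in, current_user, require_login and log_out are hypothetical, and loginpage.php is the login page named in the thread.

```php
<?php
// session_auth.php -- added example, not code from the thread.
session_start();

function log_in(string $username): void
{
    session_regenerate_id(true);     // fresh ID at login; the old one is discarded
    $_SESSION['user'] = $username;   // stored on the server, not in the browser
}

function current_user(): ?string
{
    return isset($_SESSION['user']) && is_string($_SESSION['user'])
        ? $_SESSION['user'] : null;
}

function require_login(): void
{
    if (current_user() === null) {
        header('Location: loginpage.php');
        exit;                        // stop before any protected output
    }
}

function log_out(): void
{
    $_SESSION = [];                  // forget the user on the server side

    // Expire the session cookie with the SAME name, path and domain it was
    // set with; a mismatch leaves the original cookie in the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Timestamp 1 is far in the past whatever the client clock says.
        setcookie(session_name(), '', 1, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();               // remove the server-side session data
}
```

Protected pages include this file and call require_login() before any output; the logout page calls log_out() and then redirects.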

I tried pixy's and I tried to try akitchin's. Only been using PHP for a week or so so I don't have all the syntax down. Can somebody point out my mistake(s) here?

[code]<?php

include ('db.php');

if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{

if ($pass != $info['password'])
{ header("Location: loginpage.php");
}

else
{
header("Location: index.php");
exit;
}
}
}
?>[/code]

Is there an "if" statement y'all can think of that would make sure that the page runs a script every time? I realize I'd have to fix the script so it didn't cause the looping problem that akitchin mentioned, but that shouldn't be hard.

What error are you getting? Or are you just wanting for us to look at it and see if it's right?

What I would do is check if the cookie IS NOT set, instead of if it is. That way you handle it first and die() the script...

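[code]if (!isset($_COOKIE['my_site_id'])) {
    // header() has to be sent before any output, so redirect first
    header("Location: loginpage.php");
    // then stop, so the rest of the protected page never runs
    die('Dude, log your butt into the system!');
}
else {
    // Do what you want
}[/code]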

[quote]What error are you getting? Or are you just wanting for us to look at it and see if it's right?[/quote]

Disregard it. I like your logic for checking if it's not there. Seems it would cause less trouble. Will try...

Anything to help, dear. Let me know if it works.

try something along these lines in index2.php.  keep in mind this is a semantic writeup only, you'll have to replace it with the actual code you're using:

[code]<?php

// check if the user's credentials check out
if (cookie is set)
{
  // grab the credentials (hint: when the query is only grabbing one row, you don't need a while() loop)
  if (credentials dont match)
  {
    // send them to the logout (since they have a cookie set but have wrong credentials, don't want them keeping the cookie)
  }
}
else
{
  // the cookie isn't set, so we can send them to the login right away with header()
}

?>[/code]

note that the script doesn't do anything if the credentials match, only if they do NOT match.  that's exactly what you want.  it will let the page that index2.php is being included on display if their credentials check out, but will boot them if they don't.  just include index2.php on all pages to be "protected" in this manner.
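
One way to write the check outlined above, as an added example that is not part of the original thread. It assumes a PDO connection in $pdo (hypothetical, standing in for db.php), a users table with username and password columns as in the posts, and the cookie names from the thread; it also sends Cache-Control: no-store so that going back after logout triggers a fresh request and the check runs again.

```php
<?php
// auth_guard.php -- added example; include at the top of every protected page.
// Assumes $pdo is a PDO connection created by your own db.php (hypothetical).

function credentials_ok(PDO $pdo, array $cookies): bool
{
    // Both cookies from the thread must be present and be plain strings.
    $user = $cookies['ID_my_site'] ?? null;
    $key  = $cookies['Key_my_site'] ?? null;
    if (!is_string($user) || !is_string($key)) {
        return false;
    }

    // Prepared statement: the cookie value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();   // one row expected, so no while() loop

    // fetchColumn() returns false when there is no such user.
    return is_string($stored) && hash_equals($stored, $key);
}

function redirect_and_stop(string $url): void
{
    header('Location: ' . $url);
    exit;   // without this the rest of the protected page still runs
}

// Ask the browser not to store the page, so "back" after logout re-requests it.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');

if (!isset($_COOKIE['ID_my_site'])) {
    redirect_and_stop('loginpage.php');   // no cookie: straight to login
}
if (!credentials_ok($pdo, $_COOKIE)) {
    redirect_and_stop('logout.php');      // stale or bad cookie: clear it first
}
// Credentials match: do nothing and let the including page render.
```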

I filled in the code the best I could, but there might be errors. It looks like it will run alright.

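[code]<?php

include ('db.php');

// check if the user's credentials check out
if (isset($_COOKIE['ID_my_site']))
{
  // grab the credentials (hint: when the query is only grabbing one row, you don't need a while() loop)
  // escape the cookie value before it goes into the query
  $username = mysql_real_escape_string($_COOKIE['ID_my_site']);
  $pass = isset($_COOKIE['Key_my_site']) ? $_COOKIE['Key_my_site'] : '';
  $check = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
  $info = mysql_fetch_array($check);

  // no such user, or the stored password doesn't match the cookie
  if (!$info || $pass != $info['password'])
  {
    header('Location: ./logout.php');
    exit;
  }
}
else
{
  // the cookie isn't set, so send them to the login right away
  header('Location: ./loginpage.php');
  exit;
}

?>[/code]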

Now that we've got past the looping issue you brought up, I'd like to know how to make that script run every time the page is refreshed. Force refresh possibly? I dunno. Y'all have been a big help tonight so thanks a ton. I've been working on this for over 15 hours straight, so I'm gonna get some shut-eye. I'll wake up in a few hours and check what you post so the board doesn't disappear on me. Thanks again and you probably haven't seen the last of me...

:D
