Jump to content

Not redirecting properly.


treilad

Recommended Posts

Index2.php is a script I wrote that checks for a cookie. If the cookie is present, it sends them to the page they wanted, but if not, it redirects them to the login page. Index.php is my webpage. When I logout, it logs out, but when I click 'back', I can still see index.php. That shouldn't happen (so I thought) because I put:
[quote]<?php
include ('index2.php');
?>[/quote]
at the top of index.php, so that it would run the script and redirect to login if they weren't logged in. It still let's me see index.php. I thought it was because I had to refresh for it to load, but it still didn't.

Perhaps an "if" would do it?

Also, I'm quite sure I'll have to code it to auto-refresh every time the page is visited, so that once the script is working it will run and keep people not logged in from seeing it, so in addition I need to know how to do that. Keep things in one topic.
Link to comment
Share on other sites

it would help to see the code you use to "logout" the user.  it could be that your cookie was improperly removed or reset, so the server thinks you're still logged in when you've been told that you're logged out.  in fact, it would be helpful to see index.php, index2.php, and your logout function if they're not too long.
Link to comment
Share on other sites

Can do. Will edit them into this post...

index.php
[code]<?psp
include ('index2.php');
?>

<html>

<head>

<title="Untitled">

</head>

<body>

<center>

<table border="0" cellspacing="0" cellpadding="0" width="752">

<tr>

<td width="752" height="150" colspan="8" background="http://www.geocities.com/runelodge/header.jpg"></td>

</tr>

<tr>

<td width="94" height="15">

<a href="./index2.php"><img src="http://www.geocities.com/runelodge/button1.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./about.php"><img src="http://www.geocities.com/runelodge/button2.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./forum2.php"><img src="http://www.geocities.com/runelodge/button3.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./clans2.php"><img src="http://www.geocities.com/runelodge/button4.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./members2.php"><img src="http://www.geocities.com/runelodge/button5.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./links2.php"><img src="http://www.geocities.com/runelodge/button6.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./register.php"><img src="http://www.geocities.com/runelodge/button7.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./loginpage.php"><img src="http://www.geocities.com/runelodge/button8.jpg" border="0"></a>

</td>

</tr>

</table>

<table border="0" width="752" cellspacing="0" cellpadding="20">

<tr>

<td width="752" style="border: 1px solid grey;">

Testing, Testing, 1 - 2 - 3.

</td>

</tr>

</table>

</center>

</body>

</html>[/code]

Index2.php
[code]<?php

include ('db.php');

if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{

if ($pass != $info['password'])
{ header("Location: loginpage.php");
}

else
{
echo ('<meta http-equiv="refresh" content="1;url=./index.php">');

}
}
}
else

{
header("Location: loginpage.php");
}
?>[/code]

Logout.php
[code]<?php
$past = time() - 100;
setcookie(ID_my_site, gone, $past);
setcookie(Key_my_site, gone, $past);
header("Location: login.php");
?>[/code]

Thar they be.

Link to comment
Share on other sites

When you go back to the index after logging out, refresh the page and see if it kicks you off. Then, the worst that can happen is they see the main page after logging out--but if they click something it will load that page and kick them off anyways.
Link to comment
Share on other sites

read the below please ok.

The fact is that the browser must close before the cookie deletes.

using time()-1 to delete (expire) a cookie only works if the client's clock is set exact. my testing showed some weird results with my clock set 1 second or so behind the server. 1 day or even just a few seconds ahead of the server's time and the cookie doesn't expire when it's suposed to.

my test:
setcookie('k',$k+1,time()-1);
echo $k;

setting the expire time to 0 makes it a browser session cookie, lasting forever, until the browser is closed. but setting the expire time to 1 is the lowest timestamp possible and is most likely to expire the cookie without any problems.

my fix:
setcookie('k',$k+1,1);
echo $k;

this is my theory. I'm not sure why no one else has thought of this problem or solution, and I'm still testing, but please email me your questions or comments.
Link to comment
Share on other sites

[quote]When you go back to the index after logging out, refresh the page and see if it kicks you off. Then, the worst that can happen is they see the main page after logging out--but if they click something it will load that page and kick them off anyways.[/quote]

That's what I thought. I said in my first post that that didn't work.  :P
Link to comment
Share on other sites

[quote]if ((isset($_COOKIE['user']) && (!strpos("$_SERVER['php_self']", "logout.php") {
    echo 'You wanna log out?';
}
else {
    echo 'You wanna log in?';
}[/quote]

[quote]my fix:
setcookie('k',$k+1,1);
echo $k;[/quote]

Both look promising. I'll try the simpler of the two first.
Link to comment
Share on other sites

alright, first things first:  ensure that your setcookie() in your logout function matches EXACTLY your login setcookie(), with the exception of the expiry time.  second, make sure that you give it ample time difference, as pixy mentioned.  can never be too sure when annihilating cookies.

third:  your index.php logic is flawed.  say a user with a cookie set goes to index.php, and their credentials check out.  they are then sent to index.php again, and lo and behold, index2.php is run again.  it checks their info again.  it checks out again.  they're sent to index.php again.  lo and behold, index2.php is run again... (and so on).  if this hasn't happened to you already, it's a marvel of technology.

i would suggest simply checking the cookie against the database.  if their credentials check out, don't do anything.  they're on the page they want to access, no need to send them to it again.  if the credentials DON'T check out (or the cookie isn't set), however, header() them to the login page.  use exit; after the header() to ensure they're booted.

[b]EDIT:  haha whoopsie, it was redarrow that mentioned the time difference.[/b]
Link to comment
Share on other sites

^ I didn't know I mentioned time difference, but okie dokey.

I have a question: Couldn't someone go in and edit their cookie? The whole reason I switched coding to sessions was because I didn't want someone to go into their cookie, edit the file, and try to log in as someone else...?
Link to comment
Share on other sites

they could hypothetically speaking, but it would be just like using the login form with random variables.  they still have to pass through the authentication part, which means it's a shot in the dark with whatever values they've given their cookie, much like it would be with a form.  if the cookie stores the password in hashed form, they have to go the extra step and hash whatever they think might be the password.  hackers don't have that kind of patience, they'd have some other, more efficient underhanded trick.
Link to comment
Share on other sites

^ When I used only cookies I did md5() on their username and saw if it matched the md5($_COOKIE['user']), but someone could change that...

Do you have to do anything like that with sessions? I just store $_SESSION['user'] as their username, uncoded...but it doesn't show up on their computer so they can't change it...right?

And heckenschutze, why do you say that suppressing errors with @ is not lazy? O_O
Link to comment
Share on other sites

I tried pixy's and I tried to try akitchin's. Only been using PHP for a week or so so I don't have all the syntax down. Can somebody point out my mistake(s) here?

[code]<?php

include ('db.php');

if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{

if ($pass != $info['password'])
{ header("Location: loginpage.php");
}

else
{
header("Location: index.php");
exit;
}
}
}
?>[/code]

Is there an "if" statement ya'll can think of that would make sure that the page runs a script everytime? I realize I'd have to fix the script so it didn't cause the looping problem that akitchin mentioned, but that shouldn't be hard.
Link to comment
Share on other sites

What error are you getting? Or are you just wanting for us to look at it and see if it's right?

What I would do is check if the cookie IS NOT set, instead of if it is. That way you handle it first and die() the script...

if (!isset($_COOKIE['my_site_id'])) {
    echo 'Dude, log your butt into the system!';
    header("location: loginpage.php");
}
else {
    // Do what you want
}
Link to comment
Share on other sites

try something along these lines in index2.php.  keep in mind this is a semantic writeup only, you'll have to replace it with the actual code you're using:

[code]<?php

// check if the user's credentials check out
if (cookie is set)
{
  // grab the credentials (hint: when the query is only grabbing one row, you don't need a while() loop)
  if (credentials dont match)
  {
    // send them to the logout (since they have a cookie set but have wrong credentials, don't want them keeping the cookie)
  }
}
else
{
  // the cookie isn't set, so we can send them to the login right away with header()
}

?>[/code]

note that the script doesn't do anything if the credentials match, only if they do NOT match.  that's exactly what you want.  it will let the page that index2.php is being included on display if their credentials check out, but will boot them if they don't.  just include index2.php on all pages to be "protected" in this manner.
Link to comment
Share on other sites

I filled in the code the best I could, but there might be errors. It looks like it will run alright.

[code]<?php

// check if the user's credentials check out
if(isset($_COOKIE['ID_my_site']))
// grab the credentials (hint: when the query is only grabbing one row, you don't need a while() loop)
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check )){

  if (!isset($_COOKIE['ID_my_site']))
  {
    header('./logout.php')
  }
}
else
{
  header('./loginpage.php')
}

?>[/code]

Now that we've got past the looping issue you brought up, I'd like to know how to make that script run everytime the page is refreshed. Force refresh possibly? I dunno. Ya'll have been a big help tonight so thanks a ton. I've been working on this for over 15 hours straight, so I'm gonna get some shut-eye. I'll wake up in a few hours and check what you post so the board doesn't disappear on me. Thanks again and you probably haven't seen the last of me...

:D
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.