Bopo Posted March 21, 2009

Hi, I'm not too sure why this isn't working. I am using sessions for logging into an admin section of a website; below is the coding of the login script:

```php
<?php
session_start();

if(isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    include("../createadmin/adminconnect.php");

    $sql = "SELECT username, password FROM adminlogin WHERE username = '$username' AND password = '$password'";
    $result = mysql_query($sql, $connection);

    if(mysql_num_rows($result)) {
        $_SESSION['loggedin'] = 1;
        header('Location: http://www.website.com/scripts/admin/admin.php');
        exit();
    } else {
        header('Location: http://www.website.com/scripts/admin/login.php?error1');
        exit();
    }
    // if(!$result){die(mysql_error());}
}
?>
```

Now behind the admin page, I have the following code to validate whether the user is logged in, and if they are not, redirect them.

```php
<?php
session_start();

if(!isset($_SESSION['loggedin'])) {
    header('Location: http://www.website.com/');
    exit();
}
?>
```

The problem is, even when I do log in I get redirected, and I can't figure out why. Help appreciated.

jackpf Posted March 21, 2009

Ahh well... first of all, I notice that you're checking if the form has been submitted by using `if(isset($_POST['submit']))`, which I assume is the submit button. The only problem with this is that if you don't actually click the submit button, i.e. you just press enter, it is ignored.

So yeah, are you sure the form is actually being submitted? And also, maybe try simply echoing the contents of your sessions, to see if they are actually set or not...?

bluejay002 Posted March 21, 2009

Also... you may also want to alternatively check if the username and password fields have been set and are not empty. If okay, then you can do the session handling thing. Also, you might want to do some trimming and escaping to be safer from injection. <-- though out of topic. ^^

Malevolence Posted March 21, 2009

```php
if(mysql_num_rows($result)) {
```

invalid if statement. You'll need to put something like:

```php
if(mysql_num_rows($result) == 1) {
```

or

```php
if(mysql_num_rows($result) === 1) {
```

And as for the query, it's good practice to use the backticks for table names, e.g. `colours` or whatever. You'll also want to use LIMIT 1 at the end of the query, also good practice seeing as you only want one row.

In your form (like jackpf said) name the form itself and then use that to check if the form was submitted (includes enter & submit button).

Finally, like bluejay said, you'll want to trim and escape that query & variables for safety purposes.
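
The trimming and escaping suggested in the replies above, as an added example that is not part of any post: it places the thread's concatenated query beside a parameterized one. It assumes PDO with an in-memory SQLite database and `password_hash()` in place of the thread's `mysql_*` calls (which were removed in PHP 7); the function names, the stored row and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names follow
// the posted query; the SQLite database, its row and all inputs are constructed.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE adminlogin (username TEXT PRIMARY KEY, password TEXT)');
    // Store a password hash, never the plain-text password.
    $ins = $db->prepare('INSERT INTO adminlogin (username, password) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Thread-style query: user input is pasted into the SQL text, so a quote
// character in the input changes the structure of the statement.
function lookup_concatenated(PDO $db, string $username): int {
    $sql = "SELECT username FROM adminlogin WHERE username = '$username'";
    return count($db->query($sql)->fetchAll());
}

// Hardened form: the statement text is fixed and the input is bound as data.
function check_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM adminlogin WHERE username = ? LIMIT 1');
    $stmt->execute([trim($username)]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched.
    return $hash !== false && password_verify($password, $hash);
}

$db  = make_db();
$odd = "x' OR 'a'='a";   // constructed input containing quote characters

// Concatenated query: number of rows matched for a username that does not exist.
var_dump(lookup_concatenated($db, $odd));
// Parameterized query: the same input is compared as a literal username.
var_dump(check_login($db, $odd, 'anything'));
// Known user with a wrong and then the right password.
var_dump(check_login($db, 'admin', 'wrong'));
var_dump(check_login($db, 'admin', 'correct horse'));

// In a real login script, after check_login() succeeds:
//   session_regenerate_id(true);
//   $_SESSION['loggedin'] = 1;
```

Running it with the PHP CLI shows the concatenated lookup matching a row for a username that is not in the table, while the bound version only succeeds for the stored user with the correct password.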

Bopo Posted March 21, 2009 (Author)

Hi

Thanks for the advice everyone, I have put a few of those suggestions into practice, however it is still not working. I decided to echo the session 'loggedin' on the admin page, and nothing is returned, therefore it looks like there's a problem with them, but I haven't been able to figure it out yet.

MasterACE14 Posted March 21, 2009

What's your latest code?

Bopo Posted March 21, 2009 (Author)

```php
<?php
session_start();

if(isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    include("../createadmin/adminconnect.php");

    $sql = "SELECT username, password FROM adminlogin WHERE username = '$username' AND password = '$password'";
    $result = mysql_query($sql, $connection);

    if(mysql_num_rows($result) == 1) {
        $_SESSION['loggedin'] = 1;
        header('Location: http://www.website.com/scripts/admin/admin.php');
        exit();
    } else {
        header('Location: http://www.website.com/scripts/admin/login.php?error1');
        exit();
    }
    // if(!$result){die(mysql_error());}
}
?>
```

And

```php
<?php
session_start();
// echo "$_SESSION['loggedin']";

if(!isset($_SESSION['loggedin'])) {
    header('Location: http://www.website.com/');
    exit();
} else {
    exit();
}
?>
```

redarrow Posted March 21, 2009

`$_SESSION['loggedin'] = 1;` to `$_SESSION['loggedin']=1;`

also move `<?php session_start(); ?>` to `<?php session_start(); ?>`

redarrow Posted March 21, 2009

Try this please. Copy and paste as is.

```php
<?php
session_start();

if(isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    include("../createadmin/adminconnect.php");

    $sql = "SELECT username, password FROM adminlogin WHERE username = '$username' AND password = '$password'";
    $result = mysql_query($sql, $connection) or die(mysql_error());

    if(mysql_num_rows($result)==1) {
        $_SESSION['loggedin']=1;
        header('Location: http://www.website.com/scripts/admin/admin.php');
        exit();
    } else {
        header('Location: http://www.website.com/scripts/admin/login.php?error1');
        exit();
    }
}
?>
```

```php
<?php
session_start();

if(!isset($_SESSION['loggedin'])) {
    header('Location: http://www.website.com/');
    exit();
}else{
    exit();
}
?>
```

Maq Posted March 21, 2009

> `$_SESSION['loggedin'] = 1;` to `$_SESSION['loggedin']=1;`
>
> also move `<?php session_start(); ?>` to `<?php session_start(); ?>`

Just curious, but what exactly is the difference between those two changes?

redarrow Posted March 21, 2009

White spaces. There's no difference to the session, but it could be a white space problem here. Anything is worth a shot, I guess.

Maq Posted March 21, 2009

I don't think that would matter. I've only heard of white space issues correlated with HEADER errors.

redarrow Posted March 21, 2009

Globals are turned off on the Linux machine (the register_globals php.ini directive).

DeanWhitehouse Posted March 21, 2009

@redarrow, whitespace problems occur with HTML whitespace, not PHP whitespace.

Also

> Ahh well... first of all, I notice that you're checking if the form has been submitted by using `if(isset($_POST['submit']))`, which I assume is the submit button. The only problem with this is that if you don't actually click the submit button, i.e. you just press enter, it is ignored.
>
> So yeah, are you sure the form is actually being submitted? And also, maybe try simply echoing the contents of your sessions, to see if they are actually set or not...?

Are you serious?? Try it, using `if(isset($_POST['submit_button']))` works if you press the button or if you press the enter key.

jackpf Posted March 21, 2009

Well, it doesn't, because I tested it out the other day on my site. Then I realised that if the submit button isn't actually pressed, it doesn't think the form has been submitted. It might just be IE, idk, I haven't tested it in anything else, I just changed it back because it didn't work.

Bopo Posted March 21, 2009 (Author)

Thanks for all the suggestions. I tried redarrow's code, and the exact same thing happens. The web server I'm using is paid for, and has everything but IIS installed; the PHP version it's using is 5.2.8. Totally clueless on what to try next.

redarrow Posted March 21, 2009

Try this, tell me what happens. You don't need to post anything, just go to the page it's on, OK.

```php
<?php
session_start();

$_SESSION['redarrow']="hi there mate!";

if(isset($_SESSION['redarrow'])){
    echo $_SESSION['redarrow'];
    exit;
}

if(isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    include("../createadmin/adminconnect.php");

    $sql = "SELECT username, password FROM adminlogin WHERE username = '$username' AND password = '$password'";
    $result = mysql_query($sql, $connection) or die(mysql_error());

    if(mysql_num_rows($result)==1) {
        $_SESSION['loggedin']=1;
        header('Location: http://www.website.com/scripts/admin/admin.php');
        exit();
    } else {
        header('Location: http://www.website.com/scripts/admin/login.php?error1');
        exit();
    }
}
?>
```

Bopo Posted March 21, 2009 (Author)

Well, I get "hi there mate!"

Bopo Posted March 21, 2009 (Author)

Okay, I have been testing this for a while. If I do

```php
<?php
$_SESSION['loggedin']=1;
echo $_SESSION['loggedin'];
exit();
?>
```

on either of the pages, it works, 1 is returned. However, as soon as I want to transfer the variable value across pages, e.g.

Login page:

```php
$_SESSION['loggedin']=1;
```

Admin page:

```php
echo $_SESSION['loggedin'];
```

it just returns blank ???

Bopo Posted March 21, 2009 (Author)

Anyone?

jackpf Posted March 21, 2009

You don't have session_start() in that code you just posted... Could it be a problem..?

Bopo Posted March 21, 2009 (Author)

Hi

Nah, I just left it out.

Bopo Posted March 21, 2009 (Author)

Is there anything else I can use to accomplish the same goal?

jackpf Posted March 21, 2009

Cookies?