
[SOLVED] PHP Sessions Basic.


AshleyByrom


Okay, well I am extremely new to PHP and I am trying to make a project as I learn. I learn easier that way by putting what I learn into practice.

 

I am making a very basic user-login system. The part I need help with is the session I set.

 

I have three pages, index.php, yourin.php, and logout.php

 

index.php has a form with three textfields (company, username, and password) and a hidden field (its value for now is 'admin') and a login button. When you click login this sends you to yourin.php with this code:

 

<form action="yourin.php" method="post">
<input name="level" type="hidden" id="level" value="admin" />
<input name="company" type="text" id="company" value="company" />
<input name="username" type="text" id="username" value="username" />
<input name="password" type="password" id="password" value="password" />
<input name="loginButton" type="submit" id="loginButton" value=" login" /></form>

 

yourin.php creates the session, and creates four session variables. (The session code is the first line of code) They are:

 

session_start();
$_SESSION["username"] = $_POST["username"];
$_SESSION["company"] = $_POST["company"];
$_SESSION["password"] = $_POST["password"];
$_SESSION["level"] = $_POST["level"];

 

Then finally, the logout page has a basic session destroy (again, first line of code):

<?php 
session_destroy();
?>

 

My problem is this. I have set an if statement on index.php to check if the session exists. If it does, you are redirected to yourin.php; if not, then nothing new happens and the basic index.php page loads. I have used the following code (again, first line):

<?php
if (isset($_SESSION["username"])) {
header( 'Location: yourin.php' ) ;
}

 

When I go to index.php and log in, I am taken to yourin.php and the variables etc. all work. But when I return to index.php I get the basic index page even though the session was created.

 

I think I have done everything right. Surely when you create a session it exists when you go onto a separate page from the same website?

 

Help me please!


Every page that sets or references a session variable must have a session_start(); statement.

 

Also, don't put the <input name="level" type="hidden" id="level" value="admin" /> as a hidden field in a form or you will find that anyone with a login can become an administrator by simply setting the value they want when the form is submitted. The only place you should determine if someone is an admin is on the server where the username is associated with the level.

 

You also need an exit; statement after the header() redirect to prevent the remainder of the code on the protected page from being executed. Without the exit; a hacker can still get whatever the page outputs and if the page happens to be a form, the submitted data will still be processed by the code on the page.
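The three points in the reply above, put together in one login handler. This is an added example, not code from the thread or from the login script mentioned in it; the file name `login-execute.php`, the sample users, the `post_string()` helper and the `error=1` query flag are assumptions, and it needs PHP 7 or later.

```php
<?php
// login-execute.php (hypothetical name): the only page that reads the login POST.
session_start();

// Constructed sample user store; a real site would query its database.
// The level is kept here, on the server, next to the username.
$users = [
    'acme' => [
        'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'level' => 'admin'],
        'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'level' => 'user'],
    ],
];

// Return a posted field as a string, or '' when it is missing or not a string.
function post_string(string $key): string
{
    return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
}

$company  = post_string('company');
$username = post_string('username');
$password = post_string('password');

$record = $users[$company][$username] ?? null;

if ($record === null || !password_verify($password, $record['hash'])) {
    header('Location: index.php?error=1'); // hypothetical error flag
    exit; // nothing below runs for a failed login
}

session_regenerate_id(true); // fresh session ID for the logged-in session
$_SESSION['username'] = $username;
$_SESSION['company']  = $company;
$_SESSION['level']    = $record['level']; // from the server-side record; $_POST['level'] is never read
// The password is not copied into the session.

header('Location: yourin.php');
exit; // stop so no further output or processing follows the redirect
```

With this handler in place the hidden `level` input can be deleted from the form, since a value the browser sends is never consulted.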


Wow, thank you! So quick!

 

Paradoxz, I have downloaded the login script, and I am looking at that. Thank you SO much!

 

And, PFMaBiSmAd, I have done what you said. Thank you for your help and your suggestions too. They have worked!

 

However I have a second problem now.

 

When yourin.php is loaded, the session variables are loaded using POST. That is assuming the login form has been filled out. But if I am redirected to yourin.php because I am already logged in, I have not filled the form out, so I get a bunch of PHP errors basically saying the session variables cannot be loaded because there is no POST information available. I understand that, but do you know of a way to work around this?


You can use an if fail ! for anything, even to redirect. Here is an example of one I use:

// This takes a variable from a URL (i.e. .php?v2=1); isset() avoids a notice when it is absent
$v2 = isset($_GET['v2']) ? $_GET['v2'] : '';
if (!$v2) {
	$v2 = '1';
}

So all that this says is if $v2 is blank then it makes $v2 = 1.

 

You can do this with a header to redirect as well.

 


Problem solved!

 

Thanks to paradoxz, the login script he recommended gave me the idea of, when I click login, going to a login-execute page, which loads the variables and then goes to yourin. This saves the problem of re-loading variables and searching for POST variables which don't exist!

 

Thank you so so much!
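The other half of the login-execute flow described above: yourin.php reads only from the session, and logout.php starts the session before destroying it. This is an added example, not code from the thread; the shared include `auth.php` and the function names `require_login()` and `logout()` are assumptions.

```php
<?php
// auth.php (hypothetical shared include) for index.php, yourin.php and logout.php.

// Start the session if needed and return the logged-in user's data.
// Visitors without a session are sent to the login form and the script stops.
function require_login(): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['username'], $_SESSION['company'], $_SESSION['level'])) {
        header('Location: index.php');
        exit; // without this the rest of the protected page would still run
    }
    return [
        'username' => $_SESSION['username'],
        'company'  => $_SESSION['company'],
        'level'    => $_SESSION['level'],
    ];
}

// End the login: session_destroy() only works on a session that has been started.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = []; // clear the data held in this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie in the browser as well.
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: index.php');
    exit;
}

// yourin.php then needs no $_POST at all:
//   require 'auth.php';
//   $user = require_login();
//   echo 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
```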
