jackel15 Posted August 18, 2009 Share Posted August 18, 2009 I have a user login system built to access the admin area of my site. Once you've logged in and then log out, you can just type the address of the admin page directly into the url and get there, just as if you're still logged in. It appears you never really log out. I get these errors when linking directly to a protected page. Notice: Undefined index: access in /hermes/bosweb/web293/b2934/ipw.cocoafirstassembly/public_html/_admin/index.php on line 10 Warning: Cannot modify header information - headers already sent by (output started at /hermes/bosweb/web293/b2934/ipw.cocoafirstassembly/public_html/_admin/index.php:10) in /hermes/bosweb/web293/b2934/ipw.cocoafirstassembly/public_html/_admin/index.php on line 11 Line 10 and 11: if($_SESSION['access'] != TRUE) { header('Location: login.php'); } I have an _admin/index.php which you need to be logged into see. _admin/Login.php <?php error_reporting(E_ALL); ini_set("display_errors", 1); include('../_assets/path.php'); session_save_path($path); if(empty($_POST)) { $status = 'Please Enter Username and Password to Add, Edit and Remove Sermons.'; } else { $user = $_POST['user']; $pass = $_POST['pass']; $error_list = array(); if(empty($user)) { $error_list[] = 'Please Enter Your Username'; } if(empty($pass)) { $error_list[] = 'Please Enter Your Password'; } if(empty($error_list)) { include('../_assets/info.php'); mysql_connect("$host", "$username", "$password")or die("Could Not Connect to Server. Check Login Info."); mysql_select_db("$db_name")or die('Could Not Connect to Database. Please email the webmaster at christensonmedia@gmail.com and try again later.'); $sql = "SELECT id"; $sql .= " FROM users"; $sql .= " WHERE user='$user'"; $sql .= " AND pass='$pass'"; $result = mysql_query($sql); if(mysql_num_rows($result) == 1) { session_start(); $_SESSION['access'] = TRUE; header('Location: index.php'); } else { $status = 'The Username and Password you entered was invalid. Please Try again.'; } } else { foreach($error_list as $error_message) { $status = "$error_message<br />"; } } } ?> _admin/Logout.php <?php include('../_assets/path.php'); session_save_path($path); session_start(); $_SESSION['access'] = FALSE; session_destroy(); header('Location: ../index.php'); ?> And the code that check for users status on _admin/index.php <?php error_reporting(E_ALL); ini_set("display_errors", 1); include('../_assets/path.php'); session_save_path($path); session_start(); if($_SESSION['access'] != TRUE) { header('Location: login.php'); } include('../_assets/info.php'); mysql_connect("$host", "$username", "$password")or die("Could Not Connect to Server. Check Login Info."); mysql_select_db("$db_name")or die('Could Not Connect to Database. Please email the webmaster at christensonmedia@gmail.com and try again later.'); ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> Quote Link to comment Share on other sites More sharing options...
Garethp Posted August 18, 2009 Share Posted August 18, 2009 if(!isset($_SESSION['access'])) { header('Location: login.php'); } if($_SESSION['access'] != TRUE) { header('Location: login.php'); } Quote Link to comment Share on other sites More sharing options...
Adam Posted August 18, 2009 Share Posted August 18, 2009 As Garethp's pointed out, the problem is you're not checking that the session variable is set before testing against it's value. The fact that you're getting this notice though would suggest you are actually being logged out. Correcting this will solve the next problem as well, which is generally caused by trying to set a header after there has been content written to the page (in your case the notice). Quote Link to comment Share on other sites More sharing options...
jackel15 Posted August 18, 2009 Author Share Posted August 18, 2009 Got it! Awesome. I put it on the pages that are protected and now there's no way around logging in. Thanks Guys. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted August 18, 2009 Share Posted August 18, 2009 now there's no way around logging in. Nope. You also need to put an exit; statement after your header() redirect to prevent the rest of the code on your "protected" page(s) from being executed. By correcting the code to eliminate the Notice: message, that just allowed the header redirect to work but the rest of the code is still executing on that page. All a hacker needs to do is ignore the redirect and he can still access your "protected" pages. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.