Page not directing properly

[nvee]

Hey guys

 

Im busy with a control panel for a client. The script is divided in 2 parts, the first checks for session variables and directs users either to index.php if session is incorrect or to admin.php if logged in and the session vars is correct.

 

The second part is a login script which takes a default username and password, then sends a email to the user with a 2nd password which must first be submitted before you are gained access to the site. Although this piece of code appears to work, I am including it anyways for those who have comments/suggestions or maybe want to use it.

 

The problem I am experiencing is with the login if the sessions are accepted. It does not direct properly, it says that the page will never direct properly. It appears to run in a loop. I see what the problem is, but I cannot find a way to make the script work. The problem appears to be with the else part of the if($rows !=...). It says that it directs the user to admin if it succeeds that condition, but what if I am already on admin.php?

 

Anyways, its a infinite loop, but I need some suggestions, anyone wanna help, ill really appreciate it:

 

// The top logincheck part
<?php
include("includes/functions.php");
session_start();
if(!isset($_SESSION["id"]) && !isset($_SESSION["username"])) {
header("location:index.php");
} else {
$uname = $_SESSION["username"];
$uid = $_SESSION["id"];
connectdb();
$query = mysql_query("SELECT * FROM ovmuser WHERE ovmuser = '".$uname."'");
$rows = mysql_num_rows($query);
if($rows != 1 || $uid != session_id()) {
	session_unset();
	session_destroy();
	header("location:index.php");
} else {
	header("location:admin.php");
}
}

if($_POST["login"] == "Submit") {
$ovmuser = $_POST["ovmuser"];
$ovmpass = md5($_POST["ovmpass"]);
connectdb();
$query = mysql_query("SELECT * FROM ovmuser WHERE ovmuser = '".$ovmuser."' AND ovmpass = '".$ovmpass."'");
$rows = mysql_num_rows($query);
$msg = $rows;
if($rows == 1) {
while($results = mysql_fetch_array($query)) {
$ovmemail = $results["ovmemail"];	
}
$subject = "Marvin to the rescue";
$to = $ovmemail;
$randompass = substr(md5(rand(0,100000)),0,6);
$message = "
Hey. Your random password is: $randompass
";
$query = mysql_query("UPDATE ovmuser SET ovmrandompass = '".$randompass."' WHERE ovmuser = '".$ovmuser."'");
mail($to,$subject,$message);
$ovmrandom = "aktiveer";
}
}
if(isset($_POST["random"])) {
$ovmrandompass = $_POST["random"];
$ovmuser = $_POST["ovmuser"];
$ovmpass = $_POST["ovmpass"];
connectdb();
$query = mysql_query("SELECT * FROM ovmuser WHERE ovmuser = '".$ovmuser."' AND ovmpass = '".$ovmpass."' AND ovmrandompass = '".$ovmrandompass."'");
$rows2 = mysql_num_rows($query);
if($rows2 == 1) {
	$_SESSION["username"] = $ovmuser;
	$_SESSION["id"] = session_id();
	header("location:admin.php");
} else {
	header("location:index.php");
}
}
?>

[Dancodim]

I think something like this will help You out:

 

if($rows != 1 || $uid != session_id()) {
      session_unset();
      session_destroy();
      header("location:index.php");
   } else if (condition if he is already on logged as admin) {
   // do whatever You want
}
else {
      header("location:admin.php");

[MatthewJ]

Just as a tip too, I would change the headers to "Location: index.php" etc. (note the capital L and the space after the colon. I have seen different browser versions have a problem with this.