Hi, I'm having a little trouble with some code I wrote. I've used the code many times before with success, but I'm now doing a group project and I've had to add my PHP code into my friend's HTML and CSS page.

 

The code is a basic login form using sessions. This all works fine: I can log in, the code acknowledges that I am an admin and it displays my username and anything else in the session, but when I refresh the page I am automatically sent back to the login page via my header, which is the following code:

 

<?php 
	session_start();
	if(!isset($_SESSION['username']) || !isset($_SESSION['sid']) ||!isset($_SESSION['ip']) || $_SESSION['adminid'] != 1) {
	header("Location: index.php");
	}
	include("phpfunctions.php");
	db_connect();
?>

 

I have no idea why my session variables aren't holding after refreshing, so any help would be great. I can also post the rest of the code if need be. Sorry if it's something simple, but I'm really stuck. Thanks


Is the login page setting the session vars?

 

Yes, I have the form on index.html which, when submitted, sends to processlogin.php. This page sets the vars and decides whether the user is an admin or not, then redirects to the relevant page (adminpage.php or memberpage.php).

 

Thanks for the reply

I have this code in to test that the vars are set:

<?php 
echo "Welcome " . $_SESSION['username'] . ", you are now logged in as an admin.";
echo "<br />User" . $_SESSION['username'] ."<br />";
echo "Ip:" . $_SESSION['ip'] . "<br />";
echo "SID:" . $_SESSION['sid'] . "<br />";
echo "AdminID:" . $_SESSION['adminid'] . "";
?>

They are all producing an outcome, until I refresh the page, when it just gets sent back via the header to index.php (changed from HTML to PHP and added the same code to check whether the vars were set, which they weren't).

 

Thanks

The symptom would tend to indicate that code on the page is altering or un-setting one or more of the session values being tested and/or destroying the session. It would take seeing the actual code to be able to directly help.

 

You also need an exit/die statement after your header() redirect to prevent the remainder of the 'protected' code on the page from being executed. All a hacker needs to do is ignore the header redirect and he can access anything on that page.

 

Edit: Also, if register_globals are on (what does a phpinfo() statement show?) your session variables could be magically overwritten when you set same name program variables in the code on the page.


Thanks for the info about adding the exit; I didn't know that, and even though the site isn't going to be live it's very useful! I'll post the code now and have a mess around to see if I can sort it out with the info you've given me.

 

I have a form which posts to the following when submitted.

 

processlogin.php

<?php
// start session
session_start();

// include my functions
include("phpfunctions.php");

// connect to database (needed before mysql_real_escape_string() below)
db_connect();

// Same checking stuff all over again.
if(isset($_POST['submit'])) {
	if(empty($_POST['username']) || empty($_POST['password'])) {
		header("Location: login.php");
		exit;
	}
	// Create the variables again.
	// Escape the username before it goes into the query so that quotes in
	// the submitted value cannot change the SQL.
	$username = mysql_real_escape_string($_POST['username']);
	$password = $_POST['password'];
	// Hash the password with md5 so it matches the value stored in the database.
	$password = md5($password);

	// Store the SQL query inside a variable.
	// ONLY the username you have filled in is retrieved from the database.
	$query = "SELECT username, password, adminid
	          FROM `users`
	          WHERE username = '$username'";
	$result = mysql_query($query);

	if(!$result) {
		// Gives an error if the query itself failed.
		echo "The query failed " . mysql_error();
	} else {
		// Now create an object from the data you've retrieved.
		// mysql_fetch_object() returns false when the username does not exist,
		// so check that before touching $row->password.
		$row = mysql_fetch_object($result);
		// You can call data by using -> after $row.
		// For example now the password is checked if they're equal.
		if(!$row || $row->password != $password) {
			header("Location: login.php");
			exit;
		}

		// By storing data inside the $_SESSION superglobal,
		// you stay logged in until you close your browser.
		$_SESSION['username'] = $row->username;
		$_SESSION['sid'] = session_id();
		// Make it more secure by storing the user's IP address.
		$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
		// Makes adminid into a session variable.
		$_SESSION['adminid'] = $row->adminid;

		if($row->adminid == 0) {
			// Now redirect to members.
			// $_SESSION['username'] should print out your username.
			header("Location: memberpage.php");
			// Stop here so nothing after the redirect is executed or sent.
			exit;
		}

		if($row->adminid == 1) {
			// Now redirect to admin.
			header("Location: adminpage.php");
			exit;
		}
	}
}
?>

Which at the moment redirects me to the following:

 

adminpage.php

<?php 
ini_set('display_errors',1);
error_reporting(E_ALL|E_STRICT);
	session_start();
	if(!isset($_SESSION['username']) || !isset($_SESSION['sid']) ||!isset($_SESSION['ip']) || $_SESSION['adminid'] != 1) {
	header("Location: index.php");
	exit;
	}
	include("phpfunctions.php");
	db_connect();
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>World Cup 2010 South Africa - Admin</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="style.css" type="text/css" />
</head>

<body>

<div id="container">

<!-- Start of Page Header -->

<div id="page_header">

	<h1><span>The WorldCup 2010</span></h1>
	<h3><span>South Africa</span></h3>

</div>

<!-- End of Page Header -->


<!-- Start of Page Menu -->

<div id="page_menu">

	<ul>
	<li id="Teams"><a href="LINK HERE" title="Teams"><b><span>Teams</span></b></a></li>
	<li id="Fixtures"><a href="LINK HERE" title="Fixtures"><b><span>Fixtures</span></b></a></li>
	<li id="Stats"><a href="LINK HERE" title="Stats"><b><span>Stats</span></b></a></li>
	<li id="Videos"><a href="LINK HERE" title="Videos / Pics"><b><span>Videos / Pics</span></b></a></li>
	<li id="Tickets"><a href="LINK HERE" title="Tickets"><b><span>Tickets</span></b></a></li>
	<li id="Merchandise"><a href="LINK HERE" title="Merchandise"><b><span>Merchandise</span></b></a></li>
	<li id="contactus"><a href="LINK HERE" title="Contact Us"><b><span>Contact Us</span></b></a></li>
	</ul>

</div>

<!-- End of Page Menu -->


<!-- Start of Page Search -->

<div id="page_login">

<?php
if(isset($_SESSION['username']) && isset($_SESSION['sid']) && isset($_SESSION['ip'])) {
echo "You are logged in as <b>" . $_SESSION['username'] ."</b><br />";
echo "Today is " . date("D j \o\\f F Y", time()) . "<br />";
echo "The time is " . date("G:i", time());

} else
{
echo "you need to login";

}
?>
<br />
<br />
<a href="<?php session_destroy()?>">Logout</a>

</div>

<!-- End of Page Search -->


<!-- Start of Page Content -->

<div id="page_content">

<div id="welcome_text">
<div class="content_box">

<h2><span>Welcome</span></h2>

<p>
<?php 
echo "Welcome " . $_SESSION['username'] . ", you are now logged in as an admin.";
echo "<br />User" . $_SESSION['username'] ."<br />";
echo "Ip:" . $_SESSION['ip'] . "<br />";
echo "SID:" . $_SESSION['sid'] . "<br />";
echo "AdminID:" . $_SESSION['adminid'] . "";
?>
<br/><br/>
More text would go here 
<br/><br/>
Even more text would go here </p>

</div>
</div>


	<!-- Start of Services Column -->

	<div id="services_column">


		<!-- Start of Service Listing 1 -->

		<div id="services1">
		<div class="services_textbox">

<h2><span>Services 1</span></h2>

<p>Small bits of information about and area on the site.</p>


<div class="link-more">
<a href="LINK HERE">more</a>
</div>

			<div class="clearthis"> </div>
		</div>
		</div>

		<!-- End of Service Listing 1 -->


		<!-- Start of Service Listing 2 -->

		<div id="services2">
		<div class="services_textbox">

<h2><span>Services 2</span></h2>

<p>Small bits of information about and area on the site.</p>

<div class="link-more">
<a href="LINK HERE">more</a>
</div>

			<div class="clearthis"> </div>
		</div>
		</div>

		<!-- End of Service Listing 2 -->


		<!-- Start of Service Listing 3 -->

		<div id="services3">
		<div class="services_textbox">

<h2><span>Services 3</span></h2>

<p>
Small bits of information about and area on the site.
</p>

<div class="link-more">
<a href="LINK HERE">more</a>
</div>

			<div class="clearthis"> </div>
		</div>
		</div>

		<!-- End of Service Listing 3 -->

	</div>

	<!-- End of Services Column -->


	<!-- Start of Order Cards -->

	<div id="order_cards">

		<div id="order_accept">
		<h3><span>We Accept:</span></h3>
		<img src="images/order_creditcards.gif" width="278" height="28" alt="Paypal, Visa, Mastercard, Amex Discover, eCheck" />
		</div>

		<h2><span>Three Ways to Order Cards</span></h2>

		<ul>
		<li id="online"><a href="LINK HERE"><span> </span><b class="block">Online</b></a></li>
		<li id="phone"><a href="LINK HERE"><span> </span><b class="block">Phone</b></a></li>
		<li id="mail"><a href="LINK HERE"><span> </span><b class="block">Mail</b></a></li>
		</ul>

		<div class="clearthis"> </div>

		<div id="order_text">


<p>
Visit <a style="color:#ff0000;" href="LINK HERE">our merchandise</a> for more items available. 
</p>

		</div>

	</div>

	<!-- End of Order Cards -->


	<!-- Start of Mailing List -->

	<div id="mailing_list">

		<h2>Join the WorldCUp 2010 Tickets Mailing List</h2>

		<form action="LINK HERE/">
		<div>
			<input type="text" />
			<input type="image" src="images/mailinglist_button.gif" alt="Go" class="button" />
		</div>
		</form>

	</div>

	<!-- End of Mailing List -->


	<div class="clearthis"> </div>
</div>

<!-- End of Page Content -->


<!-- Start of Footer Links -->

<div id="footer_links">

	<ul>
	<li><a href="LINK HERE">Home</a></li>
	<li><a href="LINK HERE">About Us</a></li>
	<li><a href="LINK HERE">Tickets</a></li>
	<li><a href="LINK HERE">Fixtures</a></li>
	<li><a href="LINK HERE">Merchandise</a></li>
	<li><a href="LINK HERE">Teams</a></li>
	<li class="last"><a href="LINK HERE">Contact Us</a></li>
	</ul>

	<div class="clearthis"> </div>
</div>

<!-- End of Footer Links -->


<!-- Start of Page Footer -->


<!-- End of Page Footer -->


</div>

</body>
</html>

 

Thanks for the help

The symptom would tend to indicate that code on the page is ... destroying the session.

 

You are unconditionally destroying the session when the following line of code is executed -

 

<a href="<?php session_destroy()?>">Logout</a>

 

PHP code on any page is executed when the page is requested. Also, href="..." attribute values are URLs.

Thanks a lot, that's worked, you're a life saver. I had initially thought that may have been the problem and used <!-- --> tags to comment out the HTML part, but I didn't realise that the session would still be destroyed. I'm still fairly new to PHP; is there any way to have session_destroy() run when I click logout? Or would it just be easier to make a new page with session_destroy on it?

 

Thanks again

<!-- --> tags to comment out the html part

 

HTML only has meaning in a browser, where it gets rendered. In a .php file, everything that is not PHP code is really just a bunch of characters in a file that gets output when the page is requested.

 

To make a logout link would require a URL that can be clicked on. That URL must contain enough information so that the target page knows what action to perform. This can either be a logout page that only performs the logout function, or you can put a GET parameter on the end of the URL that the code on a multi-purpose page can use to detect that the requested operation was to perform a logout.
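As an added example (not code from the thread), here is the guard-with-exit from the earlier reply and the GET-parameter logout described above combined in one include. It assumes the thread's session keys (username, sid, ip, adminid) and that the login form lives at index.php.

```php
<?php
// auth.php (hypothetical file name) -- include at the top of every protected
// page, before any output is sent.
session_start();

function require_admin()
{
    if (!isset($_SESSION['username'], $_SESSION['sid'], $_SESSION['ip'])
        || $_SESSION['adminid'] != 1) {
        header("Location: index.php");
        // Without exit the rest of the page is still generated and sent to a
        // client that simply ignores the Location header.
        exit;
    }
}

function logout()
{
    // Clear the in-memory session data.
    $_SESSION = array();
    // Remove the session cookie too, so the old id is not reused.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header("Location: index.php");
    exit;
}

// Multi-purpose page variant: adminpage.php?action=logout
// logout() only runs on the request where the parameter is present, i.e.
// when the link is actually clicked, not when the page merely renders it.
// (A dedicated logout.php that just calls logout() works the same way.)
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    logout();
}
require_admin();
?>
<!-- The link itself is only a URL; no PHP runs while it is being output. -->
<a href="adminpage.php?action=logout">Logout</a>
```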
