
Can SESSION be used in header to prevent navigating to pages?


ntroycondo


Is there a simple way to use SESSION in header to prevent anyone from going directly to a URL?

I tried a few things but can't get it to work.

 

I tried using something simple like these pulled from my login script:

session_start();

$_SESSION['username']=$username;

 

and one for admin user

if ($username=="admin")

 

Once a user has logged in, then on subsequent pages I don't need to query DB to see if they are a valid user. Shouldn't the SESSION have this already?

 

As always, thanks for all help.

 

My login script is below.

 

<?php
session_start();
// Read the submitted credentials; default to empty strings if a field is missing.
$username = isset($_POST['user_name']) ? $_POST['user_name'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if ($username && $password)
{
    // Hash only after the empty check: md5('') is a non-empty string.
    $password = md5($password);
    $connect = mysql_connect("host", "un", "password") or die("Couldn't connect");
    mysql_select_db("ihear") or die("Couldn't find DB");

    // Escape the user name before placing it in the query string.
    $safe_username = mysql_real_escape_string($username, $connect);
    $query = mysql_query("SELECT * FROM ihear_users WHERE user_name='$safe_username'");
    $numrows = mysql_num_rows($query);

    if ($numrows != 0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['user_name'];
            $dbpassword = $row['password'];
        }
        if ($username == $dbusername && $password == $dbpassword)
        {
            // Password verified: set the session first, then redirect by role.
            $_SESSION['username'] = $username;
            $page = ($username == "admin") ? "admin.php" : "member.php";
            header("Location: http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/".$page);
            exit; // stop the script once the redirect header is sent
        }
        else
            echo "Incorrect password!";
    }
    else
        die("User does not exist");
}
else
    die("Please enter user name and password.");

?>

The login.php works fine. Admin user and member user redirect to appropriate pages.

 

For example, member user login directs to member.php page. If I log out the user, I can simply put the member.php page back as URL and it goes right back in.

 

I want to use session_start to check if they are logged in or not and redirect to appropriate page.

My logout.php is:

 

<?php
ob_start();
// Set the page title and include the HTML header.
$page_title = 'iHear logout';
include ('./header3.inc');
session_start();
?>
<div align=center>
<?php

session_start();

session_destroy();

echo "You have logged out.";

?>

This is what the manual says about session_destroy

session_destroy() destroys all of the data associated with the current session. It does not unset any of the global variables associated with the session, or unset the session cookie. To use the session variables again, session_start() has to be called.

 

In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

 

So if you're just using session_destroy, as soon as you do a session_start() all the session variables are back and it never looks like the user logged out.

 

If you unset the session variable indicating that the user is logged in this may also work.

 

Ken
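
The session check asked about in the question and the full logout described in the manual text quoted above, as an added example that is not code from either poster. The file name auth.inc, the function names require_login() and logout(), and login.php as the redirect target are assumptions; $_SESSION['username'] is the key the login script in this thread sets.

```php
<?php
// auth.inc (hypothetical file name): include at the very top of every
// protected page, before any HTML output, so header() redirects still work.

// Guard: send anyone without a logged-in session back to the login form.
function require_login($admin_only = false)
{
    if (session_id() === '') {
        session_start();
    }
    $user = isset($_SESSION['username']) ? $_SESSION['username'] : null;
    if ($user === null || ($admin_only && $user !== 'admin')) {
        header('Location: login.php');  // assumed location of the login form
        exit;  // without exit the rest of the protected page still runs
    }
    return $user;
}

// Full logout, following the three steps in the quoted manual text.
function logout()
{
    if (session_id() === '') {
        session_start();
    }
    $_SESSION = array();                    // 1. clear the session variables
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();   // 2. expire the session-id cookie
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                      // 3. delete the server-side data
}

// member.php:  require 'auth.inc'; $user = require_login();
// admin.php:   require 'auth.inc'; require_login(true);
// logout.php:  require 'auth.inc'; logout(); echo "You have logged out.";
```

The guard has to run on every protected page; a page such as member.php that never inspects $_SESSION is reachable by URL whether or not a session exists.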
