tourbike - Posted July 21, 2010

Hello, I am trying to protect internal web app pages from being accessed without a proper username and password. I thought I could use $_SESSION instead of using session_register, then use this global $_SESSION to protect them. Is this right, or is there an easier way? Cheers in advance.

premiso - Posted July 21, 2010

That is the proper way to do it. Just make sure that session_start() is at the top of any page you wish to use sessions.

tourbike (Author) - Posted July 21, 2010

So to protect the other web pages in my app I would add the code:

```php
<?
session_start();
if($_SESSION['username']){
    header("location:login.php");
}
?>
```

and add this to all the pages that I want to protect. !???! This is roughly right, as I cannot seem to get it to work on my localhost machine. Cheers

PFMaBiSmAd - Posted July 21, 2010

A) It would be `if(!isset($_SESSION['username'])){`

B) You need an exit; statement after your header() redirect to prevent the remainder of the 'protected' code on the page from being executed. Without the exit statement all a hacker needs to do is ignore the header() redirect that you are sending to the browser and he can access the remainder of the content on the page.

tourbike (Author) - Posted July 21, 2010

Thanks. I changed the code above and slotted it into the page I wanted to protect, but when I tried to access the page it didn't work (bearing in mind that I am working on my localhost XAMPP Windows version). This is the code that I use to create the $_SESSION once the user logs in:

```php
if #Mysql query is correct then returns a value
{
    // Register $myusername, $mypassword and redirect to file "control.php"
    session_start();
    $_SESSION['username'];
    $_SESSION['pass'];
    header("location:control.php");
}
else {
    echo "Wrong Username or Password";
}
```

This works for making the correct passwords etc., but it's the next step that I am struggling with. The following code I use on control.php to block unauthorised access to the file:

```php
<?
session_start();
if(!isset($_SESSION['sm_username'])){
    header("location:login.php");
}
exit();
?>
```

Where am I going wrong???

wildteen88 - Posted July 21, 2010

You're creating a session variable called $_SESSION['username'], not $_SESSION['sm_username']. So you should be checking to see if the $_SESSION['username'] variable exists.

PFMaBiSmAd - Posted July 21, 2010

Just putting two variable names in your php code does nothing -

```php
$_SESSION['username'];
$_SESSION['pass'];
```

You need to assign values to variables -

```php
$_SESSION['username'] = $myusername;
$_SESSION['pass'] = $mypassword;
```

The exit; goes after the header() redirect, not after you close the if(){} statement -

```php
<?php
session_start();
if(!isset($_SESSION['username'])){
    header("location:login.php");
    exit();
}
?>
```

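Added example, not part of the thread and not any poster's code: the three fixes discussed above (assign the session value at login, test with !isset(), put exit inside the if) collected into one include file. The function names log_user_in() and require_login() are hypothetical; it assumes PHP 7.1 or later, and it goes slightly beyond the thread by regenerating the session ID at login and leaving the password out of the session.

```php
<?php
// auth.php -- added example, not code posted in the thread.
// Hypothetical names: log_user_in(), require_login(). The file names
// login.php and control.php are the ones used in the thread.
// Assumes PHP 7.1+ (scalar and void type declarations).

function log_user_in(string $username): void
{
    // Call this only after the database query has confirmed the credentials.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);        // fresh session ID for the logged-in session
    $_SESSION['username'] = $username;  // assign a value; naming the variable alone does nothing
    // The password is deliberately not stored: the guard only needs the username.
}

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                // must run before any output is sent
    }
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit;                           // inside the if: stops the protected page from running
    }
    // Logged in: fall through and let the page continue.
}

// In login.php, once the credentials are verified:
//     require __DIR__ . '/auth.php';
//     log_user_in($myusername);
//     header('Location: control.php');
//     exit;
//
// At the very top of control.php and every other protected page:
//     require __DIR__ . '/auth.php';
//     require_login();
```
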
tourbike (Author) - Posted July 21, 2010

Hello, and thank you very much for the advice, especially #PFMaBiSmAd. @wildteen88, that was a type error on my part, so sorry about that. Anyway, it worked like a treat, but I think I do need to work on the error pages now, so thanks again. Laters