
$_sessions


tourbike


hello,

 

I am trying to protect an internal web app's pages from being accessed without a proper username and password. I thought I could use $_SESSION instead of using session_register, then use this global $_SESSION to protect them. Is this right, or is there an easier way?

 

cheers in advance


So to protect the other web pages in my app I would add the code:

 

<?
session_start();
if($_SESSION['username']){
header("location:login.php");
}
?>

 

and add this to all the pages that I want to protect. !???!

 

this is roughly right, as I cannot seem to get it to work on my localhost machine.

 

cheers


A) It would be if(!isset($_SESSION['username'])){

 

B) You need an exit; statement after your header() redirect to prevent the remainder of the 'protected' code on the page from being executed. Without the exit statement all a hacker needs to do is ignore the header() redirect that you are sending to the browser and he can access the remainder of the content on the page.


Thanks, I changed the code above and slotted it into the page I wanted to protect, but when I tried to access the page it didn't work (bearing in mind that I am working on my localhost XAMPP Windows version :( )

This is the code that I use to create the $_SESSION once the user logs in:

 

if #Mysql query is correct then returns a value
{
// Register $myusername, $mypassword and redirect to file "control.php"
session_start();
$_SESSION['username'];
$_SESSION['pass'];
header("location:control.php");
}
else {
echo "Wrong Username or Password";
}

 

This works for making the correct passwords etc., but it's the next step that I am struggling with. The following code I use on control.php to block unauthorised access to the file.

 

<?
session_start();
if(!isset($_SESSION['sm_username'])){
header("location:login.php");
}
exit();
?>

 

where am I going wrong???


Just putting two variable names in your php code does nothing -

$_SESSION['username'];

$_SESSION['pass'];

 

You need to assign values to variables -

$_SESSION['username'] = $myusername;
$_SESSION['pass'] = $mypassword;

 

The exit; goes after the header() redirect, not after you close the if(){} statement -

<?php
session_start();
if(!isset($_SESSION['username'])){
header("location:login.php");
exit();
}
?>

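The login step and the page guard discussed in the posts above, combined into one include file. This is an added example, not code from any poster in the thread; the file name auth.php, the function names start_session(), complete_login() and require_login(), the call to session_regenerate_id(), and the choice to keep only the username in the session are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// auth.php (hypothetical file name): include this before any output on
// login.php and on every page that must be protected.

// Start the session exactly once per request.
function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call from login.php only after the username/password check has succeeded.
function complete_login(string $username): void
{
    start_session();
    // Issue a fresh session ID at login so an ID handed out before
    // authentication is not carried over into the logged-in session.
    session_regenerate_id(true);
    // Assign a value: a bare "$_SESSION['username'];" statement stores nothing.
    // Only the username is kept; the guard below never needs the password.
    $_SESSION['username'] = $username;
    header('Location: control.php');
    exit; // nothing after the redirect header should run
}

// Call as the first statement of control.php and every other protected page.
function require_login(): void
{
    start_session();
    // The key must be the one complete_login() sets ('username'); checking a
    // different key such as 'sm_username' redirects every user to the login page.
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        // header() only queues a response header. Without exit, the rest of
        // the page still executes and is sent as the body of the redirect,
        // where a client that does not follow redirects can read it.
        exit;
    }
}
```

On a protected page, `require 'auth.php'; require_login();` goes before any HTML or other output, since both session_start() and header() must run before the response body begins.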

hello and thank you very much for the advice especially #PFMaBiSmAd

 

@wildteen88 that was a type error on my part so sorry about that

 

Anyway, it worked like a treat, but I think I do need to work on the error pages now, so thanks again.

 

laters

 

 
