amplexus Posted September 6, 2010

Hi everyone. I'm using some session scripting to allow access to a page only from a page that is password protected. Everything works just dandy, except for this...

If someone is on the page, and refreshes, it destroys the session and requires the password. That part is okay. If you then enter the password incorrectly, you are bumped not to the original referring page, passlist.php, but to the site index. At that point, from the site index, if you type the URL into the bar, or use a shortcut, you are allowed passcode-free access to the page. The site index is an HTML page, not PHP, and no session setting or variable passing can occur, right?

Here's the code on the original page, the one you can only get to through a referring page (at least, should only):

```php
<?php
session_start();
if(empty($_SESSION['logged'])) {
    echo "<script>window.location.href='passlist.php'</script>";
}
session_unset();
session_destroy();

include("dbinfo.inc.php");
mysql_connect($servname,$dbusername,$dbpassword);
@mysql_select_db($database) or die( "Unable to select database");
$query="SELECT * FROM ($newdbname) ";
$result=mysql_query($query);
$num=mysql_numrows($result);
mysql_close();

$i=0;
while ($i < $num) {
    $user_id=mysql_result($result, $i, "user_id");
    $username=mysql_result($result,$i,"username");
    $password=mysql_result($result,$i,"password");
    echo "$username, $password, $user_id";
?>
<form action="updated.php">
<input type="hidden" name="user_id" value="<?php echo "$user_id"; ?>">
Username: <input type="text" name="username" value="<?php echo "$username"?>"><br>
Password: <input type="text" name="password" value="<?php echo "$password"?>"><br>
<input type="Submit" value="Update" name="submit">
</form>
<?php
    ++$i;
}
?>
```

I hope I'm explaining this correctly, I'm baffled.
amplexus Posted September 6, 2010

What I think is happening is that the referring page has a fairly simple JavaScript pass protect script (this isn't government secrets here) and when you don't enter the right code, it somehow runs the script without displaying?

Here's the referring page code, and the JavaScript as well:

```php
<head>
<SCRIPT language="JavaScript" src="logscript.js">
</SCRIPT>
<link href="cathfound.css" rel="stylesheet" type="text/css" />
</HEAD>
<?php
session_start();
$_SESSION['logged'] = 1;

include("dbinfo.inc.php");
mysql_connect($servname,$dbusername,$dbpassword);
@mysql_select_db($database) or die( "Unable to select database");
$query="SELECT * FROM ($newdbname)";
$result=mysql_query($query);
$num=mysql_numrows($result);
mysql_close();

echo "<b><center>Database Output</center></b><br><br>";
?>
<table border="0" cellspacing="2" cellpadding="2">
<tr>
<th><font face="Arial, Helvetica, sans-serif">Username</font></th>
<th><font face="Arial, Helvetica, sans-serif">Password</font></th>
</tr>
<?
$i=0;
while ($i < $num) {
    $username=mysql_result($result,$i,"username");
    $password=mysql_result($result,$i,"password");
?>
<tr>
<td><font face="Arial, Helvetica, sans-serif"><? echo "$username"; ?></font></td>
<td><font face="Arial, Helvetica, sans-serif"><? echo "$password"; ?></font></td>
</tr>
<?
    ++$i;
}
echo "</table>";
?>
<br/><br/><br/><br/><a href="update.php">Click here to update users</a>
```

JavaScript:

```javascript
var password;
var pass1="xxxxxxxxxx";
password=prompt('Please enter your password to view this page!',' ');
if (password==pass1)
    alert('Password Correct! Click OK to enter!');
else
{
    window.location="/index.html";
}
```
amplexus Posted September 6, 2010

I'm pretty sure it's NOT the javascript causing the problem.
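In the listings posted in this thread, passlist.php sets `$_SESSION['logged'] = 1` on every request, while the passcode comparison runs in the browser in logscript.js, so the server marks the session as logged in whatever is typed at the prompt; the protected page also keeps executing after echoing its redirect because nothing stops the script. The following is an added example, not code from the thread, of doing the check on the server instead. The names `try_login` and `may_view`, the `passcode` form field and the sample passcode are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Function names, the form field
// name and the passcode are constructed for illustration.

// Assumption: in a real deployment the hash is created once with
// password_hash() and stored in a config file outside the web root. It is
// generated here only so the example runs on its own.
define('PAGE_PASSWORD_HASH',
    password_hash('constructed-sample-passcode', PASSWORD_DEFAULT));

// passlist.php side: set the flag only after the server itself has checked
// the submitted passcode. Returns true when the session is now authorised.
function try_login(array $post, array &$session): bool
{
    $submitted = (isset($post['passcode']) && is_string($post['passcode']))
        ? $post['passcode'] : '';
    if (!password_verify($submitted, PAGE_PASSWORD_HASH)) {
        unset($session['logged']);   // a wrong guess never leaves the flag set
        return false;
    }
    $session['logged'] = 1;
    return true;
}

// Protected page side: decide before any output whether to serve the page.
function may_view(array $session): bool
{
    return !empty($session['logged']);
}

// Wiring at the top of the protected page (shown as a comment because
// header() and exit only make sense inside a real request):
//   session_start();
//   if (!may_view($_SESSION)) {
//       header('Location: passlist.php');
//       exit;   // without exit the rest of the page is still generated and sent
//   }

// Constructed walk-through of the sequence described in the thread:
// a wrong passcode first, then a direct visit, then the right passcode.
$session = [];
var_dump(try_login(['passcode' => 'wrong guess'], $session));
var_dump(may_view($session));
var_dump(try_login(['passcode' => 'constructed-sample-passcode'], $session));
var_dump(may_view($session));
```

With the flag set only inside `try_login`, the redirect to `/index.html` after a wrong passcode no longer leaves a session that the protected page will accept.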
Archived
This topic is now archived and is closed to further replies.