Login can be bypassed

[fredundant]

Hi there.

 

I created a registration and login script which works fine.

 

However if the user knows the url of the page they do not need to login which is huge security flaw on my side

 

Here is the login page

<HTML>
<head><title>Login</title>
<link rel='stylesheet' href='layout.css'>
</head>
<body bgcolor="#fd8ecf">
<center><img src="headerpage.jpg"></center>

<div class="navbar">
<div class="button"><a href="index.html">Home</a></div>
<div class="button"><a href="news.html">News</a></div>
<div class="button"><a href="gallery.html">Gallery</a></div>
<div class="button"><a href="videos.html">Videos</a></div>
<div class="button"><a href="contact.html">Contact</a></div>
<div class="button"><a href="links.html">Links</a></div>
<div class="button"><a href="msg.html">Message  Kaaleigh</a></div>

</div>

<div class="frame">

<frameset cols="25%,75%" noresize="noresize">


<?
session_start(); //initialize session mechanism

if(!isset($_POST['ok'])) {
// if the form is not completed, display it
    echo"
   
    <table width='100%'>
    <form method='POST' action='login.php'>
    <tr><td align=center>
    <table>
    <tr><td>
    <table>
    <tr><td>Login:</td><td><input type='text'
        name='username' size='15'></td></tr>
    <tr><td>Password:</td><td><input
        type='password' name='password' size='15'></td></tr>
    </table>
    </td></tr>
    <tr><td align=center><input type='submit' name='ok'
        value='Enter'></td></tr>
    </table>
    </td></tr>
    </form>
    </table>
    ";
}
else{    
    //supposed that user data
    //is saved in database, in users table, that includes id, login, pass fields

    $db=mysql_pconnect('******','********') or die(mysql_error());
  mysql_select_db('*******') or die(mysql_error());
    
    //check if there is a user with such login and password
    $res=mysql_query("SELECT * FROM users WHERE username='".$_POST['username']."'
        AND password='".$_POST['password']."'", $db);
    if(mysql_num_rows($res)!=1){    //such user doesn’t exist
        echo "Incorrect login and password";
    }
    else{    //user is found
        $_SESSION['username']=$_POST['username'];    //set login & pass
        $_SESSION['password']=$_POST['password'];
        header("Location: messageboard.php");    // redirect him to messageboard.php
    }
    
    mysql_close();
}
?>
</body>
</html>

 

and here is the "protected" page

 

<?php
session_start();
//this checks to see if the $_SESSION variable has been not set 
//or if the $_SESSION variable has been not set to true
//and if one or the other is not set then the user gets
//sent to the login page
if(!isset($_SESSION)){
header('Location: messageboard.php');
}



?>


HTML Placed here

 

What I want is effectively 2 messageboard.php pages

 

one for a logged in user and one which tells a user to login

 

what am i missing?

 

[trq]

The $_SESSION array will be set. You need to check further into the array. eg;

 

if (!isset($_SESSION['username'])) {
    header('Location: messageboard.php');
}

[fredundant]

Thankyou thorpe.

That answered my question brilliantly. 

 

One more thing. How do I redirect the user to another page that says you need to be logged in to access the message board?

lets called this page notlogged.html

 

As far as I was aware my users who are not logged in should have been sent back to log in page

[trq]

You use the header functions to set a Location header to do a redirect.

[fredundant]

ofcourse.

 

When trying to go to messageboard without being logged in it timed out as would redirect it back to messageboard and loop round. didn't realise I had the header set back to messageboard.

 

Thankyou for your help.

[PFMaBiSmAd]

In the code you posted above to protect access to a page, you must put an exit; statement in your code after the header(); statement in order to prevent the remainder of the code on your 'protected' page from being executed while the browser preforms the redirect OR you need to put the remainder of the code on the page inside of an else{} statement that you add to that if(){} statement.