Kayz Posted April 10, 2011

Hi guys, I've spent 3 whole days trying to get this to work but it doesn't. My issue is very similar, almost the same as: http://www.phpfreaks.com/forums/index.php?topic=296100.15 but with the code I have.

Basically I have custom member pages: member1.php, member2.php. The design and content will be custom to each member; they also have their own login page. Each member should be able to access their page and simply view their secure area. They should not be able to log into another user's area if they don't have the username or password for it.

Now the problem is, I have this entire script set up and it works, however I fear there is something wrong with the sessions which allows other members to access other members' pages with their own passwords and usernames because they share the same database. So the script executes thinking it's a valid user and lets them in.

Here is my login checker. Once the user is validated they are sent to their own folder with header("Location: ../{$loginusername}/index.php"); and are able to view the page.

```php
<?php
require_once('../config.php');

// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db") or die("Unable to select database");

// The username and password sent from login.php
$loginusername = $_POST['username'];
$loginpassword = $_POST['password'];

// The following bit of coding protects from MySQL injection attacks
$loginusername = stripslashes($loginusername);
$loginpassword = stripslashes($loginpassword);
$loginusername = mysql_real_escape_string($loginusername);
$loginpassword = mysql_real_escape_string($loginpassword);

$sql = "SELECT * FROM $tbl WHERE username='$loginusername' and password='$loginpassword'";
$result = mysql_query($sql);

// Count how many results were pulled from the table
$count = mysql_num_rows($result);

// If the result equals 1, continue
if ($count == 1) {
    session_start();
    $_SESSION["loginusername"] = $loginusername;
    $_SESSION['user1'] = $username; // store session data
    //echo "User: = " . $_SESSION['loginusername']; //retrieve data
    header("Location: ../{$loginusername}/index.php");
}
// If not successful, inform the user of error
else {
    echo "Wrong Username or Password";
}
?>
```

Now here is the secure page sample:

```php
<?php
session_start();
if (!$_SESSION['user1']) {
    header("Location: login.php");
} else {
    print "its working!";
}
?>
<html>
<body>
Login Successful for
</body>
</html>
```

For each login page I have given each user its own session. This works, however if user1 logs in and simply changes the URL to user2 and enters his user2 password he is granted access, giving him new sessions, which means he has access to everything. I'm pretty sure I'm missing something really small; any help would be appreciated.
spiderwell Posted April 10, 2011

It looks like you are only checking for the existence of the $_SESSION['user1'] variable, and not what its value is, so as long as you are logged in with a session variable called $_SESSION['user1'] it doesn't matter what its value is.

If there is a unique path which will contain the username or whatever, perhaps do a check that matches the value stored in $_SESSION['user1']. I would store the username, or whatever the unique identifier is, in $_SESSION['user1']. For example, let's say the value is 'peter'; then when forwarded to ../peter/index.php, that file should check if the path matches the session, so perhaps explode the path into an array to extract the peter from it and compare that to the session user1 value. If they are the same, let the user stay, otherwise redirect away. Does that make any sense?
Kayz Posted April 10, 2011

> It looks like you are only checking for the existence of the $_SESSION['user1'] variable, and not what its value is, so as long as you are logged in with a session variable called $_SESSION['user1'] it doesn't matter what its value is. If there is a unique path which will contain the username or whatever, perhaps do a check that matches the value stored in $_SESSION['user1']. I would store the username, or whatever the unique identifier is, in $_SESSION['user1']. For example, let's say the value is 'peter'; then when forwarded to ../peter/index.php, that file should check if the path matches the session, so perhaps explode the path into an array to extract the peter from it and compare that to the session user1 value. If they are the same, let the user stay, otherwise redirect away. Does that make any sense?

I think I got you. Well, if you see the scripts above, the session is in index.php and it works. But the issue we have is when the user is logged in it can go along to another user's profile and also log in, which will give it a new session... do you see what I mean? I need to make each page unique to the user with the login script somehow. Thank you for your input though.
spiderwell Posted April 10, 2011

Then you need to add a further error trap, checking if the user who logs in is the right user for that page. I.e. if peter logs in on john's page, kick him out because it's peter, not john, rather than just checking peter's username against password.
Kayz Posted April 10, 2011

> Then you need to add a further error trap, checking if the user who logs in is the right user for that page. I.e. if peter logs in on john's page, kick him out because it's peter, not john, rather than just checking peter's username against password.

I see, I tried something like this but it did not work with an 'if statement'. I'm still a newbie with PHP to be honest... any help would be appreciated. I will have many users so I don't think it would be a good idea to rule out an 'xxx' list of users but rather allow only username 'john' to access his page. Each page will be assigned to each user and will be custom in their own way. So 'john', or whoever the user is, must be the only person allowed access. Cheers
spiderwell Posted April 10, 2011

How is this unique page created? Would it not be possible to add an $owner variable to it and then compare that against the session id of the user who is on it?

```php
$owner = 'john';
if ($_SESSION['user1'] != $owner) {
    // redirect
}
```
Kayz Posted April 11, 2011

> How is this unique page created? Would it not be possible to add an $owner variable to it and then compare that against the session id of the user who is on it?
>
> $owner = 'john'; if ($_SESSION['user1'] != $owner) { //redirect }

For a moment I thought this had worked but unfortunately I am faced with the same problem; the lines marked `// changed` are the changes I made with your method. I've realised the script checks the user/pw against the db first, which runs the script giving it the session regardless of what the username or user is, so if the user is given the session he can always change the URL to whatever page. With the method below I was able to log into user 2's page.

Secure page, with the snippet you have provided:

```php
<?php
session_start();
$username = 'test';                     // changed
if ($_SESSION['user1'] != $username) {  // changed
    header("Location: login.php"); // redirect to login page
} else {
    print "its working test 1";
}
```

Now for the login checker:

```php
<?php
require_once('../config.php');

// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db") or die("Unable to select database");

// The username and password sent from login.php
$loginusername = $_POST['username'];
$loginpassword = $_POST['password'];

// The following bit of coding protects from MySQL injection attacks
$loginusername = stripslashes($loginusername);
$loginpassword = stripslashes($loginpassword);
$loginusername = mysql_real_escape_string($loginusername);
$loginpassword = mysql_real_escape_string($loginpassword);

$sql = "SELECT * FROM $tbl WHERE username='$loginusername' and password='$loginpassword'";
//$sql="SELECT * FROM $tbl WHERE userName='"test"' and password='".$loginpassword."'";
$result = mysql_query($sql);

// Count how many results were pulled from the table
$count = mysql_num_rows($result);

// If the result equals 1, continue
if ($count == 1) {
    session_start();
    $username = 'test';              // changed
    $_SESSION['user1'] = $username;  // store session data
    header("Location: ../{$loginusername}/index.php");
}
// If not successful, inform the user of error
else {
    echo "Wrong Username or Password";
}
?>
```
spiderwell Posted April 11, 2011

You have hard coded $username to be 'test' in both pages, so it will never fail.
Kayz Posted April 11, 2011

Edit: I have got it to work! Thank you very much! Here is the final piece.

Login checker:

```php
<?php
// Require the information from the includes.php page
require_once('../config.php');

// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db") or die("Unable to select database");

// The username and password sent from login.php
$loginusername = $_POST['username'];
$loginpassword = $_POST['password'];

// The following bit of coding protects from MySQL injection attacks
$loginusername = stripslashes($loginusername);
$loginpassword = stripslashes($loginpassword);
$loginusername = mysql_real_escape_string($loginusername);
$loginpassword = mysql_real_escape_string($loginpassword);

$sql = "SELECT * FROM $tbl WHERE username='$loginusername' and password='$loginpassword'";
//$sql="SELECT * FROM $tbl WHERE userName='"test"' and password='".$loginpassword."'";
$result = mysql_query($sql);

// Count how many results were pulled from the table
$count = mysql_num_rows($result);

// If the result equals 1, continue
if ($count == 1) {
    session_start();
    $_SESSION['user1'] = $loginusername; // <<********************************
    //echo "User: = " . $_SESSION['loginusername']; //retrieve data
    header("Location: ../{$loginusername}/index.php");
}
// If not successful, inform the user of error
else {
    echo "Wrong Username or Password";
}
?>
```

Instead of $username it needed to be $_SESSION['user1'] = $loginusername;

The secure page:

```php
<?php
session_start();
$loginusername = 'test';
if ($_SESSION['user1'] != $loginusername) {
//if (!$_SESSION['user1']) { // if not present, assuming this is not the setting page
    header("Location: login.php"); // redirect to login page
} else {
    print "its working test 1";
}
?>
<html>
<body>
Login Successful
</body>
</html>
```

Same applied, it needed to be $loginusername as the variable. Thank you very much spiderwell, you have been of great help.

If you don't mind having a look at the code in general, do you think it is safe and secure enough? As I am still a beginner I fear that somebody might come along and snap it to pieces or gain access to my secure pages somehow. Your advice would be much appreciated.
spiderwell Posted April 11, 2011

Upload the files to the thread, I will take a look, but it's gone midnight here, I might well have to do it in the morning. I am happy to upload it and play around with it on your server, but message that information to me if you really want me to.
Kayz Posted April 11, 2011

> Upload the files to the thread, I will take a look, but it's gone midnight here, I might well have to do it in the morning. I am happy to upload it and play around with it on your server, but message that information to me if you really want me to.

It's past midnight here too and I'm supposed to be waking up at 7 for work! These things really have me dreaming code! I must thank you once again for your much needed help.. thank you!
spiderwell Posted April 11, 2011

If you want to email me the code my address is my forum username @ hotmail.com. I'll do it with my morning tea lol, which will be later than 7am ner ner
Kayz Posted April 11, 2011

> If you want to email me the code my address is my forum username @ hotmail.com. I'll do it with my morning tea lol, which will be later than 7am ner ner

Cheers, will do! If only I could offer/make you tea for the help. Thank you again, it's a few days short of a week that I have been trying to get this to work, thank god for this forum! And of course thank you again!
spiderwell Posted April 12, 2011

Heya buddy, I am just looking at the files you sent me now. Do you however have a copy of the login success file, or shall I just make one?
spiderwell Posted April 12, 2011

OK, posting it here too, but I have emailed you the scripts direct. I rewrote it so that the file will work for any user in any user folder, which is the best way to do it really.

check_login.php

```php
<?php
// Require the information from the includes.php page
require_once('../config.php3');

// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db") or die("Unable to select database");

$loginusername = false;
$loginpassword = false;
$err = false; // default error message is empty

// The username and password sent from login.php
// the isset() basically means if it's there get it, otherwise don't bother
if (isset($_POST['username'])) $loginusername = $_POST['username'];
if (isset($_POST['password'])) $loginpassword = $_POST['password'];

// if either isn't filled in, tell the user, a very basic bit of validation
if (!$loginusername || !$loginpassword) $err = "please complete the form";

if (!$err) // if no error continue
{
    // The following bit of coding protects from MySQL injection attacks
    $loginusername = stripslashes($loginusername);
    $loginpassword = stripslashes($loginpassword);
    $loginusername = mysql_real_escape_string($loginusername);
    $loginpassword = mysql_real_escape_string($loginpassword);
    // you could add other things like check for text only blah blah

    $sql = "SELECT * FROM $tbl WHERE username='$loginusername' and password='$loginpassword'";
    $result = mysql_query($sql);

    // Count how many results were pulled from the table
    $count = mysql_num_rows($result);

    // If the result equals 1, continue
    if ($count == 1)
    {
        session_start();
        $_SESSION['user'] = $loginusername; // store session data
        // please see I have used a session variable that is generic not specific, otherwise you will have to make this page different for every user
        // that would be a pain in the ass, you don't need to have user1 or user2, it's the value stored that's relevant, not what the variable name is
        header("Location: ../{$loginusername}/index.php3");
    }
    else
    {
        $err = "Wrong Username or Password";
    }
} // end login if statement

if ($err) // show error message if there is one
{
    echo $err;
    echo "<br>Please go back in your browser and try again";
}
?>
```

then index.php

```php
<?php
session_start();
$loginusername = 'test2'; // this is the line that would have to be different in every script
// it isn't very efficient, I am actually not going to use it, delete it after you have read this.
// what we want is a page that does the same for everyone without having to change the code.
// so I am going to compare the stored session username against the url to check they match or else it will kick them out
// this will however mean literally only the owner can view the page, I hope that's what you are after.

// REQUEST_URI also carries the query string, so keep only the path part;
// otherwise "?x=/test/" appended to another user's URL would match below.
$mypath = parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);
//echo $mypath; // for debugging

// now we have the path let's see if the username is in that path, i.e. test2 is inside /something/test2/index.php
// use the built in strpos() function, which returns the position of the first occurrence of the string you are looking for inside another string.
// http://php.net/manual/en/function.strrpos.php
// compare against false explicitly: a match at position 0 (a path like /test2/index.php3) would otherwise count as "not found".
if (isset($_SESSION['user']) && strpos($mypath, "/" . $_SESSION['user'] . "/") !== false)
// on testing it failed initially as username test is found in path /test2/ so I added the slashes to stop that, so /test/ doesn't get found in /test2/
{
    echo "congratulations you are the right person in the right place";
}
else
{
    session_destroy(); // kill the session, naughty person trying to come here
    header("Location: login.php3");
    die(); // stop page executing any further
}
?>
<html>
<body>
</body>
</html>
```
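The two checks discussed in this thread are an existence-only test on a session key (which lets any logged-in user into any folder) and a substring search for "/username/" inside $_SERVER['REQUEST_URI'] (which is the raw string the client sent, query string included, so "/test/" can be made to appear in a request for /test2/index.php). The following is an added example, not code from the thread or from either poster: it derives the owner from the path of the script the server actually executed and compares it to the session value with strict equality. The function names and the "user" session key are assumptions made here.

```php
<?php
// Added example, not code from the thread. Authorises a request to a per-user
// folder (.../<owner>/index.php) by comparing the username stored in the
// session at login against the folder the executing script lives in. The
// function names and the "user" session key are this example's own choices.
declare(strict_types=1);

// Owner of a protected page, derived from the path of the script the server
// actually executed (e.g. $_SERVER['SCRIPT_NAME'] = "/site/test2/index.php"
// gives "test2"). Unlike REQUEST_URI this is not the raw client string, so
// query strings and un-normalised "/../" segments cannot influence it.
function owner_from_script_path(string $scriptPath): ?string
{
    $owner = basename(dirname($scriptPath));
    // Allow-list the characters a user folder may contain.
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $owner) === 1 ? $owner : null;
}

// True only when the session holds a username and it equals the owner exactly.
// Strict equality has none of the prefix problem of a substring search
// ("test" is a prefix of "test2", so "test" must not be granted /test2/).
function is_owner(array $session, string $scriptPath): bool
{
    $user = $session['user'] ?? null;
    if (!is_string($user) || $user === '') {
        return false;
    }
    return owner_from_script_path($scriptPath) === $user;
}

// Gate to call at the top of every protected page, before any output.
function require_owner(): void
{
    session_start();
    if (!is_owner($_SESSION, $_SERVER['SCRIPT_NAME'] ?? '')) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed cases: [session user, executing script, expected decision].
    $cases = [
        ['test',  '/test/index.php',       true],
        ['test2', '/site/test2/index.php', true],
        ['test',  '/test2/index.php',      false],  // prefix of the owner is not the owner
        ['test2', '/test/index.php',       false],
        [null,    '/test/index.php',       false],  // not logged in
        ['test',  '/index.php',            false],  // no owner folder at all
    ];
    foreach ($cases as [$user, $script, $expected]) {
        $granted = is_owner(['user' => $user], $script);
        printf("%-6s %-24s %s\n", $user ?? '(none)', $script, $granted === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Each per-user index.php would call require_owner() as its first statement. Because the owner comes from the executing script's own location rather than from the request line, the same file can be dropped into every user folder unchanged, which is the property spiderwell's rewrite was aiming for.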
Kayz Posted April 12, 2011

Excellent stuff, I am currently at work and will soon try this. I'm assuming one login page does it all? I was hoping to redirect users to mydomain/user/ for their page but I think I can get around this easily. Cheers, speak to you soon!
spiderwell Posted April 12, 2011

Did it work for ya?
Kayz Posted April 12, 2011

This works splendidly! Just as I wanted when I first embarked on this project. But I realised I would want to give users their own username like mydomain.com/username and their own folders, so I went down the route of giving each user a session, which would mean I have to edit the script.. but this eliminates all that and I can use it in every directory without the need to edit the script! Many thanks spiderwell... I presume the script is also secure and nobody can hack into it? I'll be changing the database and will store the passwords in md5 encryption. Also, would you have any good pointers or recommend any websites where I can read and learn more PHP? There are so many out there but I think your recommendation would be wise. Cheers once again!
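On the plan above to store passwords as md5: md5 is a fast, unsalted digest, not a password hash, and the login checkers in this thread compare the submitted value against the stored column inside a string-built query. The following is an added example, not code from the thread or from either poster, showing the login side done with a prepared statement and PHP's password_hash()/password_verify() (bcrypt by default), after which only the database's own copy of the username is placed in the session. The users(username, password_hash) table, the function names and the SQLite in-memory database used for the stand-alone run are assumptions made here.

```php
<?php
// Added example, not code from the thread. A login checker that verifies the
// password against a password_hash() digest, looked up with a prepared
// statement, and only then puts the verified username into the session.
// The table users(username, password_hash) and the SQLite demo database are
// assumptions made for this example.
declare(strict_types=1);

// Store a new user. password_hash() salts and uses bcrypt by default; the
// digest is what goes in the table, never the password or an md5 of it.
function create_user(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Return the username as stored in the database on success, null otherwise.
// Parameters are bound, so a username like "' OR '1'='1" is just a string.
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy digest when the user does not exist, so the
    // response takes about the same time either way and does not reveal
    // which usernames are valid.
    $hash = is_array($row) ? (string) $row['password_hash'] : $dummy;
    if (!password_verify($password, $hash) || !is_array($row)) {
        return null;
    }
    return (string) $row['username'];
}

// POST handler for login.php.
function handle_login(PDO $pdo): void
{
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    if (!is_string($u) || !is_string($p) || $u === '' || $p === '') {
        http_response_code(400);
        echo 'please complete the form';
        return;
    }
    $user = authenticate($pdo, $u, $p);
    if ($user === null) {
        http_response_code(401);
        echo 'Wrong Username or Password';
        return;
    }
    session_start();
    session_regenerate_id(true);    // fresh session id once the user is authenticated
    $_SESSION = ['user' => $user];  // the database's username, not the raw POST value
    header('Location: /' . rawurlencode($user) . '/index.php');
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed in-memory database for a stand-alone run.
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    create_user($pdo, 'test', 'correct horse battery');

    var_dump(authenticate($pdo, 'test', 'correct horse battery'));
    var_dump(authenticate($pdo, 'test', 'wrong password'));
    var_dump(authenticate($pdo, "' OR '1'='1", 'anything'));
}
```

The redirect target is built from the username returned by the database rather than from $_POST, so the folder a user lands in is always the one belonging to the account whose password was verified; the per-folder owner check then only has to compare that same session value against its own location.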