anb_newbie Posted October 25, 2012 Share Posted October 25, 2012 Hi there, I'm trying to make a backend for a website i'm working on so that the owner can update the info easily. I have created a login.php file which checks for the right username and password which is working fine. <?php // *** Validate request to login to this site. if (!isset($_SESSION)) { session_start(); } $loginFormAction = $_SERVER['PHP_SELF']; if (isset($_GET['accesscheck'])) { $_SESSION['PrevUrl'] = $_GET['accesscheck']; } if (isset($_POST['username'])) { $loginUsername=$_POST['username']; $password=$_POST['password']; $MM_fldUserAuthorization = ""; $MM_redirectLoginSuccess = "myadminpage.html"; $MM_redirectLoginFailed = "login.php"; $MM_redirecttoReferrer = false; mysql_select_db($database_claudechalhoubconx, $claudechalhoubconx); $LoginRS__query=sprintf("SELECT username, password FROM admins WHERE username=%s AND password=%s", GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); $LoginRS = mysql_query($LoginRS__query, $claudechalhoubconx) or die(mysql_error()); $loginFoundUser = mysql_num_rows($LoginRS); if ($loginFoundUser) { $loginStrGroup = ""; if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();} //declare two session variables and assign them $_SESSION['MM_Username'] = $loginUsername; $_SESSION['MM_UserGroup'] = $loginStrGroup; if (isset($_SESSION['PrevUrl']) && false) { $MM_redirectLoginSuccess = $_SESSION['PrevUrl']; } header("Location: " . $MM_redirectLoginSuccess ); } else { header("Location: ". $MM_redirectLoginFailed ); } } ?> If the user logs in successfully, he is taken to myadminpage.html where he gets to pick what to update(videos, press articles, etc...). For example, If he chooses videos, he is taken to the updatevideos.php page where he can view/add/delete/modify videos etc... Note that I have not included any session checks in myadminpage.html. All was working properly, until I added the Restrict Access to Page() behaviour to all the update pages. Note that I've been working in dreamweaver cs5. In this behaviour, if the user doesn't have access to this page, he should be directed back to the login page. Otherwise, he goes to the updatevideos.php (for example) The problem is, even after a successful login and getting to myadminpage.html, I click on videos(for example) and instead of getting to the update videos page, I am going back to the login page. I am guessing something is going wrong with the session variable. The following is the code on the updatevideos.php. (I have pasted above the code of the login.php. I have no code for session variables on myadminpage.html (in case that could be causing the problem)). <?php if (!isset($_SESSION)) { session_start(); } $MM_authorizedUsers = ""; $MM_donotCheckaccess = "true"; // *** Restrict Access To Page: Grant or deny access to this page function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) { // For security, start by assuming the visitor is NOT authorized. $isValid = False; // When a visitor has logged into this site, the Session variable MM_Username set equal to their username. // Therefore, we know that a user is NOT logged in if that Session variable is blank. if (!empty($UserName)) { // Besides being logged in, you may restrict access to only certain users based on an ID established when they login. // Parse the strings into arrays. $arrUsers = Explode(",", $strUsers); $arrGroups = Explode(",", $strGroups); if (in_array($UserName, $arrUsers)) { $isValid = true; } // Or, you may restrict access to only certain users based on their username. if (in_array($UserGroup, $arrGroups)) { $isValid = true; } if (($strUsers == "") && true) { $isValid = true; } } return $isValid; } $MM_restrictGoTo = "login.php"; if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) { $MM_qsChar = "?"; $MM_referrer = $_SERVER['PHP_SELF']; if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&"; if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0) $MM_referrer .= "?" . $_SERVER['QUERY_STRING']; $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer); header("Location: ". $MM_restrictGoTo); exit; } ?> Any help is greatly appreciated! Thanks in advance. Quote Link to comment https://forums.phpfreaks.com/topic/269887-restrict-access-to-page-behaviour-problem/ Share on other sites More sharing options...
MDCode Posted October 25, 2012 Share Posted October 25, 2012 (edited) if(!$_SESSION) { session_start(); } session_start(); should be the first thing you should put at the script, because you aren't starting the session it will never say that there's a session, which makes that line invalid and allow a user to bypass it everytime function isAuthorized($strUsers,$strGroups,$UserName,$UserGroup){ Where are you getting those variables? Edited October 25, 2012 by ExtremeGaming Quote Link to comment https://forums.phpfreaks.com/topic/269887-restrict-access-to-page-behaviour-problem/#findComment-1387653 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.