SalientAnimal Posted January 23, 2014

I'm currently working on restricting access to pages for users who are logged into my site. However, I keep getting the wrong result. I have two scenarios:

- Logged in users must see the logged in page
  - This is then further restricted by access level (0 = None, 1 = General User, 2 = Team User, etc.)
  - 2 must have access to all pages, 1 to some pages, and 0 only have access to the home page
- Users who are not logged in must see a different page altogether (contains registration info)

Here is what I have been trying, but it is not working:

```php
<head>
<title>Test Page</title>
<?php include 'formatting.html' ?>
</head>
<body>
<?php if (login_check($mysqli) == true) :
    include 'panelin.php';
    include '../menu2/menu.html';
?>
<?php else :
    include 'panelout.php';
?>
<?php endif; ?>
```

This was mainly focusing on the logged in vs. logged out users at the moment. I am able to see the session info, however I keep getting the panelout.php page instead of the panelin.php

cyberRobot Posted January 23, 2014

What does the code for formatting.html look like? As the code stands, the login_check() function is missing and $mysqli is undefined.

SalientAnimal Posted January 23, 2014

Sorry, this was at the top of my page, I did not include it in the original section:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<!-- INCLUDING REQUIRED AUTHENTICATION FILES, DATABASE CONNECTIONS, FUNCTIONS. -->
<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
if (login_check($mysqli) == true)
?>
```

Formatting.html looks like this:

```html
<link rel="shortcut icon" href="../test/favicon.ico?v=2"/>
<meta name="description" content="Login Page" />
<meta name="keywords" content="login, register, login page, techdesignlab, tech design lab, computer, components, hardware, software, peripherals" />
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<!-- REFERENCING FOR ALL STYLE SHEETS -->
<link rel="stylesheet" href="css/style.css" type="text/css" media="screen"/>
<link rel="stylesheet" href="css/slide.css" type="text/css" media="screen"/>
<link rel="stylesheet" href="menu2/menu.css" type="text/css" media="screen"/>
<link rel="stylesheet" href="css/form_template.css" type="text/css" media="screen"/>
<!-- REFERENCE TO MAIN CORE OF jQUERY SCRIPT -->
<script src="js/jquery-2.0.3.min.js" type="text/javascript"></script>
<!-- MENU SLIDE EFFECT -->
<script src="js/slide.js" type="text/javascript"></script>
<!-- SHA512 PASSWORD ENCRYPTION ALGORITHM -->
<script src="js/sha512.js" type="text/javascript"></script>
<!-- FORM FUNCTIONS -->
<script src="js/forms.js" type="text/javascript"></script>
-->
```

Edited January 23, 2014 by SalientAnimal

cyberRobot Posted January 23, 2014

Could you show what the login_check() function looks like? Of course, if there is any sensitive information in the function, you'll want to hide that.

Have you tried displaying the value that's returned by login_check()? Maybe it doesn't return a true/false value. You could add the following line above your if statement:

```php
var_dump(login_check($mysqli));
```

SalientAnimal Posted January 23, 2014

Here is the login function:

```php
function login_check($mysqli) {
    // Check if all session variables are set
    if (isset($_SESSION['user_id'],
              $_SESSION['username'],
              $_SESSION['login_string'],
              $_SESSION['email'],
              $_SESSION['level'],
              $_SESSION['session_status'])) {

        $user_id = $_SESSION['user_id'];
        $login_string = $_SESSION['login_string'];
        $username = $_SESSION['username'];
        $email = $_SESSION['email'];
        $level = $_SESSION['level'];
        $status = $_SESSION['session_status'];

        // Get the user-agent string of the user.
        $user_browser = $_SERVER['HTTP_USER_AGENT'];

        if ($stmt = $mysqli->prepare("SELECT password
                                      FROM members
                                      WHERE id = ? LIMIT 1")) {
            // Bind "$user_id" to parameter.
            $stmt->bind_param('i', $user_id);
            $stmt->execute();   // Execute the prepared query.
            $stmt->store_result();

            if ($stmt->num_rows == 1) {
                // If the user exists get variables from result.
                $stmt->bind_result($password);
                $stmt->fetch();
                $login_check = hash('sha512', $password . $user_browser);

                if ($login_check == $login_string) {
                    // Logged In!!!!
                    return true;
                } else {
                    // Not logged in
                    return false;
                }
            } else {
                // Not logged in
                return false;
            }
        } else {
            // Not logged in
            return false;
        }
    } else {
        // Not logged in
        return false;
    }
}
```

I did use var_dump(login_check($mysqli)); and did get the session information returned.

cyberRobot Posted January 23, 2014

> I did use var_dump(login_check($mysqli)); and did get the session information returned.

Did it return "true" as expected?

Since the function returns true/false, you could modify the if statement as follows:

```php
<?php if (login_check($mysqli)) :
```

Also, note that the function could be simplified. Instead of having all those return statements, you could do something like:

```php
<?php
//...
                if ($login_check == $login_string) {
                    // Logged In!!!!
                    return true;
                }
            }
        }
    }

    // Not logged in
    return false;
}
?>
```

Also note

SalientAnimal Posted January 23, 2014

Apologies, I used var_dump($_SESSION); exit; and not var_dump(login_check($mysqli)); I had the login check confused with the session check.

If the session check returned session information, why would the login_check return false? In my case it is returning false.

Mace Posted January 23, 2014

It might be easier to find the problem by finding out which condition is invalid. Try an echo at every possible return false.

```php
                if ($login_check == $login_string) {
                    // Logged In!!!!
                    return true;
                } else {
                    // Not logged in
                    echo 1;
                    return false;
                }
            } else {
                // Not logged in
                echo 2;
                return false;
            }
        } else {
            // Not logged in
            echo 3;
            return false;
        }
    } else {
        // Not logged in
        echo 4;
        return false;
    }
}
```

Depending on which number is echo'd you know where your problem is.

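Added example, not part of the original thread: the branch-by-branch check suggested above, returning the reason for a failed login check and writing it to the server log instead of echoing numbers into the page. The function name `login_failure_reason`, the lookup callback and the sample data are constructed for illustration, and `hash_equals()` (PHP 5.6+) stands in for the `==` comparison in the posted function.

```php
<?php
// Hypothetical helper (not from the thread): null when the session is
// valid, otherwise a short reason naming the check that failed.
function login_failure_reason(array $session, array $server, $fetchPassword)
{
    $required = array('user_id', 'username', 'login_string',
                      'email', 'level', 'session_status');
    foreach ($required as $key) {
        if (!isset($session[$key])) {
            return "missing session key: $key";   // the thread's "4"
        }
    }
    if (!isset($server['HTTP_USER_AGENT'])) {
        return 'no User-Agent header';
    }
    $password = call_user_func($fetchPassword, (int) $session['user_id']);
    if ($password === null) {
        return 'no such member';                  // the thread's "2"
    }
    $expected = hash('sha512', $password . $server['HTTP_USER_AGENT']);
    // hash_equals() compares in constant time and, unlike ==, never
    // treats two numeric-looking strings as equal numbers.
    if (!hash_equals($expected, (string) $session['login_string'])) {
        return 'login string mismatch';           // the thread's "1"
    }
    return null;
}

// Constructed data standing in for the members table and a request.
$members = array(7 => 'constructed-stored-password-value');
$lookup = function ($id) use ($members) {
    return isset($members[$id]) ? $members[$id] : null;
};
$server = array('HTTP_USER_AGENT' => 'ExampleBrowser/1.0');
$session = array(
    'user_id' => 7, 'username' => 'demo', 'email' => 'demo@example.test',
    'level' => 1, // 'session_status' deliberately left unset
    'login_string' => hash('sha512', $members[7] . $server['HTTP_USER_AGENT']),
);

$reason = login_failure_reason($session, $server, $lookup);
if ($reason !== null) {
    error_log('login_check failed: ' . $reason); // server log, not the page
}
```
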
SalientAnimal Posted January 24, 2014

It's returning 4

SalientAnimal Posted January 24, 2014

> It's returning 4

I removed $_SESSION['session_status'] from my login_check script because I wanted to use this to determine if a user is logged in or not to check the number of online users.

When I removed it, it is now not echoing any of the values, but the wrong pages are still being displayed.

Mace Posted January 24, 2014

So if login_check($mysqli) returns true, your problem is not in the login check. However, you haven't posted any other part of your code so we have no clue why the wrong pages are being displayed.

SalientAnimal Posted January 24, 2014

I took a different route to solving this problem. I changed the way that my page looks at the session, and rather than coding different pages I'm just routing the users who are not logged in back to the login page.

```php
<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();

if (login_check($mysqli) == true) {
    $logged = 'in';
} else {
    $logged = 'out';
    header('location:index.php');
    echo 'You are required to login';
    exit;
}
?>
```

What I do want to ask now though, is how do I use this session to control access levels, i.e. UserAccess = 0, 1, 2, 3.

- User level 0 has access to only 1 page on the site and will always be redirected to this page.
- User level 1,2 has access to certain pages. Different for both users, sometimes user 2 will be able to access user 1 pages but not always.
- User level 3 has access to ALL pages.

SalientAnimal Posted January 24, 2014

> So if login_check($mysqli) returns true, your problem is not in the login check. However you haven't post any other part of your code so we have no clue why the wrong pages are being displayed.

What additional page code would you like to see? I don't want to over swamp you with unnecessary code.

Mace Posted January 24, 2014 (Solution)

I'm not sure if you mean something like this, but I'll give it a try

```php
function checkLoginLevel()
{
    // Pages each level may open; true means every page.
    $allowed = array(
        '1' => array('first-page.php'),
        '2' => array('first-page.php', 'second-page.php'),
        '3' => true,
    );

    if(!isset($allowed[$_SESSION['level']])) {
        echo 'You have no login level';
        exit;
    }

    if(is_array($allowed[$_SESSION['level']])) {
        // SCRIPT_NAME rather than PHP_SELF: PHP_SELF also includes any
        // extra path text from the URL, so its last segment may not be
        // the script that is running.
        $file = $_SERVER["SCRIPT_NAME"];
        $file = explode('/', $file);
        $file = end($file);

        if(!in_array($file, $allowed[$_SESSION['level']])) {
            echo 'You are not allowed on this page';
            exit;
        }
    }

    if(is_bool($allowed[$_SESSION['level']])) {
        // you're allowed;
    }
}
```

SalientAnimal Posted January 24, 2014

That looks like what I'm looking for, going to give it a try. Would I call the function at the same time as I call the login_check function? So i.e. the opening line of my page would be:

```php
checkLoginLevel();
sec_session_start();
```

Do I add all the pages the user is allowed to access to each array?

Oh, and level 0 I want to re-direct to the info.php page. All other users just get the message saying that they are not authorized / or get allowed in (depending on their access level) to view the page.

Edited January 24, 2014 by SalientAnimal

Mace Posted January 24, 2014

Just add all the files you want to grant access to in the array $allowed.

Place this code in the function.

```php
if($_SESSION['level'] == 0) {
    header('Location:info.php');
    exit;
}
```

And I would do the session start before the checkLoginLevel.

```php
// Session first, so $_SESSION['level'] is available to the level check.
sec_session_start();
checkLoginLevel();
```

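Added example, not part of the original posts: the level check from this thread written as a deny-by-default decision function, so a missing or unknown level is refused and level 0 is sent to info.php without a redirect loop. Function names are hypothetical; the page lists are the ones posted above, and it assumes `$_SESSION['level']` holds 0 to 3 as described in the thread.

```php
<?php
// Hypothetical names; page lists follow the array posted in the thread.
// Returns 'allow', 'deny' or 'redirect' (level 0 goes to info.php).
function page_access_decision($level, $scriptName)
{
    $allowed = array(
        1 => array('first-page.php'),
        2 => array('first-page.php', 'second-page.php'),
        3 => true,                           // every page
    );
    if (!is_int($level) && !(is_string($level) && ctype_digit($level))) {
        return 'deny';                       // missing or malformed level
    }
    $level = (int) $level;
    $page = basename($scriptName);
    if ($level === 0) {                      // info.php itself must not loop
        return $page === 'info.php' ? 'allow' : 'redirect';
    }
    if (!isset($allowed[$level])) {
        return 'deny';                       // unknown level: deny by default
    }
    if ($allowed[$level] === true) {
        return 'allow';
    }
    return in_array($page, $allowed[$level], true) ? 'allow' : 'deny';
}

// Call after sec_session_start() and the login check on each page.
function enforce_page_access()
{
    $level = isset($_SESSION['level']) ? $_SESSION['level'] : null;
    // SCRIPT_NAME, not PHP_SELF, which can carry extra path text from the URL.
    $decision = page_access_decision($level, $_SERVER['SCRIPT_NAME']);
    if ($decision === 'redirect') {
        header('Location: info.php');
        exit;
    }
    if ($decision === 'deny') {
        http_response_code(403);
        exit('You are not allowed on this page');
    }
}

// Constructed cases, runnable from the command line.
$cases = array(array(0, '/first-page.php'), array('1', '/second-page.php'),
               array(2, '/second-page.php'), array(null, '/first-page.php'));
foreach ($cases as $c) {
    echo var_export($c[0], true), " $c[1] => ", page_access_decision($c[0], $c[1]), "\n";
}
```
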
SalientAnimal Posted January 24, 2014

Thanks so much for the help, this is now working really nicely. If anyone wants to see the solution code, I will be happy to post it, it's just a lot of code that I don't want to post if it isn't needed.

Thanks again.