Jump to content

Allow 2 logged in users to view page


grucker
 Share

Go to solution Solved by Ch0cu3r,

Recommended Posts

On many pages I have the code

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'])){
header("Location: /index.php");
}

This allows a logged on viewer to see the many pages.

Trouble is I now would like another person to log in to view just one page.

Imagine the if should have an elseif but I struggle to get it to work.

Any help please

Link to comment
Share on other sites

That's a pretty archaic way of handling users.  Ideally, you'd have a User table in a database that contains their login name and a hashed version (never, ever, EVER the plaintext version) of their password.  When they log into the system, you'd check the data they entered against the data that's in the database.  If it matches, you then set a flag (it could be something as simple as $_SESSION['loggedIn'] = true;) that you pass from page to page.

 

If you need to limit what logged in users can see based on their access level, simply add that info to the database and pass that around as well (something like $_SESSION['accessLevel'] = 'admin';).  Then you can simply check if they're logged in and if they're at the proper access level to view the page.

Link to comment
Share on other sites

That's a pretty archaic way of handling users.  Ideally, you'd have a User table in a database that contains their login name and a hashed version (never, ever, EVER the plaintext version) of their password.  When they log into the system, you'd check the data they entered against the data that's in the database.  If it matches, you then set a flag (it could be something as simple as $_SESSION['loggedIn'] = true;) that you pass from page to page.

 

If you need to limit what logged in users can see based on their access level, simply add that info to the database and pass that around as well (something like $_SESSION['accessLevel'] = 'admin';).  Then you can simply check if they're logged in and if they're at the proper access level to view the page.

You are perfectly correct. There is no database and the information to be viewed is not earth shattering, just test reports from boring electrical equipment. At the mo I send different users to different pages and the one who is just supposed to see one would have to know the names of the other pages to see more. I just wondered If it was possible.

Link to comment
Share on other sites

I know what I mean I just find it difficult to explain without breaking the rules.
session_start();
if($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "******";
header("Location: ../accounts/AINSCOUGH/location.php");
}

elseif($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "******";
header("Location:../accounts/AINSCOUGH/SiteName/Teesside/showfolders.php");
}

Are the 2 users. I can make either the only one able to see the page by changing $_SESSION['pswd']to eg. twit and then
on the page
session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'])){
header("Location: /index.php");
}

Change pswd to twit which allows, only the one allowed to see one page.
I just wanted both to see this page and leave the original code on the other pages to only allow pass word ***** to see the pages. Is that more explanatory?

Edited by KevinM1
Link to comment
Share on other sites

Okay, first, some tips:

1. NEVER post sensitive info on a public forum like this one. I took the liberty of editing out the passwords in your post above, but, yeah, not smart.

2. Why are you passing a user's name and password through sessions? All you need to know is the user, right? Each user should have their own account. Successful login should set a flag that says "I'm logged in as Bob," or "I'm logged in as Suzie." Passing their passwords around, especially in a non-hashed plaintext (meaning, exactly what they enter into the system) is both unnecessary and dangerous from a security standpoint. You might think, "Well, this is a small site... who would ever see it?" But, small sites are perfect targets for bad guys because they tend to have bad security. And since most people still use the same password for everything in their lives, a security hole on your site could eventually mean someone having their identity stolen.

3. Why are you checking for a certain usr/pswd combo only to reassign it with the same exact data immediately afterward? The:
 

$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "*****";

Portions are completely unnecessary.

 

---

From what I can see, you've written yourself into a corner. Your current system is inflexible. Yeah, you could hack at it, with a bunch of if/else conditionals to make it 'work' (and you could), but that wouldn't really be addressing the underlying problem.

I suggest that you rebuild it so it's flexible and secure. Look at my first reply: that tells you the general approach you should take. If you need any help on any particular part of it, we'll be here. And while that's likely not what you wanted to hear, it's really the best way to go for you and your employer. I simply can't, as a web professional, give you a way to proceed with your current code in good conscience.

Link to comment
Share on other sites

How about something like this:

session_start();
if($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "******";
$_SESSION['type']="this";
header("Location: ../accounts/AINSCOUGH/location.php");
}

elseif($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "******";
$_SESSION['type']="that";
header("Location:../accounts/AINSCOUGH/SiteName/Teesside/showfolders.php");
}

Then on pages you want anyone to see:

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'])){
header("Location: /index.php");
}

but on those you want to restrict only to users of type "this" (or "that")

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'] || $_SESSION['type']!="this")){// change this to that if you want to require users of type that
header("Location: /index.php");
}
Link to comment
Share on other sites

Okay, first, some tips:

 

1. NEVER post sensitive info on a public forum like this one. I took the liberty of editing out the passwords in your post above, but, yeah, not smart.

 

2. Why are you passing a user's name and password through sessions? All you need to know is the user, right? Each user should have their own account. Successful login should set a flag that says "I'm logged in as Bob," or "I'm logged in as Suzie." Passing their passwords around, especially in a non-hashed plaintext (meaning, exactly what they enter into the system) is both unnecessary and dangerous from a security standpoint. You might think, "Well, this is a small site... who would ever see it?" But, small sites are perfect targets for bad guys because they tend to have bad security. And since most people still use the same password for everything in their lives, a security hole on your site could eventually mean someone having their identity stolen.

 

3. Why are you checking for a certain usr/pswd combo only to reassign it with the same exact data immediately afterward? The:

 

$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "*****";

Portions are completely unnecessary.

 

---

 

From what I can see, you've written yourself into a corner. Your current system is inflexible. Yeah, you could hack at it, with a bunch of if/else conditionals to make it 'work' (and you could), but that wouldn't really be addressing the underlying problem.

 

I suggest that you rebuild it so it's flexible and secure. Look at my first reply: that tells you the general approach you should take. If you need any help on any particular part of it, we'll be here. And while that's likely not what you wanted to hear, it's really the best way to go for you and your employer. I simply can't, as a web professional, give you a way to proceed with your current code in good

Once again I agree with you. If I was updating these files I would follow your instruction. Unfortunately these accounts and files are updated by non it office staff. This method was the easiest method for them all to understand. I have taken your advice and removed

$_SESSION['usr'] = "AINSCOUGH";

$_SESSION['pswd'] = "*****";

Thanks for your help

Link to comment
Share on other sites

 

How about something like this:

session_start();
if($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "******";
$_SESSION['type']="this";
header("Location: ../accounts/AINSCOUGH/location.php");
}

elseif($_REQUEST['usr']=="AINSCOUGH" && $_REQUEST['pswd']=="*****"){
$_SESSION['usr'] = "AINSCOUGH";
$_SESSION['pswd'] = "******";
$_SESSION['type']="that";
header("Location:../accounts/AINSCOUGH/SiteName/Teesside/showfolders.php");
}

Then on pages you want anyone to see:

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'])){
header("Location: /index.php");
}

but on those you want to restrict only to users of type "this" (or "that")

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'] || $_SESSION['type']!="this")){// change this to that if you want to require users of type that
header("Location: /index.php");
}

I have tried this code. It appears to be almost what I require.

Two things, I had to change

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd'] || $_SESSION['type']!="this")){

header("Location: /index.php");

}

To

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || $_SESSION['type']!="this"){

header("Location: /index.php");

}

I only point this out for anyone else who may try it.

Secondly, the code for multi viewrs is fine but I really need a code so only "this" and "that" can see the page and not "other"

 

Thanks ever so much for your help

 

Link to comment
Share on other sites

I wrote this

session_start();
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || $_SESSION['type']!="this")
if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || $_SESSION['type']!="that")
{
header("Location: /index.php");
}

It seems to work and only allows the 2 users to view the page. Is the code written correctly?

If so I can mark it solved

Edited by grucker
Link to comment
Share on other sites

  • Solution

Your if statement could be rewritten as

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || ($_SESSION['type']!="this" || $_SESSION['type']!="that"))
{
    header("Location: /index.php");
}

// Or as
$allowedTypes = array('this', 'that');

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || !in_array($_SESSION['type'], $allowedTypes))
{
    header("Location: /index.php");
}
Link to comment
Share on other sites

 

Your if statement could be rewritten as

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || ($_SESSION['type']!="this" || $_SESSION['type']!="that"))
{
    header("Location: /index.php");
}

// Or as
$allowedTypes = array('this', 'that');

if(!isset($_SESSION['usr']) || !isset($_SESSION['pswd']) || !in_array($_SESSION['type'], $allowedTypes))
{
    header("Location: /index.php");
}

Thefirst didn't work but the array did, Thanks. Regarding earlier post.

$_SESSION['usr'] = "AINSCOUGH";

$_SESSION['pswd'] = "*****";

 

I had to readd this didnt work without it on the linux server

Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.