Authorization Session issues

[monstaface]

I am creating seperate logins for users and once my staff have logged in the pages they have access too are not visible to other users however if the users find the URL and type it in they can still view the link. 

I then created a session to fix this issue with the following code:

session_start();
include ("db.php");
if(!isset($_SESSION['sId']))
    die("Access not allowed ");

However now even if a staff member is logged into the system I still receive the following statement when they attempt to access the page:

'Access not allowed '

 

In the getlogin page I also placed this line of code :

 

session_start();
include("db.php");
$_SESSION['sId'];

How can I fix this? Thanks in advance for your help

 

[Ch0cu3r]

$_SESSION['sId']; will do nothing. If you want to set the sId session varibale you will need to assign it a value, what that value is is upto. 

[monstaface]

Sorry could you elaborate on what you mean with an example? 

[davidannis]

You need to set a value when they successfully log in something like this

if ($user_name==$db_user_name && $pass==$db_pass){ //or whatever your successful login logic is
      $_SESSION['status']=logged_in ;
}else{
       echo 'Wrong username / password';
}

Then you can check on your page that requires a log in.

if (!isset$_SESSION['status']) || $_SESSION['status']!='logged_in'){
 die ('you need to be logged in');
}

Of course, these are code segments. You still need session_start()

[monstaface]

It worked thank you everyone! 

Edited April 16, 2014 by monstaface

[Ch0cu3r]

$SESSION should be $_SESSION (starts with an underscore)

 

Also make sure you have started the session at the top of your getstaff page

 

You should also be sanitizing your user input before using it in your query

$email = mysql_real_escape_string($_POST['l_email']);

Passwords should be hashed not stored as plain text in the database

Edited April 16, 2014 by Ch0cu3r

[monstaface]

^Thanks I fixed the mistake and i am sanitizing my user input right now! 

[davidannis]

Passwords should be hashed not stored as plain text in the database

 

and they should be salted (combined with some arbitrary text, preferably a different value for each record) before they are hashed. That makes it hard to run a dictionary attack against a set of hashed passwords.

 

[monstaface]

^Thanks i'll look into this now

 

Also I wanted to create a link in my header where staff members can logout of the system. In the Places I have searched for how to proceed I have been told that the only code required would be: 

<?php
session_start();
session_destroy();
?>

Is this the correct method?

[Jacques1]

No. A session consists of three different things: a session file on the server, the $_SESSION array in the current PHP process, and a session cookie in the user's browser. To properly terminate a session, you need to clear all three things.

 

The PHP manual explains exactly how to do that.