monstaface Posted April 16, 2014 Share Posted April 16, 2014 I am creating seperate logins for users and once my staff have logged in the pages they have access too are not visible to other users however if the users find the URL and type it in they can still view the link. I then created a session to fix this issue with the following code: session_start(); include ("db.php"); if(!isset($_SESSION['sId'])) die("Access not allowed "); However now even if a staff member is logged into the system I still receive the following statement when they attempt to access the page: 'Access not allowed ' In the getlogin page I also placed this line of code : session_start(); include("db.php"); $_SESSION['sId']; How can I fix this? Thanks in advance for your help Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/ Share on other sites More sharing options...
Ch0cu3r Posted April 16, 2014 Share Posted April 16, 2014 $_SESSION['sId']; will do nothing. If you want to set the sId session varibale you will need to assign it a value, what that value is is upto. Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476381 Share on other sites More sharing options...
monstaface Posted April 16, 2014 Author Share Posted April 16, 2014 Sorry could you elaborate on what you mean with an example? Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476383 Share on other sites More sharing options...
Solution davidannis Posted April 16, 2014 Solution Share Posted April 16, 2014 You need to set a value when they successfully log in something like this if ($user_name==$db_user_name && $pass==$db_pass){ //or whatever your successful login logic is $_SESSION['status']=logged_in ; }else{ echo 'Wrong username / password'; } Then you can check on your page that requires a log in. if (!isset$_SESSION['status']) || $_SESSION['status']!='logged_in'){ die ('you need to be logged in'); } Of course, these are code segments. You still need session_start() Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476384 Share on other sites More sharing options...
monstaface Posted April 16, 2014 Author Share Posted April 16, 2014 (edited) It worked thank you everyone! Edited April 16, 2014 by monstaface Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476389 Share on other sites More sharing options...
Ch0cu3r Posted April 16, 2014 Share Posted April 16, 2014 (edited) $SESSION should be $_SESSION (starts with an underscore) Also make sure you have started the session at the top of your getstaff page You should also be sanitizing your user input before using it in your query $email = mysql_real_escape_string($_POST['l_email']); Passwords should be hashed not stored as plain text in the database Edited April 16, 2014 by Ch0cu3r Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476390 Share on other sites More sharing options...
monstaface Posted April 16, 2014 Author Share Posted April 16, 2014 ^Thanks I fixed the mistake and i am sanitizing my user input right now! Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476391 Share on other sites More sharing options...
davidannis Posted April 16, 2014 Share Posted April 16, 2014 Passwords should be hashed not stored as plain text in the database and they should be salted (combined with some arbitrary text, preferably a different value for each record) before they are hashed. That makes it hard to run a dictionary attack against a set of hashed passwords. Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476399 Share on other sites More sharing options...
monstaface Posted April 16, 2014 Author Share Posted April 16, 2014 ^Thanks i'll look into this now Also I wanted to create a link in my header where staff members can logout of the system. In the Places I have searched for how to proceed I have been told that the only code required would be: <?php session_start(); session_destroy(); ?> Is this the correct method? Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476402 Share on other sites More sharing options...
Jacques1 Posted April 16, 2014 Share Posted April 16, 2014 No. A session consists of three different things: a session file on the server, the $_SESSION array in the current PHP process, and a session cookie in the user's browser. To properly terminate a session, you need to clear all three things. The PHP manual explains exactly how to do that. Quote Link to comment https://forums.phpfreaks.com/topic/287820-authorization-session-issues/#findComment-1476409 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.