sigmahokies Posted November 17, 2015

Hi everyone, I know you have seen me post here many times asking for help, but I very much appreciate those of you who helped me. This is better than the Stack Overflow website! However, I have one last thing to do in the login system. I succeeded in creating the login system (login page, check-login page that makes sure it is you or kills the page, then on to the restricted page), but I have a problem with the $_SESSION variable continuing to the other pages. I need something that restricts access to this page to the username. I don't want anyone to type the address manually into the web address bar to get access; I will label the session on all restricted pages. My login page and check-login page seem to be working, but the check-login page could not pass to the restricted area (pass to the register page, edit page, delete page, etc.). Can you help? I wrote this in PHP:

<?php
require_once("require.php");
session_start();
$username = stripslashes($_POST['user']);
$password = stripslashes($_POST['pass']);
$username = mysqli_real_escape_string($Garydb, $username);
$password = mysqli_real_escape_string($Garydb, $password);
$log = "SELECT username, password, type FROM username WHERE username ='".$username."' AND password = '".$password."'";
$result = mysqli_query($Garydb, $log);
$count = mysqli_num_rows($result);
if ($count == 1) {
    $_SESSION['username'];
    $_SESSION['passname'];
    header('location:register.php');
} else {
    die(header("location:denied.php"));
}
?>
<!doctype type>
<html>
</html>

Then I wrote this on the next page, to which the SESSION variable should pass:

<?php
session_start();
if (isset($_SESSION['user']) && ($_SESSION['pass'])) {
    echo "<p>you are logged in ".$_SESSION['user']."</p>";
} else {
    die("<p>You don't have permission or access to this page</p> <p>You must log in to gain access <a href='login.php'>Return to Login page</a></p>");
}
?>

Thank you in advance. Gary
benanamen Posted November 17, 2015 (edited)

DO NOT SET THE PASSWORD IN A SESSION. NEVER EVER EVER! It would also appear that you are storing plaintext passwords. VERY VERY BAD! You are also not even setting anything at all to those sessions anyway. On top of that you keep changing the username/password names. You have FOUR variations. If you had error reporting turned on like you should, you would be getting errors. It seems you are hacking away at this one piece at a time. You would do well to study a few PDO login/reg systems to see how things are being done. You are not even close to doing this right.

Edited November 17, 2015 by benanamen
sigmahokies Posted November 17, 2015 (Author, edited)

Ok ok, you don't have to make the font size bigger, ok? I am going to remove the password from the session... Done, removed.

Edited November 17, 2015 by sigmahokies
Ch0cu3r Posted November 17, 2015

These two lines are doing nothing, by the way:

$_SESSION['username'];
$_SESSION['passname'];

If you want to store the username in the session variable then you need to assign it a value, just like the example I have in your other topic. The password should not be stored in the session, so drop the password session variable.

To see if the user is logged in, all you need to do is check whether $_SESSION['username'] exists. If it does, then the user is logged in; display the webpage. If it does not exist, then they are not logged in; redirect them to your login page. Your logout page should be destroying the session and unsetting the $_SESSION variables.
sigmahokies Posted November 18, 2015 (Author)

Hi, I'm back. I succeeded in creating the denial page for when the username and password are wrong or don't exist, but I have a problem continuing the session by username (of course, I won't continue the session by password). It gets an error when it conflicts with the header (redirect) and cache. There are three pages that I am showing you now.

First page:

<!doctype html>
<html>
<head>
<title>Login System</title>
<link href="rcd.css" rel="stylesheet" type="text/css">
<link href="font.css" rel="stylesheet" type="text/css">
<link href="submit.css" rel="stylesheet" type="text/css">
</head>
<body>
<form action ="checklogin.php" method="POST">
<center>
<fieldset style='width:800px;'>
<table cellspacing="10" cellpadding="10">
<p id="font">Please Login to RCD's database</p>
<tr><td>Username:</td><td><input type="text" name="user" placeholder="Username"></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass" placeholder="Password"></td></tr>
<tr><td colspan="2" align="center"><input id="submit" type="submit" name="submitted" value="Log in"></td></tr>
</table>
</fieldset>
</center>
</form>
</body>
</html>

Second page:

<?php
require_once("require.php");
session_start();
$username = stripslashes($_POST['user']);
$password = stripslashes($_POST['pass']);
$username = mysqli_real_escape_string($Garydb, $username);
$password = mysqli_real_escape_string($Garydb, $password);
$log = "SELECT username, password, type FROM username WHERE username ='".$username."' AND password = '".$password."'";
$result = mysqli_query($Garydb, $log);
$count = mysqli_num_rows($result);
if ($count == 1) {
    $_SESSION['user'];
    $_SESSION['pass'];
    header('location:register.php');
} else {
    die(header('location:denied.php'));
}
?>
<!doctype type>
<html>
</html>

Third page:

<html>
<?php require_once('require.php'); ?>
<!doctype html>
<head>
<title>Register a new member</title>
<link href="rcd.css" rel="stylesheet" type="text/css">
<link href="members.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php
session_start();
$_SESSION['username'] = $user;
echo "<p>You are logged as ".$user."</p>";
?>

On this third page, I get an error message: Warning: session_start(): Cannot send session cache limiter - headers already sent. I know I must write session_start(); at the top of every PHP script, but I don't know why I get the error when I have entered the right username and password. Yet if someone types a wrong or nonexistent username and password, they go to denied, and that works. But I got the error, and the session won't print on screen to show you as logged in. Can you help? Thank you in advance. Gary
sigmahokies Posted November 18, 2015 (Author)

I can't edit what I said above. I am trying to protect this third page from manual entry of the web address by using a session, but session_start(); just gives an error. Thanks again, Gary
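Pulling together Ch0cu3r's advice (assign the username to the session, check only for its existence on restricted pages, destroy the session on logout) and the "headers already sent" problem in the post above, here is an added example; it is not code from anyone in this thread. It assumes the thread's `username` table and column names, a mysqli handle like the thread's $Garydb created in require.php, and that stored passwords are password_hash() values rather than plaintext, as benanamen recommends.

```php
<?php
// auth.php: include this as the very first line of every page, before any
// HTML output, or session_start() fails with "headers already sent".
// Assumes: a `username` table with columns username, password, type, where
// password holds a password_hash() value (never plaintext), and a mysqli
// handle such as the thread's $Garydb created in require.php.
declare(strict_types=1);

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Check the credentials and, on success, store only the username.
function login_user(mysqli $db, string $user, string $pass): bool
{
    // Prepared statement: the input is bound, never pasted into the SQL,
    // so mysqli_real_escape_string() is unnecessary here.
    $stmt = $db->prepare('SELECT password FROM username WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($pass, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);   // new session id after login (anti-fixation)
    $_SESSION['username'] = $user; // the assignment the original code omits
    return true;
}

// Call at the top of register.php, edit.php, delete.php and so on.
function require_login(): void
{
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');
        exit; // header() alone does not stop the script from rendering
    }
}

// logout.php: clear the data, drop the cookie, destroy the server-side session.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
```

checklogin.php then reduces to: require 'auth.php', redirect to register.php when login_user($Garydb, $_POST['user'] ?? '', $_POST['pass'] ?? '') returns true and to denied.php otherwise, calling exit after each header().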
Strider64 Posted November 18, 2015

What I would do is create a configuration file, call it config.php or utilities.inc.php (this is what I call mine), then stick it at the top of every page. Then you can simply have scripts/sessions configured and you don't have to keep typing it every time. Here's my utilities.inc.php file as an example:

<?php
if ($_SERVER["SERVER_NAME"] != "localhost") {
    if ($_SERVER["HTTPS"] != "on") {
        // Redirect to a secure website ( https )
        header("Location: https://www.pepster.com");
        exit();
    }
}

/* Turn on error reporting */
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(-1);

/*
 * Pepster's Place : Web Design & Development
 * John R Pepp
 * Date: July 21, 2015
 * Version: 1.0 alpha
 */

date_default_timezone_set('America/Detroit'); // Set the Default Time Zone:

/* Autoloads classes using namespaces */
require_once "lib/website_project/website_project.inc.php";

use website_project\database\ConnectPDO as Connect;
use website_project\users\Members as Login;
use website_project\blog\Blog as Journal;

include 'connect/connect.php'; // Connection Variables:

header("Content-Type: text/html; charset=utf-8");
header('X-Frame-Options: SAMEORIGIN'); // Prevent Clickjacking:
header('X-Content-Type-Options: nosniff');
header('x-xss-protection: 1; mode=block');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
header("content-security-policy: default-src 'self'; report-uri /csp_report_parser");
header("content-security-policy: script-src 'self' https://apis.google.com");
header('X-Permitted-Cross-Domain-Policies: master-only');

/* Set length of sessions and start sessions */
$seconds = 60;
$minutes = 60;
$hours = 24;
$days = 14;
session_set_cookie_params($seconds * $minutes * $hours * $days, "");
session_start();

/* Use $user for sessions variable */
$user = isset($_SESSION['user']) ? $_SESSION['user'] : NULL;

/* Get the current page */
$phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);
$path_parts = pathinfo($phpSelf);
$basename = $path_parts['basename']; // Use this variable for action='':
$pageName = ucfirst($path_parts['filename']);

/* PDO Connection */
$db = new Connect;
$pdo = $db->getDatabase();
$user_login = new Login($db);
$blog = new Journal($db);

function html_escape($raw_input) {
    // important! don't forget to specify ENT_QUOTES and the correct encoding
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}