Last thing in Login System


sigmahokies


Hi everyone,

 

I know you have seen me post in here many times for help, but I very much appreciate those of you who have helped me. This is better than the Stack Overflow website!

 

However, I have one last thing to do in the login system. I succeeded in creating the login system: a login page, a check-login page (make sure it is you, or kill the page), then on to the restricted page, but I have a problem with the $_SESSION variable continuing to the other pages.

 

I need something that restricts access to this page by username. I don't want anyone to be able to type the address manually into the web address bar to get in. I will put the session check on all restricted pages, but it seems my login page and check-login page are working, while the check-login page cannot pass through to the restricted area (the register page, edit page, delete page, etc.). Can you help?

 

I wrote this in PHP:

 

<?php
 
require_once("require.php");
 
session_start();
 
$username = stripslashes($_POST['user']);
$password = stripslashes($_POST['pass']);
 
$username = mysqli_real_escape_string($Garydb, $username);
$password = mysqli_real_escape_string($Garydb, $password);
$log = "SELECT  username, password, type FROM username WHERE username ='".$username."' AND password = '".$password."'";
$result = mysqli_query($Garydb, $log);
 
$count = mysqli_num_rows($result);
 
if ($count == 1) {
$_SESSION['username'];
$_SESSION['passname'];
header('location:register.php');
}
else {
die(header("location:denied.php"));
}
?>
<!doctype type>
<html>
</html>
 
Then I wrote the next page, to which the SESSION variable should pass:
 
<?php
session_start();
 
if (isset($_SESSION['user']) && ($_SESSION['pass'])) {
echo "<p>you are logged in ".$_SESSION['user']."</p>";
}else
{
die("<p>You don't have permission or access to this page</p>
<p>You must log in to gain access <a href='login.php'>Return to Login page</a></p>");
}
 
?>
 
Thank you in advance.
 
Gary

 


DO NOT SET THE PASSWORD IN A SESSION NEVER EVER EVER!

 

It would also appear that you are storing plaintext passwords. VERY VERY BAD!

 

 

You are also not even setting anything at all in those session variables anyway. On top of that you keep changing the username/password names. You have FOUR variations.

 

If you had error reporting turned on like you should, you would be getting errors.

 

It seems you are hacking away at this one piece at a time. You would do well to study a few PDO login/reg systems to see how things are being done. You are not even close to doing this right.

Edited by benanamen
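As an added example of what the reply above is pointing at (this is editor-supplied code, not the poster's and not the reply's): a check-login handler that uses a PDO prepared statement instead of string concatenation, verifies the submitted password against a stored password_hash() value instead of comparing plaintext, actually assigns the session variables, and never puts the password in the session. It assumes a `$pdo` connection created in require.php, a table `users` with columns id, username, password_hash and type, and rows inserted with password_hash($plain, PASSWORD_DEFAULT); all of those names are assumptions to adapt to your own schema.

```php
<?php
// Added example (not the poster's code): checklogin.php rewritten with PDO
// prepared statements and password_verify(). Assumed: require.php defines
// $pdo; the table is `users` (id, username, password_hash, type); rows were
// stored with password_hash($plain, PASSWORD_DEFAULT). Adjust to your schema.
declare(strict_types=1);

require_once 'require.php';   // assumed to define $pdo
session_start();              // before any output, including stray whitespace

/**
 * Look up the user and verify the submitted password against the stored hash.
 * Returns the user row on success, null otherwise. The SQL never contains
 * user input: the username travels as a bound parameter.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, type FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $hash = ($row !== false)
        ? $row['password_hash']
        : password_hash('dummy-password', PASSWORD_DEFAULT);

    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }

    // Re-hash transparently if the algorithm or cost has been raised since
    // the hash was stored.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
    return $row;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: login.php');
    exit;
}

$username = (string)($_POST['user'] ?? '');
$password = (string)($_POST['pass'] ?? '');

$user = authenticate($pdo, $username, $password);
if ($user === null) {
    header('Location: denied.php');
    exit;                       // always exit after a redirect header
}

// A fresh session id at login defeats session fixation.
session_regenerate_id(true);

// Store only what later pages need: identity and role. Never the password.
$_SESSION['user_id']  = (int)$user['id'];
$_SESSION['username'] = $user['username'];
$_SESSION['type']     = $user['type'];

header('Location: register.php');
exit;
```

Two things worth noticing against the original post: the query has no quotes to escape because the value is bound rather than interpolated, and the script exits after every header('Location: ...'), so nothing after the redirect runs for an unauthenticated request.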

These two lines are doing nothing by the way

$_SESSION['username'];
$_SESSION['passname'];

If you want to store the username in the session variable then you need to assign it a value. Just like the example I have in your other topic. 

 

Password should not be stored in the session, so drop the password session variable.

 

To see if the user is logged in, all you need to do is check whether $_SESSION['username'] exists. If it does, then the user is logged in: display the web page. If it does not exist, then they are not logged in: redirect them to your login page. Your logout page should be destroying the session and unsetting the $_SESSION variables.


Hi I'm back. 

 

I succeeded in creating the denial page for when the username and password are wrong or do not exist, but I have a problem continuing the session by username (of course, I won't continue the session by password). It gets an error from a conflict between the header (redirect) and the cache. There are three pages that I am showing you now.

 

First page:

 

<!doctype html>
<html>
<head>
<title>Login System</title>
<link href="rcd.css" rel="stylesheet" type="text/css">
<link href="font.css" rel="stylesheet" type="text/css">
<link href="submit.css" rel="stylesheet" type="text/css">
</head>
<body>
<form action ="checklogin.php" method="POST">
<center>
<fieldset style='width:800px;'>
<table cellspacing="10" cellpadding="10">
<p id="font">Please Login to RCD's database</p>
<tr><td>Username:</td><td><input type="text" name="user" placeholder="Username"></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass" placeholder="Password"></td></tr>
<tr><td colspan="2" align="center"><input id="submit" type="submit" name="submitted" value="Log in"></td></tr>
</table>
</fieldset>
</center>
</form>
</body>
</html>
 
Second Page:
 
<?php
 
require_once("require.php");
 
session_start();
 
$username= stripslashes($_POST['user']);
$password = stripslashes($_POST['pass']);
 
$username = mysqli_real_escape_string($Garydb, $username);
$password = mysqli_real_escape_string($Garydb, $password);
 
$log = "SELECT  username, password, type FROM username WHERE username ='".$username."' AND password = '".$password."'";
$result = mysqli_query($Garydb, $log);
 
$count = mysqli_num_rows($result);
 
if ($count == 1) {
$_SESSION['user'];
$_SESSION['pass'];
header('location:register.php');
}
else {
die(header('location:denied.php'));
}
?>
<!doctype type>
<html>
</html>
 
Third Page: 
 
<html>
<?php
 
require_once('require.php');
 
?>
<!doctype html>
<head>
<title>Register a new member</title>
<link href="rcd.css" rel="stylesheet" type="text/css">
<link href="members.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php
session_start();
 
$_SESSION['username'] = $user;
echo "<p>You are logged as ".$user."</p>";
 
?>
 
On this third page, I get an error message:
 
Warning: session_start(): Cannot send session cache limiter - headers already sent
 
I know I must write session_start(); at the top of every PHP script, but I don't know why I get the error when I have entered the right username and password. Yet if someone types a wrong or nonexistent username and password, it goes to denied, and that works. But I get the error, and the session won't print on screen to show me as logged in. Can you help?
 
Thank you in advance.
 
Gary

What I would do is create a configuration file and call it config.php or utilities.inc.php (this is what I call mine), then stick it at the top of every page.

 

 

Then you can simply have your scripts/sessions configured in one place and you don't have to keep typing it every time. Here's my utilities.inc.php file as an example:

<?php
if ($_SERVER["SERVER_NAME"] != "localhost") {
   // $_SERVER["HTTPS"] is not set at all on a plain-HTTP request, so test for
   // "missing or off" rather than != "on" to avoid an undefined-index notice.
   if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] == "off") { // Redirect to a secure website ( https )
      header("Location: https://www.pepster.com");
      exit();
    }
}
/* Turn on error reporting */
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(-1);

/*
 * Pepster's Place : Web Design & Development
 * John R Pepp
 * Date: July 21, 2015
 * Version: 1.0 alpha
 */
date_default_timezone_set('America/Detroit'); // Set the Default Time Zone:

/* Autoloads classes using namespaces                       */
require_once "lib/website_project/website_project.inc.php";

use website_project\database\ConnectPDO as Connect;
use website_project\users\Members as Login;
use website_project\blog\Blog as Journal;

include 'connect/connect.php'; // Connection Variables:
header("Content-Type: text/html; charset=utf-8");
header('X-Frame-Options: SAMEORIGIN'); // Prevent Clickjacking:
header('X-Content-Type-Options: nosniff');
header('x-xss-protection: 1; mode=block');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
// One CSP header only: a second header() call with the same name replaces
// the first, so sending default-src and script-src as two calls would drop
// the default-src and report-uri directives.
header("Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com; report-uri /csp_report_parser");
header('X-Permitted-Cross-Domain-Policies: master-only');

/* Set length of sessions and start sessions */
$seconds = 60;
$minutes = 60;
$hours = 24;
$days = 14;
// Site-wide path, Secure (the site is HTTPS-only above) and HttpOnly so
// script cannot read the session cookie.
session_set_cookie_params($seconds * $minutes * $hours * $days, "/", "", true, true);
session_start();

/* Use $user for sessions variable */
$user = isset($_SESSION['user']) ? $_SESSION['user'] : NULL;
/* Get the current page */
$phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);

$path_parts = pathinfo($phpSelf);

$basename = $path_parts['basename']; // Use this variable for action='':
$pageName = ucfirst($path_parts['filename']);

/* PDO Connection */
$db = new Connect;
$pdo = $db->getDatabase();

$user_login = new Login($db);
$blog = new Journal($db);

function html_escape($raw_input) {
    // important! don't forget to specify ENT_QUOTES and the correct encoding
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
} 
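An added example, written for this page rather than taken from any poster, that ties together the three points made in the thread: the "headers already sent" error in the second post (session_start() must run before any byte of output, including the `<html>` line the third page prints first), the earlier reply's advice to test only for the existence of $_SESSION['username'] and to destroy the session on logout, and the reply above's pattern of one include at the top of every page. File names session.php, login.php and logout.php and the role value 'admin' are assumptions; it requires PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie().

```php
<?php
// Added example (not code from the thread): session.php, required on the
// first line of every page, before any HTML. Assumed file names: session.php,
// login.php, logout.php. Needs PHP >= 7.3 for the array-style cookie options.
declare(strict_types=1);

// Cookie flags: HttpOnly keeps document.cookie from reading the id, Secure
// keeps it off plain HTTP, SameSite=Lax stops most cross-site requests from
// carrying it. Lifetime 0 = cookie expires when the browser closes.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // set false only on a non-HTTPS dev box
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
session_start();                         // nothing has been output yet

// Idle timeout: 30 minutes without a request ends the session.
const IDLE_LIMIT = 1800;
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
    logout();   // declared below; PHP hoists top-level function declarations
}
$_SESSION['last_seen'] = time();

/** True only when a login handler has stored a username in the session. */
function is_logged_in(): bool
{
    return isset($_SESSION['username']);
}

/**
 * Call at the top of every restricted page (register.php, edit.php, ...),
 * still before any output. Optionally require a role stored at login as
 * $_SESSION['type'].
 */
function require_login(?string $required_type = null): void
{
    if (!is_logged_in()) {
        header('Location: login.php');   // valid here: no output sent yet
        exit;
    }
    if ($required_type !== null && ($_SESSION['type'] ?? '') !== $required_type) {
        http_response_code(403);
        exit('You do not have permission to view this page.');
    }
}

/** Full logout: clear the data, delete the cookie, destroy the server copy. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    header('Location: login.php');
    exit;
}

/** Escape anything from the session or database before echoing it. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// register.php then becomes, in full (the <!doctype> comes AFTER the PHP):
//   <?php require_once 'session.php'; require_login('admin'); ?>
//   <!doctype html>
//   <html><body>
//   <p>You are logged in as <?= h($_SESSION['username']) ?></p>
//   </body></html>
//
// logout.php is just:
//   <?php require_once 'session.php'; logout();
```

The ordering is the whole fix for the warning in the second post: the third page there prints `<html>` before calling session_start(), and PHP cannot add the Set-Cookie or cache-limiter headers once the body has started. Putting the include first, with no whitespace before `<?php`, means every restricted page gets the session, the guard and the redirect while headers can still be sent.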
