TapeGun007 Posted February 24, 2016 (edited)

Maybe I am going about this the wrong way, so any advice on how to do this BETTER would be greatly appreciated.

So when a sales person logs in the code is simply:

    <?php
    if($_SESSION['SalesCRMA'] !== "Admin" && $_SESSION['SalesCRMA'] !== "Owner" && $_SESSION['SalesCRMA'] !== "Moderator" && $_SESSION['SalesCRMA'] !== "Sales"){
        header('Location: http://www.mysite.com/logout.php');
    }
    ?>

I send them to the logout.php because it clears any cookies that have to do with the website.

I have an ADMIN button at the top that only shows up if an actual admin logged in. On all the Admin pages I have similar code:

    <?php
    if($_SESSION['SalesCRMA'] !== "Admin" && $_SESSION['SalesCRMA'] !== "Owner" && $_SESSION['SalesCRMA'] !== "Moderator"){
        header('Location: http://www.mysite.com/logout.php');
    }
    ?>

For some reason, when I click the ADMIN button (which just goes to admin.php), I get sent back to the login screen. However, the 2nd time I click on the ADMIN button, everything works fine for the entire day until the next morning when I have to log in twice again.

What is causing this to occur? BTW, admin.php is in a sub folder if that makes any difference.

requinix Posted February 24, 2016

Is it possible that the login code is executing after those checks?

TapeGun007 (Author) Posted February 24, 2016

I don't think so. The login page is completely separate from all other pages. Once you log in, it redirects to a page called crm.php and you can go to ANY of the pages just fine (calendar, leads, whatever), but once you click on the Admin page, it redirects to the login page again. After logging in again... then there are no issues with any of the admin pages.

Is there some sort of error checking code I can insert to see what is going on?

mac_gyver Posted February 24, 2016 (edited) [Solution]

this is a sign that the host-name/sub-domain part of the url (the www. vs no www.) is inconsistent and is changing due to the redirects and your session cookie setting for the domain isn't set to match all variations of your domain name. the php.net documentation tells you how to set it so that it does, but your code should also be consistent in the variation of your domain name that is being used.

you also need an exit; statement after the header() redirect to prevent your code on the protected page from running while the browser is requesting the target url in the redirect. this could also be the cause of unusual session operation, if the rest of your code on the page is clearing or modifying the session variables.

lacking a real permission system, you need to use in_array() to test if a value is or is not one of several possible choices. your code would end up looking like -

    // define the user types that are admins -
    $admin_types = array("Admin","Owner","Moderator");
    // test if the current user is not an admin type
    if(!in_array($_SESSION['SalesCRMA'],$admin_types)) {
        header('Location: http://www.mysite.com/logout.php');
        exit;
    }
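
The three points in the answer above (one host name, a session cookie domain that matches every variation of it, and exit; after the redirect) combined into one page bootstrap, as an added example that is not part of the original thread. CANONICAL_HOST, COOKIE_DOMAIN, the two helper names and the use of HTTPS are assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. 'SalesCRMA' and the role names
// come from the posts; the constants and function names are hypothetical.
declare(strict_types=1);

const CANONICAL_HOST = 'www.mysite.com';
const COOKIE_DOMAIN  = '.mysite.com';   // valid for www.mysite.com and mysite.com

function start_app_session(): void
{
    // Send every request to one host name so the browser always returns
    // the same session cookie, whichever URL the visitor typed.
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    if ($host !== CANONICAL_HOST) {
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }

    session_set_cookie_params([
        'lifetime' => 0,               // session cookie, gone when the browser closes
        'path'     => '/',             // also covers admin.php in a sub folder
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,            // assumes the site is served over HTTPS
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function require_role(array $allowed): void
{
    // A missing key means "not logged in" instead of an undefined-index notice.
    $role = $_SESSION['SalesCRMA'] ?? null;

    // Third argument true = strict comparison, no loose type juggling.
    if (!in_array($role, $allowed, true)) {
        header('Location: https://' . CANONICAL_HOST . '/logout.php');
        exit;                          // stop the protected page from running
    }
}

// Top of an admin page, before any output is sent:
start_app_session();
require_role(['Admin', 'Owner', 'Moderator']);
```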

requinix Posted February 24, 2016

Try dumping the $_SESSION in the Admin page where it fails the login check. Apparently something is different between the two page loads and what's in (or not) the session may explain that. If your session data isn't too complex then you can

    error_log(json_encode($_SESSION));

Or to the screen, but then the header redirect won't work (which would be fine for this).

TapeGun007 (Author) Posted February 25, 2016

mac_gyver, that was it. In the index.php page, once a person logged in and everything checked out, I redirected to crm.php instead of http://www.mysite.com/crm.php. Once I changed to the full URL, everything now works fine. I had also put in the exit; command before testing to see if that was part of the issue or not, but whatever the case it does work.