Chrisj

Help with session_start();


The php web video script that I’m using displays a User’s profile page, by simply adding (for example) …/@UserName after the url into a browser. I tried to have a User’s profile page only display to Users who are logged into the site, by adding session code:

if(!isset($_SESSION['username'])){
   header("Location:../login");
   exit();
}

like so:

<?php
if(!isset($_SESSION['username'])){
   header("Location:../login");
   exit();
}

if (empty($_GET['id'])) {
    header("Location: " . PT_Link(''));
    exit();
}
$username = PT_Secure($_GET['id']);
$user_id  = $db->where('username', $username)->getOne(T_USERS);

$lists    = false;
if (empty($user_id)) {
    header("Location: " . PT_Link(''));
    exit();
}
$pt->page_url_ = $pt->config->site_url.'/@'.$username ;
$pt->second_page = 'videos';
if (!empty($_GET['page'])) {
    switch ($_GET['page']) {
        case 'liked-videos':
            $pt->second_page = 'liked-videos';
            break;
        case 'about':
            $pt->second_page = 'about';
            break;
        case 'play-lists':
            $pt->second_page = 'play-lists';
            $lists           = true;
            break;

    }
    $pt->page_url_ = $pt->config->site_url.'/@'.$username."?page=".$pt->second_page;
}

$user_data   = PT_UserData($user_id, array(
    'data' => true
));

etc...

but was unsuccessful. The problem is although the …/@UserName no longer displays in the browser field (and redirects to the login page) (with that additional code), once logged in, the User can’t see his Profile Page either.

I also tried adding this:

if(!isset($_SESSION['username'])){
   header("Location:../login");
   print_r($_SESSION);
   exit;
}

but I see no printed results.

I have tried this:

<?php
session_start();
if(!isset($_SESSION['username'])){
   header("Location:../login");
   exit();
}

but, when I select the drop-down menu > profile, it just seems to refresh the same page (that I'm on), and doesn't take me to the ../@chrisj profile page, as it did before I added this:

if(!isset($_SESSION['username'])){
   header("Location:../login");
   exit();
}

Also, the .htaccess file shows this:

RewriteRule ^@([^\/]+)(\/|)$  index.php?link1=timeline&id=$1 [QSA]

if that is any clue.

I went ahead and asked the developer, and he simply said:
“It's happening because file is same so no remedy for now”.
So, now I’m looking for ideas on what I might try as a work around.

just FYI - (When a user logs in it sets the $_SESSION['username'] variable, id, etc.)

I’m guessing that maybe the main page that I’m on simply refreshes (rather than redirects to the ‘Profile’ Page) is because I am (already) logged in:

if(!isset($_SESSION['username'])){
   header("Location:../login");

So, is there a solution that might instruct to say something like 'if already logged in go to @ the username’s profile page'? something like:

if (IS_LOGGED == true) {

any additional suggestions are welcomed 

 


In case it's the answer to this,

What's the rewriting rule that handles this whatever page but without the @username bit?


Thanks for your reply, but, I'd have to guess.

Maybe this:

RewriteRule ^([^\/]+)(\/|)$  index.php?link1=$1 [QSA]

or this?

RewriteRule ^v/(.*)$ index.php?v=$1 [NC,QSA]

or this?

RewriteRule ^$ index.php?link1=home [NC,QSA]

or?

 

RewriteRule ^aj/([^/.]+)/([^/.]+)/([^/.]+)/?$ ajax.php?type=$1&first=$2&second=$3 [L,QSA]

 

another bit of information, when I asked the script's developer "I want to keep the User account page from displaying in web searches... with "noindex"...", he said to use this in the html:

$pt->second_page == 'about'

I don't know if that is at all helpful.

 

Any additional suggestions are appreciated

 

 

 

5 minutes ago, Chrisj said:

Thanks for your reply, but, I'd have to guess.

How about the entire .htaccess then?


Thanks again for your reply.

Here's the .htaccess file:

 

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^$ index.php?link1=home [NC,QSA]
RewriteRule ^reset-password/([^\/]+)(\/|)$ index.php?link1=reset-password&code=$1 [NC,QSA]
RewriteRule ^confirm/(.*)/(.*)$ index.php?link1=confirm&code=$1&email=$2 [NC,QSA]
RewriteRule ^two_factor_login/$ index.php?link1=two_factor_login [NC,QSA]
RewriteRule ^two_factor_submit/$ index.php?link1=two_factor_submit [NC,QSA]

RewriteRule ^v/(.*)$ index.php?v=$1 [NC,QSA]

RewriteRule ^api/v(([0-9])([.][0-9]+))(\/|)$ api.php?v=$1 [QSA]

RewriteRule ^admin-cp$ admincp.php [NC,QSA]
RewriteRule ^admin-cp/(.*)$ admincp.php?page=$1 [NC,QSA]
RewriteRule ^admin-cdn/(.*)$ admin-panel/$1 [L]

RewriteRule ^videos/category/(.*)/rss(\/|)$ index.php?link1=videos&page=category&id=$1&feed=rss [NC,QSA]
RewriteRule ^videos/category/(.*)/(.*)$ index.php?link1=videos&page=category&id=$1&sub_id=$2 [NC,QSA]
RewriteRule ^videos/category/(.*)$ index.php?link1=videos&page=category&id=$1 [NC,QSA]
RewriteRule ^videos/(.*)/rss(\/|)$ index.php?link1=videos&page=$1&feed=rss [NC,QSA]
RewriteRule ^videos/(.*)$ index.php?link1=videos&page=$1 [NC,QSA]
RewriteRule ^articles(\/|)$ index.php?link1=articles [NC,QSA]
RewriteRule ^articles/category/(.*)(\/|)$ index.php?link1=articles&category_id=$1 [NC,QSA]
RewriteRule ^articles/read/(.*)(\/|)$ index.php?link1=read&id=$1 [NC,QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^aj/([^/.]+)/?$ ajax.php?type=$1&first=$2 [L,QSA]
RewriteRule ^aj/([^/.]+)/([^/.]+)/?$ ajax.php?type=$1&first=$2 [L,QSA]
RewriteRule ^aj/([^/.]+)/([^/.]+)/([^/.]+)/?$ ajax.php?type=$1&first=$2&second=$3 [L,QSA]
RewriteRule ^edit-video/(.*)?$ index.php?link1=edit-video&id=$1 [L,QSA]
RewriteRule ^watch/([^\/]+)(\/|)?$ index.php?link1=watch&id=$1 [L,QSA]
RewriteRule ^watch/([^\/]+)/list/([^\/]+)(\/|)?$ index.php?link1=watch&id=$1&list=$2 [L,QSA]
RewriteRule ^embed/(.*)?$ index.php?link1=embed&id=$1 [L,QSA]
RewriteRule ^resend/(.*)/(.*)?$ index.php?link1=resend&id=$1&u_id=$2 [L,QSA]
RewriteRule ^redirect/(.*)?$ index.php?link1=redirect&id=$1 [L,QSA]
RewriteRule ^settings/(.*)/(.*)$ index.php?link1=settings&page=$1&user=$2 [NC,QSA]
RewriteRule ^settings/(.*)$ index.php?link1=settings&page=$1 [NC,QSA]
RewriteRule ^terms/([^\/]+)(\/|)$  index.php?link1=terms&type=$1 [QSA]
RewriteRule ^go_pro(\/|)$  index.php?link1=go_pro [QSA]
RewriteRule ^ads(\/|)$  index.php?link1=ads [QSA]
RewriteRule ^ads/create(\/|)$  index.php?link1=create_ads [QSA]
RewriteRule ^ads/edit/(\d+)(\/|)$  index.php?link1=edit_ads&id=$1 [QSA]
RewriteRule ^ads/analytics/(\d+)(\/|)$  index.php?link1=ads_analytics&id=$1 [QSA]
RewriteRule ^contact-us(\/|)$  index.php?link1=contact [QSA]
RewriteRule ^@([^\/]+)(\/|)$  index.php?link1=timeline&id=$1 [QSA]
RewriteRule ^messages/(.*)$ index.php?link1=messages&id=$1 [NC,QSA]
RewriteRule ^view_analytics/(.*)$ index.php?link1=view_analytics&id=$1 [NC,QSA]
RewriteRule ^video_studio/(.*)$ index.php?link1=video_studio [NC,QSA]
RewriteRule ^comments/$ index.php?link1=comments [NC,QSA]
RewriteRule ^dashboard/$ index.php?link1=dashboard [NC,QSA]
RewriteRule ^popular_channels/$ index.php?link1=popular_channels [NC,QSA]
RewriteRule ^create_article/$ index.php?link1=create_article [NC,QSA]
RewriteRule ^my_articles/$ index.php?link1=my_articles [NC,QSA]
RewriteRule ^edit_articles/(.*)?$ index.php?link1=edit_articles&id=$1 [NC,QSA]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^\/]+)(\/|)$  index.php?link1=$1 [QSA]

<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/xml
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/opentype
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>
<IfModule mod_security.c>
  SecFilterScanPOST Off
</IfModule>
## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 190 days"
</IfModule>
## EXPIRES CACHING ##

# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
<IfModule php7_module>
   php_value post_max_size 2024M
   php_value upload_max_filesize 2024M
   php_value output_buffering Off
   php_value max_execution_time 4000
   php_value max_input_vars 3000
   php_value max_input_time 5000
   php_flag zlib.output_compression Off
   php_flag log_errors On
   php_value error_reporting 32767
   php_value error_log "/home/.../public_html/error_log"
</IfModule>
<IfModule lsapi_module>
   php_value post_max_size 2024M
   php_value upload_max_filesize 2024M
   php_value output_buffering Off
   php_value max_execution_time 4000
   php_value max_input_vars 3000
   php_value max_input_time 5000
   php_flag zlib.output_compression Off
   php_flag log_errors On
   php_value error_reporting 32767
   php_value error_log "/home/.../public_html/error_log"
</IfModule>
# END cPanel-generated php ini directives, do not edit

 

I look forward to any additional assistance


I don't understand any of this discussion.  But the worst part of that lack is that I don't see any usage of "session_start()" in any of the many code samples.  So my question is "What is the real problem"?  Perhaps you could just explain what you are trying to accomplish?


Thanks for your reply. Sorry for any confusion.

"session_start()" appears in my initial posting.

I'm trying to "have a User’s profile page only display to Users who are logged into the site", and not have any profile pages display in any web searches (only be available to display to logged in users).

 

any additional help is appreciated

 

Posted (edited)

So - however you accept a request from any person on your site to "see" a profile page - you need to simply check if they are signed in.  If that means they have to have a certain $_SESSION element set, then all you do is call isset() for that item, no?  What is the question about session_start all about?  Obviously every script you execute should begin like this:

	<?php
    ...
    ...
	session_start();
	
Edited by ginerjm

Posted (edited)
20 hours ago, Chrisj said:

like so:


<?php
if(!isset($_SESSION['username'])){
   header("Location:../login");
   exit();
}

if (empty($_GET['id'])) {
    header("Location: " . PT_Link(''));
    exit();
}
$username = PT_Secure($_GET['id']);
$user_id  = $db->where('username', $username)->getOne(T_USERS);

$lists    = false;
if (empty($user_id)) {
    header("Location: " . PT_Link(''));
    exit();
}
$pt->page_url_ = $pt->config->site_url.'/@'.$username ;
$pt->second_page = 'videos';
if (!empty($_GET['page'])) {
    switch ($_GET['page']) {
        case 'liked-videos':
            $pt->second_page = 'liked-videos';
            break;
        case 'about':
            $pt->second_page = 'about';
            break;
        case 'play-lists':
            $pt->second_page = 'play-lists';
            $lists           = true;
            break;

    }
    $pt->page_url_ = $pt->config->site_url.'/@'.$username."?page=".$pt->second_page;
}

$user_data   = PT_UserData($user_id, array(
    'data' => true
));

etc...

these un-commented, out of context, snippets of code, are almost useless to us. we don't know how they fit into the grand scheme of what the application is doing. if the author of the code, who does have knowledge of and access to the whole script, cannot solve this, what makes you think we can based on seeing a small part of the script? is this a free script that is available for download on the web? if someone can download this to examine or test changes on, you will get quicker and more accurate solutions to your threads.

i did get a couple of LOLs out of the above code. it has hard-coded logic testing permitted page values, that would have to be found and edited, probably in several locations, anytime a new choice is added and even though the application is using pretty urls, it is building one with a ?page=... parameter in it. the way to build urls is to produce an associative array, usually starting with a copy of the existing $_GET array, adding, removing, or modifying elements in the array, and then call a user written function that knows the rules on how to produce the actual url from the entries in this array. dynamic values being put into the url must be urlencoded so as to not accidentally break the url.

either on this forum or elsewhere, i helped you a number of times with the previous phpmotion script you were trying to use. it was written and organized very badly, making each change difficult and repetitive. while it looks like this current script is using some better implementation practices, it still appears to be just a brute-force built, hard-coded, un-commented, massive wall of code, that is difficult to make changes to. i hope you didn't spend any money on this.

edit: and here is a problem with storing the username in a session variable to indicate who is logged in. it makes it harder to allow usernames to be edited by the user and impossible if a username needs to be edited by a moderator/administrator. only the user's id (auto-increment integer primary index) should be stored in a session variable to identify who a user is. any other user information should be retrieved on each page request.

Edited by mac_gyver

19 hours ago, mac_gyver said:

$username = PT_Secure($_GET['id']);

here's another problem with the posted code. the $username value is being used in both an sql and a html/url context. the way to provide protection in each of those contexts is different, so the function could just 'look' like it works for expected values, but could be ineffective with the unexpected kind of values hackers would use.
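
The two points raised in the replies above (build URLs from an array with encoded values, and protect a value differently in the SQL, URL and HTML contexts), as an added example that is not part of the original posts or of the script under discussion. It assumes PHP 7.4+ with the pdo_sqlite extension; `find_user`, `profile_url`, `h`, `PROFILE_PAGES`, the table layout and `example.test` are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table stands in for the users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$pdo->exec("INSERT INTO users (username) VALUES ('chrisj'), ('o''brien & co')");

// SQL context: bind the raw value as a parameter; no escaping function is involved.
function find_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// URL context: percent-encode the path segment and build the query from an array.
function profile_url(string $siteUrl, string $username, array $query = []): string
{
    $url = rtrim($siteUrl, '/') . '/@' . rawurlencode($username);
    $qs  = http_build_query($query, '', '&', PHP_QUERY_RFC3986);
    return $qs === '' ? $url : $url . '?' . $qs;
}

// HTML context: escape at output time, for both attribute values and text nodes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The permitted "page" values live in one place instead of a switch per script.
const PROFILE_PAGES = ['videos', 'liked-videos', 'about', 'play-lists'];

$rawId   = "o'brien & co";  // constructed stand-in for $_GET['id']
$rawPage = 'about';         // constructed stand-in for $_GET['page']
$page    = in_array($rawPage, PROFILE_PAGES, true) ? $rawPage : 'videos';

$user = find_user($pdo, $rawId);
if ($user !== null) {
    // The same value is encoded three different ways, once per context.
    $url = profile_url('https://example.test', $user['username'], ['page' => $page]);
    echo '<a href="' . h($url) . '">' . h($user['username']) . "</a>\n";
}
```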


Rewinding a bit, and without commenting on design or code quality,

If adding the check for $_SESSION[username] isn't working then that's not where the username is being stored. If it's stored at all, of course. The session_start() is required to use $_SESSION, and checking for the username (if stored) should be sufficient to know whether the user is logged in. If the page "refreshes" then it likely means you were redirected to the login page because the check failed, but the login page properly detected you were logged in and sent you... wherever.


Much thanks for all the replies.

Regarding "the author of the code, who does have knowledge of and access to the whole script, cannot solve this", I believe he just didn't want to delve into it currently, based on his 'for now' remark. I understand that most scripts are imperfect, but I'm trying to improve this one as I go, one step at a time, and this particular issue presently.

Regarding "if adding the check for $_SESSION[username] isn't working then that's not where the username is being stored", yes, you're right, it is stored in the db > users table > 'username' column.

Regarding "the check failed, but the login page properly detected you were logged in", that makes sense, so is there a solution that could instruct:

even though the users' profile pages are blocked ( ../@username) from web searches, once a user is logged in and @username is selected, then ../@username page is available to visit/view?

 

I look forward to any additional guidance.

11 minutes ago, Chrisj said:

Regarding "if adding the check for $_SESSION[username] isn't working then that's not where the username is being stored", yes, you're right, it is stored in the db > users table > 'username' column.

...

Stored in the session. That's not where the information is being stored in the session.

11 minutes ago, Chrisj said:

even though the users' profile pages are blocked ( ../@username) from web searches, once a user is logged in and @username is selected, then ../@username page is available to visit/view?

That's the whole point of what you're trying to do, right?


from one of your previous threads on this forum -

if (IS_LOGGED == false) {
    header("Location: " . PT_Link('login'));
    exit();
}

or more simply -

if (!IS_LOGGED) {
    header("Location: " . PT_Link('login'));
    exit();
}

this of course assumes that the code producing the IS_LOGGED defined constant is consistently being used and exists before the code you have posted.

a feature like controlling who can view a certain page, like the profiles, should be part of the user permission system. does this code have a general purpose user permission system in it?

  • Like 1


Much thanks again for your replies.

It appears that when I added your:

if (!IS_LOGGED) {
    header("Location: " . PT_Link('login'));
    exit();
}

and added this code back into another file:

   <?php
    if ($pt->second_page == 'about')
   echo "<meta name='robots' content='noindex'>";
   ?>

that my goal has been reached of blocking web searches of ../@username, but having ../@username available after login.

Does that seem correct? I'm surprised.

If you suspect I don't have something correct, please let me know, but I cleared the cache and tested in chrome, firefox and bing.

I look forward to your comments.
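
The login gate discussed in this thread, as an added example that is not the script's own code: the session is started before `$_SESSION` is read, only a numeric user id is kept in the session, anonymous requests (crawlers included) are redirected, and every profile response carries a `noindex` header regardless of which sub-page is shown. The `user_id` session key, the `/login` path, the function names and the constructed user array are assumptions; PHP 7.4+ is assumed.

```php
<?php
declare(strict_types=1);

// Decide what to do with a profile request. It only reads the session array
// and returns a decision, so it can be exercised without a web server.
function gate_profile_request(array $session, callable $findUserById): array
{
    // Only the numeric id lives in the session; the rest is looked up per request.
    $id   = $session['user_id'] ?? null;              // hypothetical session key
    $user = is_int($id) ? $findUserById($id) : null;

    if ($user === null) {
        // Not logged in, or the account no longer exists: send to login.
        return ['status' => 302, 'headers' => ['Location: /login']];
    }
    return [
        'status'  => 200,
        // Header form of the robots meta tag, plus no shared caching.
        'headers' => ['X-Robots-Tag: noindex', 'Cache-Control: private, no-store'],
        'viewer'  => $user,
    ];
}

// Apply a decision to the real response; stops the script on a redirect.
function send_decision(array $decision): void
{
    http_response_code($decision['status']);
    foreach ($decision['headers'] as $line) {
        header($line);
    }
    if ($decision['status'] !== 200) {
        exit;
    }
}

// Constructed lookup standing in for the users table.
$users = [7 => ['id' => 7, 'username' => 'chrisj']];
$find  = fn(int $id): ?array => $users[$id] ?? null;

if (PHP_SAPI === 'cli') {
    // Constructed sessions: anonymous, logged in, stale id.
    foreach ([[], ['user_id' => 7], ['user_id' => 99]] as $session) {
        $d = gate_profile_request($session, $find);
        echo $d['status'], ' ', implode('; ', $d['headers']), "\n";
    }
} else {
    // session_start() must run before $_SESSION is read.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    send_decision(gate_profile_request($_SESSION, $find));
    // ... render the profile page here ...
}
```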

 

 

 
