spookztar Posted August 4, 2007 Share Posted August 4, 2007 Hi guys, a bit puzzled here ??? On first pageview $_SESSION['allowed'] is set and $_SESSION['disallowed'] is not. Why? This should only happen upon successfull log-in. The code appears a bit long, but it's mostly just a log-in routine with various checks. When "allowed" is set, sections should be accessible from links in the menu. can someone explain this behaviour to me? top of script: session_start(); include 'musicart_files/music_includes/dbconnector.php'; include 'musicart_files/music_includes/musicart_functions.php'; if ($_SESSION['allowed'] = TRUE) unset($_SESSION['disallowed']); $_SESSION['unauthorized'] = TRUE; print_r($_SESSION); ini_set('display_errors', ON); error_reporting(E_ALL); ?> included menu: function menu() { echo "<span>"; //$link = array(); $links[1] = "Product Handling"; $links[2] = "Misc. Parameters"; $links[3] = "Statistics"; $links[4] = "Look 'n' Feel"; foreach ($links as $key => $value) { echo "<a href=\"".$_SERVER['PHP_SELF']."?sectionid=".$key."\">".$value."</a>"; } echo "</span>"; } The code: $sectionid = (isset($_GET['sectionid']) AND is_numeric($_GET['sectionid'])) ? $_GET['sectionid'] : "failed"; $loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'> <fieldset> <legend>LOG-IN</legend> <p><label>Name:</label><input name='formusername' type='text' size='15' maxlength='20' /></p> <p><label>Password:</label><input name='formpassword' type='password' size='15' maxlength='20' /></p> <p><input class='submit' type='submit' value='Log-in' name='login' /></p> </fieldset> </form>"; if ($sectionid == 1) //AND ($_SESSION['allowed'] == TRUE)) { echo "<div class='adminbox'>"; echo menu(); echo "</div><!-- adminbox end -->"; echo "<div class='applicationarea'>"; echo "Welcome to section 1!"; die("</div><!-- applicationarea end -->"); } if ($sectionid == 2) { echo "<div class='adminbox'>"; echo menu(); echo "</div><!-- adminbox end -->"; echo "<div class='applicationarea'>"; echo "Welcome to section 2!"; die("</div><!-- applicationarea end -->"); } if ($sectionid == 3) { echo "<div class='adminbox'>"; echo menu(); echo "</div><!-- adminbox end -->"; echo "<div class='applicationarea'>"; echo "Welcome to section 3!"; die("</div><!-- applicationarea end -->"); } if ($sectionid == 4) { echo "<div class='adminbox'>"; echo menu(); echo "</div><!-- adminbox end -->"; echo "<div class='applicationarea'>"; echo "Welcome to section 4!"; die("</div><!-- applicationarea end -->"); } if (isset($_POST['login'])) { $formusername = mysql_real_escape_string(strip_tags(trim($_POST['formusername']))); $formpassword = mysql_real_escape_string(strip_tags(trim($_POST['formpassword']))); if (!preg_match('/[a-z]+/', $formusername) OR !preg_match('/[A-Z]+/', $formusername) OR !preg_match('/[0-9]+/', $formusername)) { echo "<div class='applicationarea'>"; echo "<span class='warning'>FAILURE: Authentication failed. Username failed character criteria.</span>"; echo $loginform; die("</div><!-- applicationarea end -->"); } if (!preg_match('/[a-z]+/', $formpassword) OR !preg_match('/[A-Z]+/', $formpassword) OR !preg_match('/[0-9]+/', $formpassword)) { echo "<div class='applicationarea'>"; echo "<span class='warning'>$formpassword FAILURE: Authentication failed. Password failed character criteria.</span>"; echo $loginform; die("</div><!-- applicationarea end -->"); } elseif (strlen($formusername) <5 OR strlen($formusername) >20) { echo "<div class='applicationarea'>"; echo "<span class='warning'>FAILURE: Authentication failed. Username illegal length.</span>"; echo $loginform; die("</div><!-- applicationarea end -->"); } elseif (strlen($formpassword) <8 OR strlen($formpassword) >20) { echo "<div class='applicationarea'>"; echo "<span class='warning'>FAILURE: Authentication failed. Password illegal length.</span>"; echo $loginform; die("</div><!-- applicationarea end -->"); } else { $formpassword = md5($formpassword); $formusername = md5($formusername); // // DB stuff below and authorization if userdata validates and matches fetched DB values. // $query = mysql_query("SELECT name, param FROM parameter WHERE name='siteuser' OR name='siteuserpasswd'") OR die(mysql_error()); while($row = mysql_fetch_array($query)) { $$row['name'] = $row['param']; } if ($siteuser !== $formusername) { echo "<div class='applicationarea'>"; echo "<span class='warning'>FAILURE: Authentication failed. Wrong username.</span>"; echo $loginform; die("</div><!-- applicationarea end -->"); } if ($siteuserpasswd !== $formpassword) { echo "<div class='applicationarea'>"; echo "<span class='warning'>FAILURE: Authentication failed. Wrong password.</span>"; echo $loginform; die("</div><!-- applicationarea end -->"); } if (($siteuser == $formusername) AND ($siteuserpasswd == $formpassword)) { //$_SESSION['allowed'] = TRUE; echo "<div class='adminbox'>"; echo menu(); echo "</div><!-- adminbox end -->"; echo "<div class='applicationarea'>"; echo "<h1>Greetings 0' exalted one, my master!</h1>"; die("</div><!-- applicationarea end -->"); } } } else { echo "<div class='applicationarea'>"; echo $loginform; die("</div><!-- applicationarea end -->"); } Thanx, Link to comment https://forums.phpfreaks.com/topic/63322-unset-_session-set-anyway/ Share on other sites More sharing options...
dbo Posted August 4, 2007 Share Posted August 4, 2007 Check out your if statement... you're assigning it a value rather than testing = is assignment operator where as == is comparison operator. Hope this helps! Link to comment https://forums.phpfreaks.com/topic/63322-unset-_session-set-anyway/#findComment-315588 Share on other sites More sharing options...
spookztar Posted August 4, 2007 Author Share Posted August 4, 2007 Thanx for your reply, dbo. That did some of it. Thanx! But how do you explain the setting of $_SESSION['allowed'] at first pageview when this happens nowhere in the script? As you can see, it's been edited out for troubleshooting purposes. Link to comment https://forums.phpfreaks.com/topic/63322-unset-_session-set-anyway/#findComment-315629 Share on other sites More sharing options...
spookztar Posted August 4, 2007 Author Share Posted August 4, 2007 Ok, $_SESSION['disallowed'] is now set at first pageview, but continues to be set after log-in. But as soon as I reload the page after login, 'disallowed' get's unset and 'allowed' get's set as it should. But why is the browserrefresh necessary to get there? Link to comment https://forums.phpfreaks.com/topic/63322-unset-_session-set-anyway/#findComment-315660 Share on other sites More sharing options...
spookztar Posted August 5, 2007 Author Share Posted August 5, 2007 None higher? Link to comment https://forums.phpfreaks.com/topic/63322-unset-_session-set-anyway/#findComment-315890 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.