
Unset $_SESSION set anyway?


spookztar


Hi guys,

A bit puzzled here ???

On first pageview $_SESSION['allowed'] is set and $_SESSION['disallowed'] is not. Why? This should only happen upon successful log-in.

The code appears a bit long, but it's mostly just a log-in routine with various checks. When "allowed" is set, sections should be accessible from links in the menu.

Can someone explain this behaviour to me?

Top of script:

session_start();
include 'musicart_files/music_includes/dbconnector.php';
include 'musicart_files/music_includes/musicart_functions.php';
if ($_SESSION['allowed'] = TRUE) unset($_SESSION['disallowed']);
$_SESSION['unauthorized'] = TRUE;
print_r($_SESSION);
ini_set('display_errors', '1'); // ON is not a defined constant; display_errors takes a string or int
error_reporting(E_ALL);
?>

included menu:

function menu()
{
echo "<span>";
//$link = array();
$links[1] = "Product Handling";
$links[2] = "Misc. Parameters";
$links[3] = "Statistics";
$links[4] = "Look 'n' Feel";
foreach ($links as $key => $value)
{
echo "<a href=\"".$_SERVER['PHP_SELF']."?sectionid=".$key."\">".$value."</a>";
}
echo "</span>";
}

The code:

$sectionid = (isset($_GET['sectionid']) AND is_numeric($_GET['sectionid'])) ? $_GET['sectionid'] : "failed";
$loginform = "<form method='post' action='{$_SERVER['PHP_SELF']}'>
<fieldset>
<legend>LOG-IN</legend>
<p><label>Name:</label><input name='formusername' type='text' size='15' maxlength='20' /></p>
<p><label>Password:</label><input name='formpassword' type='password' size='15' maxlength='20' /></p>
<p><input class='submit' type='submit' value='Log-in' name='login' /></p>
</fieldset>
</form>";
if ($sectionid == 1) //AND ($_SESSION['allowed'] == TRUE))
      {
      echo "<div class='adminbox'>";
      echo menu();
      echo "</div><!-- adminbox end -->";
      echo "<div class='applicationarea'>";
      echo "Welcome to section 1!";
      die("</div><!-- applicationarea end -->");
      }
if ($sectionid == 2)
      {
      echo "<div class='adminbox'>";
      echo menu();
      echo "</div><!-- adminbox end -->";
      echo "<div class='applicationarea'>";
      echo "Welcome to section 2!";
      die("</div><!-- applicationarea end -->");
      }
if ($sectionid == 3)
      {
      echo "<div class='adminbox'>";
      echo menu();
      echo "</div><!-- adminbox end -->";
      echo "<div class='applicationarea'>";
      echo "Welcome to section 3!";
      die("</div><!-- applicationarea end -->");
      }
if ($sectionid == 4)
      {
      echo "<div class='adminbox'>";
      echo menu();
      echo "</div><!-- adminbox end -->";
      echo "<div class='applicationarea'>";
      echo "Welcome to section 4!";
      die("</div><!-- applicationarea end -->");
      }
if (isset($_POST['login']))
{
$formusername = mysql_real_escape_string(strip_tags(trim($_POST['formusername'])));
$formpassword = mysql_real_escape_string(strip_tags(trim($_POST['formpassword'])));
              if (!preg_match('/[a-z]+/', $formusername) OR
                  !preg_match('/[A-Z]+/', $formusername) OR
                  !preg_match('/[0-9]+/', $formusername))
                  {
                  echo "<div class='applicationarea'>";
                  echo "<span class='warning'>FAILURE: Authentication failed. Username failed character criteria.</span>";
                  echo $loginform;
                  die("</div><!-- applicationarea end -->");
                  } 
              if (!preg_match('/[a-z]+/', $formpassword) OR
                  !preg_match('/[A-Z]+/', $formpassword) OR
                  !preg_match('/[0-9]+/', $formpassword))
                  {
                  echo "<div class='applicationarea'>";
                  echo "<span class='warning'>$formpassword FAILURE: Authentication failed. Password failed character criteria.</span>";
                  echo $loginform;
                  die("</div><!-- applicationarea end -->");
                  }
                  elseif (strlen($formusername) <5 OR strlen($formusername) >20)
                         {
                         echo "<div class='applicationarea'>";
                         echo "<span class='warning'>FAILURE: Authentication failed. Username illegal length.</span>";
                         echo $loginform;
                         die("</div><!-- applicationarea end -->");
                         }                   
                  elseif (strlen($formpassword) <8 OR strlen($formpassword) >20)
                         {
                         echo "<div class='applicationarea'>";
                         echo "<span class='warning'>FAILURE: Authentication failed. Password illegal length.</span>";
                         echo $loginform;
                         die("</div><!-- applicationarea end -->");
                         }
                      else 
                         {
                         $formpassword = md5($formpassword);
                         $formusername = md5($formusername);
//
// DB stuff below and authorization if userdata validates and matches fetched DB values.
//
$query = mysql_query("SELECT name, param FROM parameter WHERE name='siteuser' OR name='siteuserpasswd'") OR die(mysql_error());
while($row = mysql_fetch_array($query))
      {
      ${$row['name']} = $row['param']; // braces keep the variable-variable unambiguous: PHP 7+ parses $$row['name'] as ${$row}['name']
      }
   if ($siteuser !== $formusername)
      {
      echo "<div class='applicationarea'>";
      echo "<span class='warning'>FAILURE: Authentication failed. Wrong username.</span>";
      echo $loginform;
      die("</div><!-- applicationarea end -->");
      }
   if ($siteuserpasswd !== $formpassword)
      {
      echo "<div class='applicationarea'>";
      echo "<span class='warning'>FAILURE: Authentication failed. Wrong password.</span>";
      echo $loginform;
      die("</div><!-- applicationarea end -->");
      }
   if (($siteuser == $formusername) AND ($siteuserpasswd == $formpassword)) 
      {
      //$_SESSION['allowed'] = TRUE;
      echo "<div class='adminbox'>";
      echo menu();
      echo "</div><!-- adminbox end -->";
      echo "<div class='applicationarea'>";
      echo "<h1>Greetings 0' exalted one, my master!</h1>";
      die("</div><!-- applicationarea end -->");
      } 
    }
  }
else {
echo "<div class='applicationarea'>";
echo $loginform;
die("</div><!-- applicationarea end -->");
}


Thanx,

https://forums.phpfreaks.com/topic/63322-unset-_session-set-anyway/
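Added example, not part of the original post: the line `if ($_SESSION['allowed'] = TRUE)` uses a single `=`, so it assigns TRUE into the session and the assignment expression itself evaluates to TRUE. The branch therefore runs and `$_SESSION['disallowed']` is unset on every request, including the very first page view with no login. A second thing worth noting in the posted code is that the `AND ($_SESSION['allowed'] == TRUE)` part of the section checks is commented out, as is the line that would set the flag on successful login, so `?sectionid=1` reaches section 1 without any login at all. The script below reproduces the first problem with a plain array standing in for `$_SESSION`, then shows the comparison written with `===` and `isset()`, a login routine that is the only place the flag gets set, and section handlers that gate on the flag rather than on the URL parameter. The username, password, hash and section names are assumptions for the demo, there is no database, and it runs from the command line with `php example.php`.

```php
<?php
// Added example (not from the original post): why `if ($_SESSION['allowed'] = TRUE)`
// grants access on every request, beside a session-gated login that sets the flag
// only after the password verifies. Credentials and section names are assumptions
// for the demo; a plain array stands in for $_SESSION so it runs under the CLI.

declare(strict_types=1);

// --- Buggy version: mirrors the top-of-script line from the post. ---
// `=` assigns TRUE into the session and the assignment expression evaluates to TRUE,
// so the branch runs on every request, including the very first page view.
function buggyTopOfScript(array &$session): void
{
    if ($session['allowed'] = TRUE) {          // assignment, not comparison: always true
        unset($session['disallowed']);
    }
}

// --- Hardened version: compare with ===, never assign, and require the key to exist. ---
function isAllowed(array $session): bool
{
    return isset($session['allowed']) && $session['allowed'] === true;
}

// Only the login routine may set the flag, and only after both credentials verify.
// password_verify() runs in constant time; the hash would normally come from the DB
// instead of the md5() comparison the post uses.
function login(array &$session, string $user, string $pass, string $expectedUser, string $hash): bool
{
    // hash_equals() is timing-safe; one failure message for both fields avoids
    // confirming a valid username the way the post's "Wrong username" branch does.
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $hash);
    if (!($userOk && $passOk)) {
        return false;
    }
    $session = ['allowed' => true];   // drop any pre-login state
    // In a real request, call session_regenerate_id(true) here to defeat session fixation.
    return true;
}

// Every section is gated on the session flag, not on the URL parameter alone.
function section(array $session, $sectionid): string
{
    if (!isAllowed($session)) {
        return 'login form';
    }
    $sections = [1 => 'Product Handling', 2 => 'Misc. Parameters', 3 => 'Statistics', 4 => "Look 'n' Feel"];
    // FILTER_VALIDATE_INT is stricter than is_numeric(), which also accepts "1e1" and " 1".
    $id = filter_var($sectionid, FILTER_VALIDATE_INT);
    return ($id !== false && isset($sections[$id])) ? "Welcome to section $id!" : 'unknown section';
}

// --- Demo: each array below stands in for $_SESSION on one request. ---
$session = [];
buggyTopOfScript($session);
echo "buggy line, first page view, no login: allowed=", var_export($session['allowed'], true), "\n";

$session = [];
echo "hardened, first page view: ", section($session, '1'), "\n";

$hash = password_hash('Secret123', PASSWORD_DEFAULT);   // assumed demo credential
$ok = login($session, 'Admin01', 'wrongpass', 'Admin01', $hash);
echo "wrong password: login=", var_export($ok, true), ", section 1 -> ", section($session, '1'), "\n";

$ok = login($session, 'Admin01', 'Secret123', 'Admin01', $hash);
echo "correct password: login=", var_export($ok, true), ", section 2 -> ", section($session, '2'), "\n";
echo "correct password, bad id: ", section($session, '9'), "\n";
```

The separation matters for the original question: with the comparison written as `===` the top of the script can only read the flag, so the only request that ever turns `allowed` on is a successful POST of the login form, and a fresh session shows exactly what the post expected, nothing set until log-in.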

Archived

This topic is now archived and is closed to further replies.
