techlinden (United States of America) asked:
PHP - Session - log in

I have a login html form, which logs in a user using a php script which creates a session (code below).  There is an if else statement in the code that says if the login information is incorrect - then prompt the user to log in with correct information (or register - also on the same html form).  Else - create the session variables for username and password - and go on to the next page (admin.php).
On the admin.php script - the first thing that I'm doing is starting the session and checking the variables - that they are set.  (Code below the login script).
However - I notice that I can still access the page, even when I'm not in a session.  Any ideas on how to fix this?

Also - I have a couple of other pages, where I need to set up the same deal.  How can this be done on an .html page?

Many thanks in advance for your help.

//login script
<?php
session_start();
$error = '';   // defined up front, so the echo below does not read an unset variable on success
if (empty($_POST['username']) || empty($_POST['password'])) {
	$error = "<p>You must enter a username and password.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else if (strlen($_POST['password']) < 6 || strlen($_POST['password']) > 8) {
	$error = "<p>Your password must be between 6 and 8 characters.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else {
	$username = $_POST['username'];   // both are known to be set here (checked above)
	$password = $_POST['password'];

	$connection = mysqli_connect("localhost", "username", "password", "databasename");
	// the submitted values are interpolated straight into the SQL text and compared
	// against a plaintext password column (injectable, and passwords are not hashed)
	$query = "SELECT * FROM newuser WHERE username = '$username' AND password = '$password'";
	$result = mysqli_query($connection, $query);

	if (!(mysqli_num_rows($result) > 0)) {
		$error = "<p>Incorrect Login Information.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
	}
	else {
		$_SESSION['username'] = $username;
		$_SESSION['password'] = $password;   // the password itself is not needed in the session
		header('Location: admin.php');       // no exit here: the HTML below is still sent after the redirect header
	}

	mysqli_close($connection);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>PHP Login Script</title>
</head>
<body>
<font color='#a3b9cb'>
<h1 align="center">Log In</h1>
<?php
echo $error;
?>
</font>
</body>
</html>
 
 
 
//admin.php script
<?php
session_start();
if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
	header("Location: logininfo.html");
}
else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Admin</title>
</head>
<body>
<font color='#a3b9cb'>
<?php
	echo "<h1 align='center'>Welcome to the Administrators Page</h1>";
	echo "<table align='center' bgcolor='#333333' border='2' width='800' cellpadding='2' cellspacing='2'>";
	echo "<tr><td align='center'>Please select a link below:</td></tr>";
	echo "<tr><td><a href='requestform.html'>Display Records</a></td></tr>";
	echo "<tr><td><a href='addentry.html'>Insert A Contact</a></td></tr>";
	echo "<tr><td><a href='#'>Modify an existing record</a></td></tr>";
	echo "<tr><td><a href='#'>Delete a record</a></td></tr>";
	echo "<tr><td><a href='logout.php'>Log Off</a></td></tr>";
	echo "</table>";
}   // end of the else-clause: the closing tags below are sent even in the redirect case
?>
</font>
</body>
</html>

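As an added example (not the asker's code, nor any answerer's), here is the login handler above rewritten the way a reviewer would want it: the username is bound as a prepared-statement parameter instead of being spliced into the SQL, the password is checked with password_verify() against a hash, the session id is regenerated on login, only the identity is kept in the session, and the script exits after the redirect. It assumes a `password_hash` column in `newuser` (filled with password_hash() at registration; the asker's table holds plaintext passwords) and that the login form has been moved to logininfo.php.

```php
<?php
// Added example, not the asker's code. Hardened login handler: prepared statement,
// hashed passwords, fresh session id, and exit after the redirect.
// Assumed: `newuser` has a `password_hash` column holding password_hash() output
// (written at registration), and the login form lives in logininfo.php.
session_start();

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$error    = '';   // always defined, so the template below never reads an unset variable

if ($username === '' || $password === '') {
    $error = 'You must enter a username and password.';
} else {
    $db = new mysqli('localhost', 'username', 'password', 'databasename');
    // The username travels as a bound parameter, never spliced into the SQL text,
    // so quotes or comment sequences in it cannot change the query.
    $stmt = $db->prepare('SELECT password_hash FROM newuser WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such user
    $stmt->close();
    $db->close();

    // password_verify() compares against the stored hash in constant time.
    if ($row !== null && password_verify($password, $row['password_hash'])) {
        session_regenerate_id(true);        // new id on login: defeats session fixation
        $_SESSION['username'] = $username;  // keep the identity only, never the password
        header('Location: admin.php');
        exit;                               // nothing after a redirect may run or be sent
    }
    // One message for unknown user and wrong password: no username enumeration.
    $error = 'Incorrect login information.';
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>PHP Login Script</title></head>
<body>
<h1>Log In</h1>
<?php if ($error !== ''): ?>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?>
   Click <a href="logininfo.php">here</a> to return to the previous page.</p>
<?php endif; ?>
</body>
</html>
```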

ASKER CERTIFIED SOLUTION
Roger Baklund (Norway)

techlinden (ASKER)

Ah - could it be my log out page not running correctly?
Below is my logout.php page.

So all of my pages should be php pages if I want to validate the session, correct?  With the exception of my html form page which allows the user to log in.  Is that right?
<?php
session_start();
// note: this condition only holds when NO user is in the session, so for a
// logged-in user the session is left untouched and nothing is destroyed
if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
	session_unset();
	session_destroy();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Administrator PHP Script</title>
</head>
<body>
<font color='#a3b9cb'>
<h1 align="center">Log In</h1>
<?php
echo "<p>You have successfully logged out!</p>";
echo "<p>Please click <a href='logininfo.html'>here</a> to return to the Login Page.</p>";
?>
</font>
</body>
</html>

That did it!  I really appreciate the help!
One quick question - if I'm not in a session - I'm unable to access certain pages - it just brings me directly to the login page (via a header).  How can I create a message that says (you are not logged in) - and which page does it go on - the login page?  Or the page that is directing me back to the login page?

Thanks again
>> How can I create a message that says (you are not logged in)

Put a parameter in the redirect url, and check for this parameter on the target page. In this case the login page should be a .php page, so that you can test for the parameter:

if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
        header("Location: logininfo.php?msg=notloggedin");
        exit;
}

..and in logininfo.php fetch it like this:

<?php
  if(isset($_GET['msg']) and $_GET['msg']=='notloggedin')
    echo '<p style="color:red">You need to log in before you can access this page!</p>';
?>

I inserted an "exit;" after the redirect. This is good practice, otherwise the rest of the protected page is executed before the actual redirect is executed. You used an else-clause to prevent this, which is easy to forget. When using exit the else-clause is not needed.
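Pulling the answer's redirect-plus-exit check, the ?msg= message on the login page, and a logout that actually clears the session into one include is the usual way to protect every page without repeating the check. The block below is an added example, not the answerer's code; the file name auth.php, the function names and the msg values are assumptions, and the login page is assumed to have become logininfo.php as the answer recommends.

```php
<?php
// Added example, not the answerer's code: auth.php, included by every protected page.
// File and function names and the msg values are assumptions. Usage:
//   admin.php starts with   require __DIR__ . '/auth.php'; require_login();
//   logout.php is just      require __DIR__ . '/auth.php'; logout();
//   logininfo.php (the login form, now a .php page) calls show_login_message();
function start_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) { return; }
    session_set_cookie_params([
        'httponly' => true,                      // cookie not readable from JavaScript
        'samesite' => 'Lax',                     // not sent on cross-site POST requests
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}
// Send anonymous visitors to the login page and STOP. Without exit, PHP keeps running
// and the protected page's HTML is sent right after the Location header.
function require_login(): void {
    start_session();
    if (empty($_SESSION['username'])) {
        header('Location: logininfo.php?msg=notloggedin');
        exit;
    }
}
// Map the parameter to fixed text instead of echoing it, so a crafted ?msg= value
// can never put markup into the login page.
function show_login_message(): void {
    $messages = [
        'notloggedin' => 'You need to log in before you can access this page!',
        'loggedout'   => 'You have successfully logged out!',
    ];
    $msg = $_GET['msg'] ?? '';
    if (isset($messages[$msg])) {
        echo '<p style="color:red">' . htmlspecialchars($messages[$msg], ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
// Always clear the session (the asker's logout.php only destroyed it when no user was
// logged in) and expire the cookie, so the old session id leaves the browser too.
function logout(): void {
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: logininfo.php?msg=loggedout');
    exit;
}
```

Because require_login() exits on failure, the protected page needs no else-clause around its HTML, which is exactly the simplification the answer describes.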