Solved

PHP - Session - log in

Posted on 2009-07-11
742 Views
Last Modified: 2013-12-13
I have a login HTML form, which logs in a user using a PHP script which creates a session (code below).  There is an if/else statement in the code that says if the login information is incorrect, then prompt the user to log in with correct information (or register, also on the same HTML form).  Else, create the session variables for username and password and go on to the next page (admin.php).
On the admin.php script, the first thing that I'm doing is starting the session and checking the variables, that they are set.  (Code below the login script.)
However, I notice that I can still access the page, even when I'm not in a session.  Any ideas on how to fix this?

Also - I have a couple of other pages, where I need to set up the same deal.  How can this be done on an .html page?

Many thanks in advance for your help.

//login script

<?php

session_start();

if (empty($_POST['username']) || empty($_POST['password'])) {
	$error = "<p>You must enter a username and password.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else if (strlen($_POST['password']) < 6 || strlen($_POST['password']) > 8) {
	$error = "<p>Your password must be between 6 and 8 characters.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else {
	// Both fields are known to be present here (checked by empty() above).
	$username = $_POST['username'];
	$password = $_POST['password'];

	$connection = mysqli_connect("localhost", "username", "password", "databasename");

	// Bind the submitted values as parameters instead of interpolating them into
	// the SQL string, so user input cannot change the structure of the query.
	$stmt = mysqli_prepare($connection, "SELECT * FROM newuser WHERE username = ? AND password = ?");
	mysqli_stmt_bind_param($stmt, "ss", $username, $password);
	mysqli_stmt_execute($stmt);
	mysqli_stmt_store_result($stmt);

	if (!(mysqli_stmt_num_rows($stmt) > 0)) {
		$error = "<p>Incorrect Login Information.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
	}
	else {
		$_SESSION['username'] = $username;
		$_SESSION['password'] = $password;
		header('Location: admin.php');
		exit; // stop here so the HTML below is not sent after the redirect header
	}

	mysqli_stmt_close($stmt);
	mysqli_close($connection);
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>PHP Login Script</title>
</head>
<body>
<font color='#a3b9cb'>
<h1 align="center">Log In</h1>
<?php
echo $error;
?>
</font>
</body>
</html>


//admin.php script

<?php

session_start();

// Only users with a username in the session may see the page body.
if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
	header("Location: logininfo.html");
}
else {

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Admin</title>
</head>
<body>
<font color='#a3b9cb'>
<?php
	echo "<h1 align='center'>Welcome to the Administrators Page</h1>";
	echo "<table align='center' bgcolor='#333333' border='2' width='800' cellpadding='2' cellspacing='2'>";
	echo "<tr><td align='center'>Please select a link below:</td></tr>";
	echo "<tr><td><a href='requestform.html'>Display Records</a></td></tr>";
	echo "<tr><td><a href='addentry.html'>Insert A Contact</a></td></tr>";
	echo "<tr><td><a href='#'>Modify an existing record</a></td></tr>";
	echo "<tr><td><a href='#'>Delete a record</a></td></tr>";
	echo "<tr><td><a href='logout.php'>Log Off</a></td></tr>";
	echo "</table>";
}
?>
</font>
</body>
</html>

Question by:techlinden
5 Comments
 
LVL 39

Accepted Solution

by:
Roger Baklund earned 500 total points
ID: 24830465
>> even when i'm not in a session

How do you know you are not in a session? How do you log out? Did you delete the session cookie?

>> How can this be done on an .html page?

It can't (except for using javascript, which can be disabled). You must use .php files to validate the session.
 

Author Comment

by:techlinden
ID: 24830491
Ah - could it be my log out page not running correctly?
Below is my logout.php page.

So all of my pages should be php pages if I want to validate the session, correct?  With the exception of my html form page which allows the user to log in.  Is that right?
<?php

session_start();

// Session is only cleared when no username is set (see the accepted answer below).
if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
	session_unset();
	session_destroy();
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Administrator PHP Script</title>
</head>
<body>
<font color='#a3b9cb'>
<h1 align="center">Log In</h1>
<?php
echo "<p>You have successfully logged out!</p>";
echo "<p>Please click <a href='logininfo.html'>here</a> to return to the Login Page.</p>";
?>
</font>
</body>
</html>
 
LVL 39

Assisted Solution

by:Roger Baklund
Roger Baklund earned 500 total points
ID: 24830642
>> So all of my pages should be php pages if I want to validate the session, correct?  

Yes.
>> With the exception of my html form page which allows the user to log in.  Is that right?

Yes, any page that does NOT need to be protected can have .html extension.

if (!isset($_SESSION['username']) || $_SESSION['username']=="") {

Here you are only destroying the session if $_SESSION['username'] is NOT set or if it is blank. Remove the if() statement, execute session_unset() and session_destroy() regardless of the existence of/value of $_SESSION['username'].
 

Author Closing Comment

by:techlinden
ID: 31656993
That did it!  I really appreciate the help!
One quick question: if I'm not in a session, I'm unable to access certain pages; it just brings me directly to the login page (via a header).  How can I create a message that says "you are not logged in", and which page does it go on: the login page?  Or the page that is directing me back to the login page?

Thanks again
 
LVL 39

Expert Comment

by:Roger Baklund
ID: 24830827
>> How can I create a message that says (you are not logged in)

Put a parameter in the redirect url, and check for this parameter on the target page. In this case the login page should be a .php page, so that you can test for the parameter:

if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
        header("Location: logininfo.php?msg=notloggedin");
        exit;
}

...and in logininfo.php fetch it like this:

<?php
  if(isset($_GET['msg']) and $_GET['msg']=='notloggedin')
    echo '<p style="color:red">You need to log in before you can access this page!</p>';
?>

I inserted an "exit;" after the redirect. This is good practice; otherwise the rest of the protected page is executed before the actual redirect is executed. You used an else-clause to prevent this, but that is easy to forget. When using exit the else-clause is not needed.
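The two fixes in this thread (the unconditional session_unset()/session_destroy() from the accepted solution, and the redirect-with-parameter plus exit from the comment above) fit naturally into one small include that every protected page requires. The following is an added example written for this page, not the asker's or Roger Baklund's code: the file name auth.php, the table newuser with a password_hash column, and the use of password_hash()/password_verify() (available from PHP 5.5) are assumptions. It also goes a little beyond the thread by deleting the session cookie on logout, which answers the "did you delete the session cookie?" question in the accepted solution, and by showing only known messages on the login page instead of echoing the URL parameter.

```php
<?php
// auth.php (assumed name): included at the top of every protected page.
// Added example for this thread; table and column names are assumptions.

session_start();

// Redirect to the login page with a message parameter and stop executing,
// so nothing of the protected page is produced when the session is missing.
function require_login(): void
{
    if (empty($_SESSION['username'])) {
        header('Location: logininfo.php?msg=notloggedin');
        exit;
    }
}

// Full logout, run unconditionally: clear the session data, expire the
// session cookie in the browser, then destroy the server-side session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Login check: prepared statement (no string interpolation of user input)
// and a stored password hash instead of a plaintext password column.
function login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM newuser WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['username'] = $username;
    return true;
}

// Text for the login page, keyed by the msg parameter: only known keys map to
// a message, so the URL value itself is never written into the HTML.
function login_message(array $get): string
{
    $messages = [
        'notloggedin' => 'You need to log in before you can access this page!',
        'loggedout'   => 'You have successfully logged out!',
    ];
    $key = $get['msg'] ?? '';
    return isset($messages[$key]) ? htmlspecialchars($messages[$key]) : '';
}
```

Usage under these assumptions: admin.php starts with `require 'auth.php'; require_login();` and needs no else-clause around its body; logout.php calls `logout();` and then redirects to logininfo.php?msg=loggedout; logininfo.php (now a .php file, as the comment above recommends) prints `login_message($_GET)` above the form. Keeping the messages in a server-side table rather than echoing `$_GET['msg']` means the redirect parameter can carry nothing but a lookup key.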
