techlinden
asked on
PHP - Session - log in
I have a login HTML form, which logs in a user using a PHP script which creates a session (code below). There is an if/else statement in the code that says if the login information is incorrect, then prompt the user to log in with correct information (or register, also on the same HTML form). Else, create the session variables for username and password and go on to the next page (admin.php).
On the admin.php script, the first thing that I'm doing is starting the session and checking the variables, that they are set. (Code below the login script.)
However, I notice that I can still access the page, even when I'm not in a session. Any ideas on how to fix this?
Also, I have a couple of other pages where I need to set up the same deal. How can this be done on an .html page?
Many thanks in advance for your help.
//login script
<?php
session_start();
$error = ''; // initialise so the echo at the bottom never hits an undefined variable
if (empty($_POST['username']) || empty($_POST['password'])) {
    $error = "<p>You must enter a username and password. Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else if (strlen($_POST['password']) < 6 || strlen($_POST['password']) > 8) {
    $error = "<p>Your password must be between 6 and 8 characters. Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $connection = mysqli_connect("localhost", "username", "password", "databasename");
    // Bind the form values as parameters instead of splicing them into the SQL string,
    // so a crafted username or password cannot change the meaning of the query.
    $stmt = mysqli_prepare($connection, "SELECT * FROM newuser WHERE username = ? AND password = ?");
    mysqli_stmt_bind_param($stmt, "ss", $username, $password);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    mysqli_close($connection);
    if (!$found) {
        $error = "<p>Incorrect Login Information. Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
    }
    else {
        session_regenerate_id(true); // new session id once the user is authenticated
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password; // admin.php only checks username; the password need not be kept here
        header('Location: admin.php');
        exit; // stop here, otherwise the HTML below is still sent before the redirect happens
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>PHP Login Script</title>
</head>
<body>
<font color='#a3b9cb'>
<h1 align="center">Log In</h1>
<?php
echo $error;
?>
</font>
</body>
</html>
//admin.php script
<?php
session_start();
if (!isset($_SESSION['username']) || $_SESSION['username'] == "") {
    header("Location: logininfo.html");
}
else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Admin</title>
</head>
<body>
<font color='#a3b9cb'>
<?php
    echo "<h1 align='center'>Welcome to the Administrators Page</h1>";
    echo "<table align='center' bgcolor='#333333' border='2' width='800' cellpadding='2' cellspacing='2'>";
    echo "<tr><td align='center'>Please select a link below:</td></tr>";
    echo "<tr><td><a href='requestform.html'>Display Records</a></td></tr>";
    echo "<tr><td><a href='addentry.html'>Insert A Contact</a></td></tr>";
    echo "<tr><td><a href='#'>Modify an existing record</a></td></tr>";
    echo "<tr><td><a href='#'>Delete a record</a></td></tr>";
    echo "<tr><td><a href='logout.php'>Log Off</a></td></tr>";
    echo "</table>";
}
?>
</font>
</body>
</html>
ASKER
That did it! I really appreciate the help!
One quick question: if I'm not in a session, I'm unable to access certain pages; it just brings me directly to the login page (via a header). How can I create a message that says "you are not logged in", and which page does it go on, the login page? Or the page that is directing me back to the login page?
Thanks again
>> How can I create a message that says (you are not logged in)
Put a parameter in the redirect URL, and check for this parameter on the target page. In this case the login page should be a .php page, so that you can test for the parameter:
if (!isset($_SESSION['username']) || $_SESSION['username'] == "") {
    header("Location: logininfo.php?msg=notloggedin");
    exit;
}
..and in logininfo.php fetch it like this:
<?php
if (isset($_GET['msg']) and $_GET['msg'] == 'notloggedin')
    echo '<p style="color:red">You need to log in before you can access this page!</p>';
?>
I inserted an "exit;" after the redirect. This is good practice; otherwise the rest of the protected page is executed before the actual redirect is executed. You used an else-clause to prevent this, which is easy to forget. When using exit the else-clause is not needed.
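One way to carry the check-redirect-exit pattern across every protected page, as an added example rather than code from the thread: a shared helper file (assumed name session_helpers.php) that each page requires before sending any HTML. It assumes logininfo.php as the login page, as in the answer above, and maps the msg token to a fixed message so the URL value itself is never echoed into the page.

```php
<?php
// session_helpers.php (assumed file name): require_once this from every page
// that uses the session, before any HTML is output, so headers can still be sent.

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Top of every protected page:  require_once 'session_helpers.php'; require_login();
function require_login(string $loginPage = 'logininfo.php'): void
{
    ensure_session();
    if (empty($_SESSION['username'])) {
        // Send a fixed token, not free text; the login page maps it to a message.
        header('Location: ' . $loginPage . '?msg=notloggedin');
        exit; // nothing below this line runs for an anonymous visitor
    }
}

// In logininfo.php (now a .php page so it can read the parameter):
//   require_once 'session_helpers.php'; echo login_message($_GET['msg'] ?? '');
function login_message(string $token): string
{
    $messages = [
        'notloggedin' => 'You need to log in before you can access this page!',
        'loggedout'   => 'You have been logged out.',
    ];
    if (!isset($messages[$token])) {
        return ''; // unknown or missing token: print nothing, never echo the URL value
    }
    return '<p style="color:red">' . htmlspecialchars($messages[$token]) . '</p>';
}

// logout.php:  require_once 'session_helpers.php'; logout_and_redirect();
function logout_and_redirect(string $loginPage = 'logininfo.php'): void
{
    ensure_session();
    $_SESSION = [];                       // drop username and anything else stored
    if (ini_get('session.use_cookies')) { // also expire the session cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $loginPage . '?msg=loggedout');
    exit;
}
```

Because require_login() calls exit, a protected page needs no else-clause around its HTML, and a page that forgets the require simply falls back to being public, which is easy to spot in review.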
ASKER
Below is my logout.php page.
So all of my pages should be PHP pages if I want to validate the session, correct? With the exception of my HTML form page which allows the user to log in. Is that right?