PHP - Session - log in

I have a login html form, which logs in a user using a php script which creates a session (code below).  There is an if else statement in the code that says if the login information is incorrect - then prompt the user to log in with correct information (or register - also on the same html form).  Else - create the session variables for username and password - and go on to the next page (admin.php).
On the admin.php script - the first thing that I'm doing is starting the session and checking the variables - that they are set.  (Code below the login script).
However - I notice that I can still access the page, even when I'm not in a session.  Any ideas on how to fix this?

Also - I have a couple of other pages, where I need to set up the same deal.  How can this be done on an .html page?

Many thanks in advance for your help.

//login script
<?php
session_start();
if (empty($_POST['username']) || empty($_POST['password'])) {
	$error = "<p>You must enter a username and password.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else if (strlen($_POST['password']) < 6 || strlen($_POST['password']) > 8) {
	$error = "<p>Your password must be between 6 and 8 characters.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else {
// both fields are known to be non-empty from the checks above
$username = $_POST['username'];
$password = $_POST['password'];
 
$connection = mysqli_connect("localhost", "username", "password", "databasename");
// bind the submitted values as parameters rather than interpolating them into the SQL string
$stmt = mysqli_prepare($connection, "SELECT * FROM newuser WHERE username = ? AND password = ?");
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
 
if (!(mysqli_num_rows($result) > 0)) {
	$error = "<p>Incorrect Login Information.  Click <a href='logininfo.html'>here</a> to return to the previous page.</p>";
}
else {
	$_SESSION['username'] = $username;
	$_SESSION['password'] = $password;
	header('Location: admin.php');
}
 
mysqli_close($connection);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>PHP Login Script</title>
</head>
<body>
<font color='#a3b9cb'>
<h1 align="center">Log In</h1>
<?php 
echo $error;
?>
</body>
</html>
 
 
 
//admin.php script
<?php
session_start();
if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
	header("Location: logininfo.html");
}
else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Admin</title>
</head>
<body>
<font color='#a3b9cb'>
<?php
	echo "<h1 align='center'>Welcome to the Administrators Page</h1>";
	echo "<table align='center' bgcolor='#333333' border='2' width='800'cellpadding='2' cellspacing='2'>";
	echo "<tr><td align='center'>Please select a link below:</td></tr>";
	echo "<tr><td><a href='requestform.html'>Display Records</a></td></tr>";
	echo "<tr><td><a href='addentry.html'>Insert A Contact</a></td></tr>";
	echo "<tr><td><a href='#'>Modify an existing record</a></td></tr>";
	echo "<tr><td><a href='#'>Delete a record</a></td></tr>";
	echo "<tr><td><a href='logout.php'>Log Off</a></td></tr>";
	echo "</table>";
}
?>
</body>
</html>

techlinden asked:

Roger Baklund commented:
>> even when i'm not in a session

How do you know you are not in a session? How do you log out? Did you delete the session cookie?

>> How can this be done on an .html page?

It can't (except for using javascript, which can be disabled). You must use .php files to validate the session.
techlinden (Author) commented:
Ah - could it be my log out page not running correctly?
Below is my logout.php page.

So all of my pages should be php pages if I want to validate the session, correct?  With the exception of my html form page which allows the user to log in.  Is that right?
<?php
session_start();
if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
	session_unset();
	session_destroy();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Administrator PHP Script</title>
</head>
<body>
<font color='#a3b9cb'>
<h1 align="center">Log In</h1>
<?php
echo "<p>You have successfully logged out!</p>";
echo "<p>Please click <a href='logininfo.html'>here</a> to return to the Login Page.</p>";
?>
</body>
</html>

Roger Baklund commented:
>> So all of my pages should be php pages if I want to validate the session, correct?  

Yes.
>> With the exception of my html form page which allows the user to log in.  Is that right?

Yes, any page that does NOT need to be protected can have .html extension.

if (!isset($_SESSION['username']) || $_SESSION['username']=="") {

Here you are only destroying the session if $_SESSION['username'] is NOT set or if it is blank. Remove the if() statement, execute session_unset() and session_destroy() regardless of the existence of/value of $_SESSION['username'].
techlinden (Author) commented:
That did it!  I really appreciate the help!
One quick question - if i'm not in a session - i'm unable to access certain pages - it just brings me directly to the login page (via a header).  How can I create a message that says (you are not logged in) - and which page does it go on - the login page?  Or the page that is directing me back to the login page?

Thanks again
Roger Baklund commented:
>> How can I create a message that says (you are not logged in)

Put a parameter in the redirect url, and check for this parameter on the target page. In this case the login page should be a .php page, so that you can test for the parameter:

if (!isset($_SESSION['username']) || $_SESSION['username']=="") {
        header("Location: logininfo.php?msg=notloggedin");
        exit;
}

..and in logininfo.php fetch it like this:

<?php
  if(isset($_GET['msg']) and $_GET['msg']=='notloggedin')
    echo '<p style="color:red">You need to log in before you can access this page!</p>';
?>

I inserted an "exit;" after the redirect. This is good practice; otherwise the rest of the protected page is executed before the actual redirect is executed. You used an else-clause to prevent this, but that is easy to forget. When using exit the else-clause is not needed.
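The three pieces this thread arrives at (the protected-page check followed by exit, the unconditional logout, and the msg parameter on the login page) collected into one include file. This is an added example, not code posted by the asker or by Roger Baklund; the file names auth.php, logininfo.php and admin.php are assumed.

```php
<?php
// auth.php -- added example, not code posted in this thread.
// Assumed file names: logininfo.php (login form), admin.php (protected page).

// Start the session once, whichever page includes this file first.
function start_session_once(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Guard for every protected page: redirect and stop executing, so no part
// of the protected page is sent before the redirect takes effect.
function require_login(): void {
    start_session_once();
    if (empty($_SESSION['username'])) {
        header('Location: logininfo.php?msg=notloggedin');
        exit;
    }
}

// Call only after the credentials have been verified. Store the username,
// not the password, and issue a fresh session id for the logged-in state.
function establish_session(string $username): void {
    start_session_once();
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

// Unconditional logout: clear the data, expire the cookie, destroy the session.
function logout_user(): void {
    start_session_once();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// For logininfo.php: the message to show when a protected page redirected here.
function login_message(): string {
    if (isset($_GET['msg']) && $_GET['msg'] === 'notloggedin') {
        return '<p style="color:red">You need to log in before you can access this page!</p>';
    }
    return '';
}
```

admin.php then opens with `<?php require 'auth.php'; require_login(); ?>`, logout.php calls logout_user() before printing its message, and logininfo.php echoes login_message() above the form.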