Login Check Does Not Work

Hi Experts,

I have the following screen that checks if the user is logged in, if they are not they are redirected to the login page. I am artificially setting $isLoggingIn to FALSE, so I meet the first condition for testing purposes, as well I am including beneath the script my browser output

//Login Check
    $isLoggingIn = FALSE;
echo '<br> check sec sess = ' . $_SESSION['sess_id']; 
echo '<br> check sec server sess = ' . session_id(); 
echo '<br> is logging in = ' . $isLoggingIn; 
echo '<br> is logging in set = ' . isset($isLoggingIn); 

    if ($isLoggingIn == FALSE){
        if (!isset($_SESSION['sess_id']) && ($_SESSION['sess_id'] != session_id())){

            echo 'need to redirect.';
            header('Location:' . $env['url'] . '/?type=err&msg=Must Login First.');
            exit();
        } 
    }

Open in new window


Browser Output:
check sec sess =
check sec server sess = d0b6cjkvsk97tpdsf344462gb3
is logging in =
is logging in set = 1 

Open in new window

APD TorontoSoftware DeveloperAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Phil DavidsonCommented:
Can you rephrase your question?  I'm not sure what the problem is.
0
Ryan ChongCommented:
Did you put session_start() in your php scripts?

http://php.net/manual/en/function.session-start.php
0
Marco GasiFreelancerCommented:
Hi,  APD_Toronto. Can you show the code which pass the values to this page?
0
Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

Ray PaseurCommented:
Here is how I do it. There are a lot of moving parts to a system like this.  Please read the article and check the code examples, then post back if you still have questions.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
APD TorontoSoftware DeveloperAuthor Commented:
My question is simply why is the following not being met?

 if (!isset($_SESSION['sess_id']) && ($_SESSION['sess_id'] != session_id())){

Open in new window


Considering my browser output above
0
Ray PaseurCommented:
There is no way to know from the information we have here.  

What is in $_SESSION['sess_id']?  What is the return value from session_id()?  Was session_start() used in all of the related scripts?
0
APD TorontoSoftware DeveloperAuthor Commented:
Ray, I thought that all of these questions i covered in my original post, with my echo statements and browser output?
0
Ray PaseurCommented:
How would we be able to tell that session_start() was used?  It's not in the code.  And since browser output cannot come before header() commands, if the browser output occurred, the header() will not work.

You don't have to reinvent this wheel - you can just copy and paste the code from the article, and it will work well for you.
0
hieloCommented:
>> if (!isset($_SESSION['sess_id']) && ($_SESSION['sess_id'] != session_id())){
First of all, it should be `OR` not `AND`

if (!isset($_SESSION['sess_id']) || ($_SESSION['sess_id'] != session_id())){

Open in new window


Secondly, you cannot send output to the browser before redirecting.  All those echo statements will prevent the redirection from taking place.  Try:
//Login Check
$str='';
    $isLoggingIn = FALSE;
$str .= '<br> check sec sess = ' . $_SESSION['sess_id']; 
$str .= '<br> check sec server sess = ' . session_id(); 
$str .= '<br> is logging in = ' . $isLoggingIn; 
$str .= '<br> is logging in set = ' . isset($isLoggingIn); 

    if ($isLoggingIn == FALSE){
        if (!isset($_SESSION['sess_id']) || ($_SESSION['sess_id'] != session_id())){
            // echo 'need to redirect.';
            header('Location:' . $env['url'] . '/?type=err&msg=Must Login First.');
            exit();
        }
       // if it makes it here, then you can see your output
       echo $str;
    }

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
APD TorontoSoftware DeveloperAuthor Commented:
Ray, so I either use your code or hit highway?

I'm outputing $_SESSION['sess_id'] as an empty string, which obviously doesn't match sess_id

Forget about that this is a login script, why does a session variable, which is blank, when compared to a non-blank scrip, doesn't return false?  Yes ,  I have a session_start(); on each page, that's part of a general includ, but if I didn't, this the more reason that I should get a false
0
APD TorontoSoftware DeveloperAuthor Commented:
I know that you can not echo before header , but you can on IIS, regardless, that's why I'm doing the echo 'need to redirect'

The OR instead of AND makes sesmse, will try that as soon as I get to my office
0
Marco GasiFreelancerCommented:
First look at hielo's comment && should be ||.
Second, the first condition (if (!isset($_SESSION['sess_id'])) will always be evaluated as false: the variable $_SESSION['sess_id'] is set but it is empty and these are two different things. Since the first condition will never be evaluated true the check is interrupted and the second condition will not evaluated at all.
Try this:

 if (!empty($_SESSION['sess_id']) || ($_SESSION['sess_id'] != session_id())){
0
hieloCommented:
isset(): Determine if a variable is set and is not NULL.

Open in new window


If you have initialized $_SESSION['sess_id'] to anything other than NULL ( for instance, an empty string or false), then the left-most expression in your if clause would prevent the if block from executing since you have an "AND" condition.
0
Ray PaseurCommented:
This is another useful function.  It will return true in case things are empty or missing.  Useful when you want to see if there is a value in an array or object (eg: session).  It can help remove some of the compound if() statements.
http://php.net/manual/en/function.empty.php

Also, you don't have to use my code, but if you read the article you will see how you want your code to work, and you may find the design pattern in the examples to be useful.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.