Reverse asset logic not working

Posted on 2016-10-04
Last Modified: 2016-10-05
If I do this:

if(isset($_SESSION['sessionID']) || isset($_COOKIE['userID'])) {

echo "Welcome";

} else {

header("location:login.php");
exit;
}

then it works fine. If no session or cookie is set then the user is redirected. I don't want to do it this way because I don't actually want to do anything if the user is logged in, I only want to worry about if the cookie or session isn't set so I can redirect them. I tried to reverse the logic like this:

if(!isset($_SESSION['sessionID']) || !isset($_COOKIE['userID'])) {
	
	header("location:login.php");
	exit;
	
	}

but it doesn't work. I THINK it is saying, if no session is found OR if no cookie is found, redirect. If I enter correct login details it doesn't log me in, just sends me back to the login page.
0
Comment
Question by:Black Sulfur
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41828599
Not sure whether this is the problem or not, but isset() may be too sensitive a test.  You might want to use empty() instead.  A field can be TRUE for isset() but FALSE for empty(), according to the man pages.  

The best approach might be to follow the design pattern in this article.
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41828615
Sorry, I did type isset but I noticed when typing it now that spell check changed it to asset, haha!

Thanks, Ray. I have been reading that from your previous post on my last question.

I think this is your code which is doing a similar thing:

function access_control($test=FALSE)
{
    // REMEMBER HOW WE GOT HERE
    $_SESSION["entry_uri"] = $_SERVER["REQUEST_URI"];

    // IF THE UID IS SET, WE ARE LOGGED IN
    if (isset($_SESSION["uid"])) return $_SESSION["uid"];

    // IF WE ARE NOT LOGGED IN - RESPOND TO THE TEST REQUEST
    if ($test) return FALSE;

    // IF THIS IS NOT A TEST, REDIRECT TO CALL FOR A LOGIN
    header("Location: RAY_EE_login.php");
    exit;
}

But then you also have this going on:

if (!isset($_SESSION["uid"]))
{

    // DETERMINE IF THE CLIENT IS ALREADY LOGGED IN BECAUSE OF "REMEMBER ME" FEATURE
    if (isset($_COOKIE["uuk"]))
    {

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41828618
PS. I did try empty and I got the same result:

if(empty($_SESSION['sessionID']) || empty($_COOKIE['userID'])) {
	
	header("location:login.php");
	exit;
	
	}

0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 600 total points
ID: 41828654
The general logic I follow goes like this...

1. Test the session value.  If it's set, the client is logged in.
2. Test the cookie value.  If it's set, look up the client information and set the session value.
3. Else, the client is not logged in.

In this logic, the session is the canonical indicator of whether the client is logged in.  The cookie is used only to set the session value.

Consider this if statement:
if(empty($_SESSION['sessionID']) || empty($_COOKIE['userID'])) {
	
	header("location:login.php");
	exit;
	
	}

This is saying that if either the session or cookie is empty(), return TRUE.  In other words, a session alone is not going to allow the client to be logged in; there must be a separate cookie, too.  That's probably not what you want.
0
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 1400 total points
ID: 41828671
I think you want to use 'AND' logic to test for both of them being empty.
if(empty($_SESSION['sessionID']) && empty($_COOKIE['userID'])) {

0
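
Ray's three-step logic and the AND test from the accepted answer, as an added example that is not code from the thread or from the linked article. `resolve_login()`, the `remember` cookie name and the token store are hypothetical and the sample requests are constructed; the example goes one step beyond the thread by checking the cookie's value against server-side data rather than only its presence.

```php
<?php
// Added example, not code from the thread. resolve_login(), the "remember"
// cookie name and the token store are hypothetical; all data is constructed.

// Constructed server-side store: sha256(remember-me token) => user id.
$tokens = [hash('sha256', 'constructed-random-token-1') => 42];

// Returns the logged-in user id, or null when the caller must redirect.
function resolve_login(array &$session, array $cookie, array $tokens): ?int
{
    // 1. The session is the canonical indicator of a logged-in client.
    if (!empty($session['uid'])) {
        return (int) $session['uid'];
    }
    // 2. A cookie counts only if its value resolves to a stored token;
    //    if it does, set the session value from the looked-up record.
    $token = $cookie['remember'] ?? null;
    if (is_string($token) && $token !== '') {
        $key = hash('sha256', $token);
        if (isset($tokens[$key])) {
            $session['uid'] = $tokens[$key];
            return $tokens[$key];
        }
    }
    // 3. Else, the client is not logged in.
    return null;
}

// Constructed requests: label => [session data, cookie data].
$cases = [
    'session only'  => [['uid' => 7], []],
    'valid cookie'  => [[], ['remember' => 'constructed-random-token-1']],
    'forged cookie' => [[], ['remember' => '42']],
    'neither'       => [[], []],
];

foreach ($cases as $label => [$session, $cookie]) {
    // Presence-only tests: the OR form from the question, the AND form from the answer.
    $orRedirects  = empty($session['uid']) || empty($cookie['remember']);
    $andRedirects = empty($session['uid']) && empty($cookie['remember']);
    $uid = resolve_login($session, $cookie, $tokens);
    printf("%-13s OR redirects: %-5s AND redirects: %-5s resolved uid: %s\n",
        $label, var_export($orRedirects, true), var_export($andRedirects, true),
        var_export($uid, true));
}
// In a page: if (resolve_login($_SESSION, $_COOKIE, $tokens) === null) {
//     header("Location: login.php"); exit; }
```

In the forged-cookie case the presence-only AND test lets the request through while `resolve_login()` returns null, which is the reason the cookie is used only to look up the client and set the session.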
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41828682
Ah, can't believe I didn't see that as that seems really obvious now that you pointed it out!
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41828690
Regarding this...

  $_SESSION["entry_uri"] = $_SERVER["REQUEST_URI"];

Would you only use this as an extra security layer with a session-based login because then you will always have to come from the login page to get to your account area? But it would not work with cookies because I might just open my browser and go directly to the account page and completely bypass the login page?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41828735
$_SERVER["REQUEST_URI"] is the page you are currently on.  If you want to see where you came from, use $_SERVER["HTTP_REFERER"].  $_SERVER["HTTP_REFERER"] is Not set if you went directly to the page instead of from another page.  And since it can be spoofed, you should not rely only on it.  I do use it on a lot of pages though.  If they can't get that right, they shouldn't be there anyway.

http://php.net/manual/en/reserved.variables.server.php
1
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41828922
This is a complicated issue that produces a simple, intuitive, "good-UX" result.  If you read the article and still have questions about why we use that, please post a new question and I'll try to explain.
$_SESSION["entry_uri"] = $_SERVER["REQUEST_URI"];

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41829300
Thanks guys. Ray, I have read the part of the article which explains it and I have looked at the code but I still can't understand why exactly you do it. I initially thought that maybe it was for if you are browsing a site and for example find a page with a particular product or article and you want to make a purchase, then if you log in you will stay on that page instead of being taken to your dashboard and you have to hunt for that page again. But that probably isn't it. I will open a related question.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41830108
I posted in the related question.  HTH, ~Ray
0
