Crazy Horse
asked on
Reverse asset logic not working
If I do this:
if(isset($_SESSION['sessionID']) || isset($_COOKIE['userID'])) {
    echo "Welcome";
} else {
    header("location:login.php");
    exit;
}
then it works fine. If no session or cookie is set then the user is redirected. I don't want to do it this way because I don't actually want to do anything if the user is logged in, I only want to worry about if the cookie or session isn't set so I can redirect them. I tried to reverse the logic like this:
if(!isset($_SESSION['sessionID']) || !isset($_COOKIE['userID'])) {
    header("location:login.php");
    exit;
}
but it doesn't work. I THINK it is saying, if no session is found OR if no cookie is found, redirect. If I enter correct login details it doesn't log me in, just sends me back to the login page.
ASKER
Sorry, I did type isset but I noticed when typing it now that spell check changed it to asset, haha!
Thanks, Ray. I have been reading that from your previous post on my last question.
I think this is your code which is doing a similar thing:
function access_control($test=FALSE)
{
    // REMEMBER HOW WE GOT HERE
    $_SESSION["entry_uri"] = $_SERVER["REQUEST_URI"];
    // IF THE UID IS SET, WE ARE LOGGED IN
    if (isset($_SESSION["uid"])) return $_SESSION["uid"];
    // IF WE ARE NOT LOGGED IN - RESPOND TO THE TEST REQUEST
    if ($test) return FALSE;
    // IF THIS IS NOT A TEST, REDIRECT TO CALL FOR A LOGIN
    header("Location: RAY_EE_login.php");
    exit;
}
But then you also have this going on:
if (!isset($_SESSION["uid"]))
{
// DETERMINE IF THE CLIENT IS ALREADY LOGGED IN BECAUSE OF "REMEMBER ME" FEATURE
if (isset($_COOKIE["uuk"]))
{
ASKER
PS. I did try empty and I got the same result:
if(empty($_SESSION['sessionID']) || empty($_COOKIE['userID'])) {
    header("location:login.php");
    exit;
}
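Added example (not code from this thread): by De Morgan's law the negation of `A || B` is `!A && !B`, so the guard as posted redirects in states where the original check printed "Welcome". The arrays and function names are hypothetical stand-ins for `$_SESSION` and `$_COOKIE` so the script runs from the PHP CLI (7.4+), and the sample states are constructed.

```php
<?php
// Added example. $session/$cookie stand in for $_SESSION/$_COOKIE;
// the function names are hypothetical.

// Working check from the question: logged in if EITHER value is present.
// Note: a cookie is client-supplied, so its mere presence proves nothing
// about who sent it; the value still has to be validated server-side.
function isLoggedIn(array $session, array $cookie): bool
{
    return isset($session['sessionID']) || isset($cookie['userID']);
}

// Reversal as posted: redirects when EITHER value is missing.
function redirectAsPosted(array $session, array $cookie): bool
{
    return !isset($session['sessionID']) || !isset($cookie['userID']);
}

// De Morgan: !(A || B) == (!A && !B). Redirect only when BOTH are missing.
function redirectCorrected(array $session, array $cookie): bool
{
    return !isset($session['sessionID']) && !isset($cookie['userID']);
}

// Constructed states covering all four combinations.
$cases = [
    'session + cookie' => [['sessionID' => 'abc'], ['userID' => '42']],
    'session only'     => [['sessionID' => 'abc'], []],
    'cookie only'      => [[], ['userID' => '42']],
    'neither'          => [[], []],
];

$yn = fn(bool $b): string => $b ? 'yes' : 'no';

printf("%-18s %-9s %-17s %-19s\n", 'state', 'loggedIn', 'redirect(posted)', 'redirect(corrected)');
foreach ($cases as $label => [$session, $cookie]) {
    $loggedIn  = isLoggedIn($session, $cookie);
    $posted    = redirectAsPosted($session, $cookie);
    $corrected = redirectCorrected($session, $cookie);
    // A correct guard is the exact negation of the working check.
    $flag = ($posted !== !$loggedIn) ? '  <-- logged in, but redirected' : '';
    printf("%-18s %-9s %-17s %-19s%s\n", $label, $yn($loggedIn), $yn($posted), $yn($corrected), $flag);
}
```

A login that sets the session but no cookie lands in the "session only" row, which the posted guard sends back to login.php. The `empty()` variant has the same `||` problem.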
ASKER
Ah, can't believe I didn't see that as that seems really obvious now that you pointed it out!
ASKER
Regarding this...
$_SESSION["entry_uri"] = $_SERVER["REQUEST_URI"];
Would you only use this as an extra security layer with a session based login because then you will always have to come from the login page to get to your account area? But it would not work with cookies because I might just open my browser and go directly to the account page and completely bypass the login page?
$_SERVER["REQUEST_URI"] is the page you are currently on. If you want to see where you came from, use $_SERVER["HTTP_REFERER"]. $_SERVER["HTTP_REFERER"] is not set if you went directly to the page instead of from another page. And since it can be spoofed, you should not rely only on it. I do use it on a lot of pages though. If they can't get that right, they shouldn't be there anyway.
http://php.net/manual/en/reserved.variables.server.php
This is a complicated issue that produces a simple, intuitive, "good-UX" result. If you read the article and still have questions about why we use that, please post a new question and I'll try to explain.
$_SESSION["entry_uri"] = $_SERVER["REQUEST_URI"];
ASKER
Thanks guys. Ray, I have read the part of the article which explains it and I have looked at the code but I still can't understand why exactly you do it. I initially thought that maybe it was for if you are browsing a site and for example find a page with a particular product or article and you want to make a purchase, then if you log in you will stay on that page instead of being taken to your dashboard and you have to hunt for that page again. But that probably isn't it. I will open a related question.
I posted in the related question. HTH, ~Ray
The best approach might be to follow the design pattern in this article.
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html