I know this is a bit stupid and there's probably a smarter way. But are there a way to generate a session variable just by visiting a specific website. What I want to do is that I want a customer to visit one website before visiting another website. And also, is there a way so a session variable can only be used once?
thanks! :)
Just to clear everything. What I didn't know existed was the unset function. I wanted the user of the website to visit the first page first, then the next and then the final page. I also wanted it in a way that if the user wants to visit the second page he/she would first have to visit the first again. It's super simple and I don't know why I didn't know this. Here's what I did:
First page:
<?php
session_start();
$_SESSION['second_page']=true;
?>
Second page:
<?php
session_start();
if ($_SESSION['second_page']==true){}
else {
header('Location: example.php');
exit;
}
unset($_SESSION["second_page"]);
$_SESSION['final_page']=true;
?>
Final page:
<?php
session_start();
if ($_SESSION['final_page']==true){}
else {
header('Location: example.php');
exit;
}
?>
Related
I want to ensure that an HTML page only appears if the user has logged in. I'm trying to do it by setting a session variable from the login page then checking if that variable exists when the HTML page is loaded.
This is my code at the very top of the HTML page:-
<?php
session_start();
if (!isset($_SESSION['checks'])) {
header("location: http://localhost/project/fail.php");
}
?>
It doesn't redirect! Nothing happens at all except that the HTML page gets loaded.
Can anyone help please?
Thank you all for your helpful suggestions. The snippet I posted shows the very first lines: i.e. session_start(); is the very first line.
By moving the var check snippet from the session_start() segment and making a separate php check snippet immediately after the body tag, everything works as expected.
You can use header function : https://www.php.net/manual/en/function.header.php
Referring to it :
<?php
session_start();
if (!isset($_SESSION['checks'])) {
header("Location: http://localhost/project/fail.php");
}
?>
make sure that session_start() always come at the first line
if(!isset($_SESSION['checks'])){
header('location: fail.php');
}
I believe your problem is on the login page... Although, if I were to talk about this page, consider trying the following code instead of your snippet first. If it gives the desired outcome then you will know that the problem is with your header and not the session:
<?php
session_start();
if (!isset($_SESSION['checks'])) {
echo "not logged in";
}
?>
Do make sure you're referring to the correct session variable if this code doesn't work and feel free to share how you are starting this session on your login page.
I've been looking through alot of posts about how to check if a user is logged in or not and most answers that I found where making use of sessions (thats how I understood it anyways:-p)
I included the following code in the php file and it kinda seems to work:
<?php
else if ($action =="aboutUs") {
// opens about us page either in secure or unsecured area depending on login
session_start();
if(isset($_SESSION['username']))
{
echo openHTMLsecurearea();
echo aboutUs();
echo closeHTML();
} else {
echo openHTML();
echo aboutUs();
echo closeHTML();
}
}
?>
Basically if the user is loged-in I want to show the secure area and if not, then it should open the "regular" site.
When I first open the browser (and have deleted my history) it works as it is supposed to (opening regular site when not loged in and then secure area when loged in). However, when I then logout again it should show me the regular site again but it doesn't. It still shows me the secure area page.
I think that's because the same session is still running and therefore the username is still set even though I loged off.
I'm pretty sure that there is a way around but I can't figure it out. The openHTML and openHTMLsecurearea set up is probably not the best solution but it's a little too late to change this now so it would be great if someone could help me with a way around this to ensure the user is actually logged in or not.
Any help is really appreciated thank you very much.
First consider using session_start() before any single char outside <?php ?>
Logout code is simply <?php session_destroy ?> and have the same rule as session_start: no html before.
And as everybody tells you... No session, no login system - or really secureless
I'm using a page count to control the number of times a user can view a page before being redirected. the page is profile.php and if a user clicks on a users profile this takes them to profile.php with the extension id=1 or id=8 etc.
at the moment this script is placed in profile.php and it works fine, it limits the number of profiles a user can view. but i want to exclude a few profiles. is this possible?
I'm new and a beginner to php so if someone could please show me that would really help.
Please and thank you.
<?php
!session_id() ? session_start() : null;
if(!isset($_SESSION['page_access_count'])){
$_SESSION['page_access_count'] = 1;
}elseif($_SESSION['page_access_count'] >= 6){
// redirect to signup page
header('Location: limit.php');
exit;
}
// increase the page access session value
$_SESSION['page_access_count']++;
?>
Use an if statement.
if(on profile foo){
do bar
}
else {
count++
}
Yeah. Use an if statement. Looks like you're familiar with them, and you've already got some decent understanding of PHP, so maybe I'm missing something?
Specifically, for ease of maintenance, I'd do:
$free_profiles = array(1,8,12,14,96); // array of profile IDs to exclude
if (! in_array($_GET['id'], $free_profiles)) {
$_SESSION['page_access_count']++;
}
In a Nutshell: this is a question, about improving the security of sessions in-order to prevent them from session fixation/hijacking
I have a user registration form, login and article posting form.
Now, when user registers, logs in or posts somethings there is always thank you page different for all three. More specifically 'thankyou.php'
The problem is users can access the static thank you page, by typing the url 'site.com/thanks.php'
I don't want this to happen, I want those page to show up only when a specific tasks have been arbitrated.
So, I thought about about making sql query's to see if users has posts for the last 5 seconds and show thank you page, or show 404 but, It's seems unnecessary to create a query just for than one. And, Since I think PHP is flexible if you guys give me an idea I could probable learn something new on the way, on how to achieve this.
You can restrict the page with the $_SERVER['HTTP_REFERER'] (enter link description here) viewing from they are coming to thankyou.php page.
You Can Achieve this by settling the session like this:
if($_SESSION['registration']=="registration")
{
echo "Thank you for registering";
unset($_SESSION['registration']);
}
elsif($_SESSION['login']=="login")
{
echo "Thank you for login";
unset($_SESSION['login']);
}
elseif($_SESSION['post']=="post")
{
echo "Thank you for Post";
unset($_SESSION['post']);
}
else
{
echo "session is not set,something is wrong";
}
So set the values in session on html page like.
$_SESSION['login']="login";
//like for others also
I have a web app I am developing for a school project, I am having issues with the logout page. When a user clicks logout it will send them to a logout.php which just looks like this:
<?php include ("includes/check_authorization.php");
// Unset the session and destroy it
session_unset();
session_destroy();
// Redirect to the home page
echo '<META HTTP-EQUIV="Refresh" Content="0; URL=index.php">';
exit;
?>
It is very simple, but it will unset, then destroy the session, and redirect to the index, which is the login page. However when this is run the index immedietley redirects to a user homepage. The check_authorization page included at the top will redirect someone to login if the username and id are not set and matching in the $_SESSION, so this means that it is setting these for me? I am really confused as to how this is happening. I am using CAS for authentication.
EDIT: the check_authorization.php also initializes the session as well as checking those key values
For like this situation I did as follows, this is working for me all the browsers,
#session_unset();
$old_sessid = #session_id();
#session_regenerate_id();
$new_sessid = session_id();
#session_id($old_sessid);
#session_destroy();
Rather than just unsetting the data, try assigning a dummy value to the session, like:
$_SESSION['authKey'] = '!!INVALID!!';
session_unset();
session_destroy();
Even if the session 'revives', the authentication can't possibly succeed anymore because of the "fake" data.
There are some possibilities :
The most simple possibility : did you include the
session_start();
on top the file? before you include a file? I've been there before, and it pissed me off.
The second possibility : try to put
session_regenerate_id();
on the very top of your file (before you declare session_start();). Because in some Server Hosting, their configuration still using "LINUX" style that i can't explain to you here. But, the point is they always using "cache" when you redirect. In other words, you always redirect into your "cached" page when you rediret to another page. See.. it's hard to explain for you here. But just try the session_regenerate_id(); code, maybe it would work.
I never use the "echo" things in doing redirect things. Try :
header("location:index.php");
i don't know if this working or not. I just simply giving you my analysis based of my assumptions.
Hope these helpful. :)