php page protected with roles but not against guests - php

I am trying to protect some PHP pages with roles. The code I am using is working when people log in, but if they know the link and don't log in they can access the page, and I can't understand why.
Can anyone help me?
I am using this code to protect the page where only users with role "admin" can access.
<?php
// Initialize the session
session_start();
// If session variable is not set it will redirect to login page
if(isset($_SESSION['username'])){
    if ($_SESSION['role']=='admin') {
    } else {
        header('location: index.php');
    }
}
?>

Try this:
<?php
// Initialize the session
if(!isset($_SESSION)) {
    session_start();
}
// If the session variable is not set, redirect to the login page
if(empty($_SESSION['username'])) {
    header('Location: index.php');
    exit; // stop here, otherwise the rest of the page is still sent
} else {
    if ($_SESSION['role'] != 'admin') {
        header('Location: index.php');
        exit;
    }
}
?>

Related

Preventing access to login and registration script when logged in (PHP SESSION)

I was wondering how I can restrict access for users that are logged in.
I know how to do it the other way around, e.g. restrict access for people who are not logged in.
I want to do this because I don't want them to access login and registration when they are logged in.
Here is my session if it helps
<?php
session_start();
if(!isset($_SESSION['user_id']) || !isset($_SESSION['logged_in'])){
    //User is not logged in. Redirect them back to the login.php page.
    header('Location: login.php');
    exit;
}
?>
And here is the session when they log in
if($validPassword){
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['logged_in'] = time();
    header('Location: index.php');
    exit;
}
Thanks.
Obviously you have to check if user is logged in:
// login.php
if(isset($_SESSION['user_id']) && isset($_SESSION['logged_in'])) {
    header('Location: /somewhere');
    exit;
} else {
    // show form or whatever
}
On login.php, check if they're logged in, and print an error or redirect them.
if (isset($_SESSION['logged_in'])) {
    die("You're already logged in");
}

php pages restrictions, how to make it work

Below is my admin panel code
<?php
session_start();
if (!isset($_SESSION['username']))
{
    header("Location: login.php");
}
if (isset($_SESSION['username'])&& $_SESSION['status'])
{
    include('adminnav.php');
}
?>
and this is my usernav bar
<?php
session_start();
if (!isset($_SESSION['username'])&& $_SESSION['status'])
{
    header("Location: login.php");
}
if (isset($_SESSION['username'])&& $_SESSION['status'])
{
    $_SESSION['status'];
    header("Location: usernav.php");
}
?>
I have the same interface for admin and user for login. When I log in to the system with a user profile, the user can access admin pages, e.g. remove user etc. All I want to know is how to restrict user page and admin so that user can access admin page.
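
Both the first question on this page and the admin panel question above come down to the same rule: reject by default and stop the script after redirecting. The following is an added example, not code from any of the posts; the function names, the `login.php` target and the 403 response are assumptions, and the session keys `username` and `role` follow the first question.

```php
<?php
declare(strict_types=1);

// Added example. The decision is a pure function so it can be checked without HTTP.
// Session keys 'username' and 'role' follow the first question on the page;
// access_decision(), require_role() and the 403 response are hypothetical.
function access_decision(array $session, array $allowedRoles): string
{
    // Deny by default: a guest has no 'username', so this branch must reject
    // instead of falling through to the page body.
    if (empty($session['username']) || !is_string($session['role'] ?? null)) {
        return 'login';
    }
    // Strict comparison: the stored role must match exactly, no type juggling.
    return in_array($session['role'], $allowedRoles, true) ? 'allow' : 'forbidden';
}

function require_role(array $allowedRoles): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    switch (access_decision($_SESSION, $allowedRoles)) {
        case 'allow':
            return;
        case 'login':
            header('Location: login.php');
            exit; // header() only queues a response header; exit stops the page body
        default:
            http_response_code(403);
            exit('Forbidden');
    }
}

// Constructed sessions for a command-line check: guest, ordinary user, admin.
if (PHP_SAPI === 'cli') {
    $cases = [
        'guest' => [],
        'user'  => ['username' => 'bob',   'role' => 'user'],
        'admin' => ['username' => 'alice', 'role' => 'admin'],
    ];
    foreach ($cases as $name => $session) {
        printf("%-5s -> %s\n", $name, access_decision($session, ['admin']));
    }
}
```

At the top of an admin-only page, call `require_role(['admin']);` before any output. Run from the command line, the script prints the decision for the three constructed sessions.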

How to create logout without SQL and only PHP?

So far, I have only the login.html files which has login form, redirects user once logged on and logout function. What I want to do is once a user logs in, they redirect to but their username is displayed on the top of the page. And with the file... I just want it to be able to logout the user. So far on my website, I can login as far as I am concerned, and it redirects once user logs in, but I can login as many times as I want, and I can logout as many times as I want.... It's complicated to sort out and I want to do this without SQL or any other server-side storage (since I am only using HTML local storage).
You have to remove the session of username in logout code
unset($_SESSION['username']);
Hope this helps. If not, it would be better if you could provide the code, so that the problem can be sorted out.
WRITE THIS ALL AT THE TOP OF THE PAGE
IN YOUR LOGIN PAGE
<?php
session_start();
if (isset($_POST["submit"])) {
    $username = $_POST["username"];
    $_SESSION["username"] = $username;
    header('Refresh: 5; URL=GameWebsite.php');
}
?>
IN YOUR LOGOUT PAGE
session_start(); // must run before $_SESSION is read
if(isset($_SESSION['username']))
{
    session_unset();
    session_destroy();
    // Then you may redirect to the login page if you want after some time.
    // The header has to be sent before any output.
    header('Refresh: 5; URL=login.php');
    echo " You have successfully logged out... You will be redirected back to the login page in a moment. ";
}
else
{
    header("Location: login.php"); // the user has no session
    exit;
}
IN OTHER PAGES YOU CHECK
session_start();
if(isset($_SESSION['username']))
{
}else
{
    header("Location: login.php"); // the user has no session
    exit;
}
In your login page write on top
if(isset($_SESSION['username']))
{
    header('Refresh: 5; URL=GameWebsite.html');
}
In your logout.php write
session_start(); // must run before $_SESSION is read
if(isset($_SESSION['username']))
{
    session_unset();
    session_destroy();
    // Then you may redirect to the login page if you want after some time.
    // The header has to be sent before any output.
    header('Refresh: 5; URL=Login.html');
    echo " You have successfully logged out... You will be redirected back to the login page in a moment. ";
}
else
{
    header("Location: login.php");
    exit;
}
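
A logout script in the order the answers above need, as an added example (not code from any of the posts): the session is opened before `$_SESSION` is read, then the session data, the browser cookie and the server-side record are removed. The `end_session()` name is hypothetical; `login.php` is the target used in the answers.

```php
<?php
declare(strict_types=1);

// Added example: complete logout for a PHP session (requires PHP 7.3+ for the
// array form of setcookie()). end_session() is a hypothetical helper name.
function end_session(): void
{
    // Open the session first: before session_start() runs, $_SESSION is not
    // populated, so an isset() check placed earlier never sees the login.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }

    // Drop all session variables for the remainder of this request.
    $_SESSION = [];

    // Expire the session cookie in the browser, using the same parameters it
    // was set with so the browser matches and removes it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    // Remove the server-side session data.
    session_destroy();
}

end_session();
// No output has been sent yet, so the redirect header is still allowed.
header('Location: login.php');
exit;
```

Calling the script a second time is harmless: a fresh empty session is opened and destroyed again, and the visitor still lands on `login.php`.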

PHP session does not work to go another page after login

I want to log in on a page. If he is admin, then he will redirect to admin home page & if he is user, will redirect to user home page. But my problem is when I set session to the admin homepage or user homepage, it does not work. There is a code named "homepage.php" that I use to create session in the admin homepage. Without this part, after login, user enters the homepage. But with this part user is always redirected to the index.php page. Where is the problem in my code?
homepage.php
<?php
session_start();
if(!isset($_SESSION["sess_user"]) || $_SESSION['sess_user']!='1')
{
    header("location:../index.php");
}
else
{
    $username = $_SESSION['sess_user'];
    include ('database.php');
}
?>
try this
<?php
session_start(); // required, otherwise $_SESSION is empty
if(isset($_SESSION['sess_user']))
{
    // same key as checked above
    if($_SESSION['sess_user']=='admin')
    {
        header("Location: adminhomepage.php");
        exit;
    }
    else
    {
        $username = $_SESSION['sess_user'];
        header("Location: userdashboard.php");
        exit;
    }
}
else
{
    header("location:../index.php");
    exit;
}
?>

Logged but can't access page for logged users?

I'm pretty noob in PHP but I'm trying to exercise. Since yesterday I'm on a problem I can't even understand, I thought my code was correct but it seems wrong
So here is my function to allow pages for logged users only
functions.php
function logged_only()
{
    if(session_status() == PHP_SESSION_NONE)
    {
        session_start();
    }
    if(!isset($_SESSION['auth']))
    {
        $_SESSION['flash']['danger'] = "You can't enter this page - not logged in";
        header('Location: login/login.php');
        exit();
    }
}
So It's supposed to redirect me to login page if I'm not logged-in, simple
login.php
elseif(password_verify($_POST['password'], $user->password)){
    $_SESSION['auth'] = $user;
    $_SESSION['flash']['success'] = 'You\'re now connected';
    header('Location: ../profile.php'); // user's homepage
    exit();
There is some code above and under this, but it works pretty good.
So in this case the script should insert user's information into his $_SESSION but it does nothing but redirect me to login.php. Also, the "profile.php" only contains "logged_only();" and a print_r (when I delete the redirection to login.php) of the $_SESSION, which shows nothing but "You can't access this page" (as I'm sending a message via $_SESSION)
Someone to guide me ? Thanks
You maybe should read about the session_start() in PHP: PHP Manual
In short words: session_start() starts a new session or recovers the already existing session with the client.
So after each redirect (also to your login.php) you need to call session_start().
There is no need for
if (session_status() == PHP_SESSION_NONE){
    session_start();
}
You should only use
session_start();
(In both, your functions.php and your login.php) before accessing the $_SESSION variable.
functions.php
function logged_only(){
    session_start();
    if(!isset($_SESSION['auth'])){
        $_SESSION['flash']['danger'] = "You can't enter this page - not logged in";
        header('Location: login/login.php');
        exit();
    }
}
login.php
session_start();
// ... Rest of code
elseif(password_verify($_POST['password'], $user->password)){
    $_SESSION['auth'] = $user;
    $_SESSION['flash']['success'] = 'You\'re now connected';
    header('Location: ../profile.php'); // user's homepage
    exit();
