Is it safe to do this in php? - php

I am new to php, and I want to know if it is safe to do it like this...
I currently have a login system to protect a few pages.
Is it possible for a hacker to change the value of $logged_in?
Is this safe?
If it isn't, what is the best way to do it?
Files:
- not_logged_in.php
- test.php
- login.php
- logout.php
- protected_page_1
- protected_page_2
- unprotected_page_1
Code:
not_logged_in.php:
<html>
You are not logged in!
</html>
test.php:
<?php
$logged_in = false;
function protect_page() {
if($logged_in == false) {
header('Location: index.php');
exit();
}
}
?>
login.php:
<?php
include "test.php";
$logged_in = true;
?>
logout.php:
<?php
include "test.php";
$logged_in = false;
?>
protected_page_1.php:
<?php
include "test.php";
protect_page();
?>
<html>
Content
</html>
protected_page_2:
<?php
include "test.php";
protect_page();
?>
<html>
Content
</html>
unprotected_page_1:
<html>
Content
</html>
I completely understand that the login.php page just logs in and you don't have to enter a password, but that is just for testing currently...
Thanks for reading!

I think the way of using this $logged_in variable is too loose.
I suggest to make use of sessions.
session.php:
<?php
session_start(); // start at the top of your page, before any output
if(!isset($_SESSION['loggedin'])) {
$_SESSION['loggedin'] = false;
}
// named logged_in() so it matches the call on the protected pages below
function logged_in()
{
return $_SESSION['loggedin'];
}
?>
and in any page with protected content.
<?php
include 'session.php';
if(!logged_in()) {
include 'login.php';
exit();
}
// some info
?>
login.php will have a form to log in (and will set $_SESSION['loggedin'] = true;).
every page could include session.php.
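Two things are worth knowing about the original test.php before moving to sessions. Inside protect_page() the name $logged_in refers to a function-local variable, not the one assigned at file scope (PHP functions do not see globals without a global statement), so the check always redirects; and the $logged_in = true in login.php only lives for that one request, since every request starts with a fresh set of variables. A request parameter could only have set it on PHP versions before 5.4 with register_globals enabled. The following auth.php is an added example, not code from the original question or the answer above: it keeps the login state in the session, hardens the session cookie, issues a new session id on login so a pre-planted id (session fixation) is useless, and exits after the redirect so the protected HTML is never sent. The in-memory user list and the user "alice" are constructed for the example; a real site reads the hash from its database.

```php
<?php
// auth.php - added example. Assumes HTTPS in production (secure cookie flag)
// and replaces the database with a constructed in-memory user list.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // an earlier include already started it
    }
    // HttpOnly keeps scripts away from the id, Secure restricts it to TLS,
    // SameSite=Lax stops most cross-site requests from carrying it.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed credential store: username => password_hash() output.
function sample_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

function login_user(string $username, string $password): bool
{
    $users = sample_users();
    // Verify against a throwaway hash for unknown users so both failure
    // paths cost about the same time.
    $hash  = $users[$username] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    $valid = password_verify($password, $hash);
    if (!isset($users[$username]) || !$valid) {
        return false;
    }
    start_secure_session();
    session_regenerate_id(true);       // new id after the privilege change
    $_SESSION['logged_in']  = true;
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Put require 'auth.php'; require_login(); at the top of every protected page.
function require_login(string $login_url = 'login.php'): void
{
    start_secure_session();
    if (empty($_SESSION['logged_in'])) {
        header('Location: ' . $login_url);
        exit; // without exit the HTML below the guard is still sent to the client
    }
}

function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    // Expire the cookie too, so the old id is not presented again.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

login.php calls login_user() with the form values and redirects on success; logout.php calls logout_user(). The exit after header('Location: ...') matters more than it looks: a client that ignores the redirect (curl does by default) otherwise receives the full protected page in the same response.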

Yes, it's protected. Maybe you can store the variable that shows whether the user is logged in or not in a session storage to make it even more efficient.

Related

PHP Login and session

Good morning/evening,
I'm stuck and I need some help in PHP.
I am trying to code up an admin dashboard. And I want to check if user is logged in, if not , redirect to the login page.
My index.php is this:
<?php
$pagename ="Index";
#require_once('inc/head.php');
?>
<body>
CONGRATS! Welcome to the Admin dashboard.
</body>
</html>
My login page:
<?php
$pagename = "login";
$adminUser = "admin";
$adminPass = "admin";
#require_once('inc/head.php');
// If POST is submitted and IDs match the ones set
if($_SERVER["REQUEST_METHOD"] == "POST")
{
if($_POST["username"] == $adminUser && $_POST["password"] == $adminPass)
{
session_start();
$_SESSION["username"] = $adminUser;
$_SESSION["login"] = true;
echo '<script>alert("Congrats, you logged in");
window.location = "index.php"; </script>';
/* I skip the line underneath because for unknown reasons my code
Doesn't fully run through. So I redirected with the JS above instead.
header("Location: index.php");
exit(); */
}else{
echo '<script>alert("Incorrect username or password!");</script>';
}
}
?>
<html>
<!-- login page here -->
</html>
And here goes my head.php:
<?php
// If we AREN'T on the login page , check if session exist. If not send to login
if($pagename != "login")
{ if(!$_SESSION['login'])
{
header('location: login.php');
exit();
}
}
?>
There are a lot of things wrong with this and I know it, but as of now I'm trying to fix my login issue. Whenever I log in I get the JS pop up that says I successfully logged in, but I don't get redirected to the index. I think I do get sent to my index.php (there's no reason for my JS redirect to NOT function) but my index sends me right back to login and I don't understand why.
Start Session in head.php page.
head.php
<?php
if($pagename != "login") {
session_start();
if(!$_SESSION['login']) {
header('location: login.php');
exit();
}
}
?>

STARTING a LOGIN SESSION in PHP

I have created a login script and it works fine, however, I would like to implement sessions.. I am currently having some trouble with it because my session script is only partially executed. Below is my login script and the test page I'd like it to redirect to, IF the user is logged in.. I want it to display the test page, if not, then I want it to redirect back to the login page (or in this case, the index.php file) and ask the user to login... see code below:
loginconfig.php:
<?php
// Create a connection
include("dbconfig.php");
if (isset($_POST['submit'])) {
if (empty($_POST['username']) or empty($_POST['password'])) {
header("location:index.php?msg0=Please complete the required fields.");
}
elseif (!empty($_POST['username']) && !empty($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$sql = mysqli_query($conn, "SELECT * FROM logininformation WHERE username = '$username' and password = '$password'") or die(mysqli_error($conn));
$login = ($sql) ? mysqli_fetch_assoc($sql) : false;
if (($login) == 0) {
header("location:index.php?msg1=Invalid username or password, please try again.");
}
elseif (($login) > 0) {
session_start();
$_SESSION['login'] = $_POST['username'];
//header("location:index.php?bid=$username&msg2=You are unable to log in at this time. Website is under construction.");
header("location:test.php?bid=$sessionwork");
}
}
}
?>
test.php:
<?php
session_start();
include("dbconfig.php");
$username = $_GET['bid'];
var_dump($_SESSION['login']);
// If user is logged in:
if(!empty($_SESSION['login'])){
echo "Welcome $username";
}
// If user is not logged in:
elseif(!isset($_SESSION['login'])){
header("location:index.php?msg4=You need to be logged in!");
}
?>
<html>
<head>
<title> user page </title>
</head>
<body>
<form name="logout" method="post" action="logout.php">
<input type="submit" name="logout" value="logout">
</form>
</body>
</html>
logout.php
<?php
session_start();
if(!empty($_SESSION['login'])){
session_destroy();
?>
<html>
Homepage
</html>
Now if you look at the test.php file.. I have sort of told it to check if a user is logged in. But unfortunately, the script only manages to execute the script where it says if the user is not logged in.. redirect to index.php... even if the user enters the correct login credentials and actually logs in. What could be the issue?
Any help will be much appreciated.
It should be like this in test.php:
if(isset($_SESSION['login'])){
// "$_SESSION['login']" with a quoted key inside double quotes is a parse error,
// so concatenate; escape the value before echoing it into HTML
echo "Welcome " . htmlspecialchars($_SESSION['login'], ENT_QUOTES, 'UTF-8');
}
else{
header("location:index.php?msg4=You need to be logged in!");
exit();
}
The same error is repeated in loginconfig.php.
Initially, I did not have a logout.php file.. therefore I was making the mistake of not destroying my session. The change I had to make to my initial scripting was to create a logout.php file. But when I did, the problem was still present.. in order for it to work.. I made the following changes to the logout.php file.. see below:
BEFORE:
<?php
session_start();
if(!empty($_SESSION['login'])){
session_destroy();
?>
<html>
Homepage
</html>
AFTER:
<?php
session_start();
session_destroy();
header("location:index.php");
exit();
?>
Thank you for those who helped, especially #Epodax for the GREAT support.
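The session fix above is the answer to the question asked, but two other things in the posted loginconfig.php and test.php deserve a mention: the SELECT is built by pasting $_POST['username'] and $_POST['password'] straight into the SQL string, and the password is stored and compared in plain text; test.php then echoes $_GET['bid'] into the page unescaped. The following rewrite is an added example, not the original poster's code. It assumes dbconfig.php still defines $conn as a mysqli connection (as in the original) and that logininformation has a password_hash column holding password_hash() output; both the column name and the placeholder messages are assumptions.

```php
<?php
// loginconfig.php - added example. Assumes dbconfig.php provides $conn (mysqli)
// and that logininformation.password_hash stores password_hash() output.
declare(strict_types=1);
require 'dbconfig.php';

function authenticate(mysqli $conn, string $username, string $password): bool
{
    // Parameterised query: the username travels as data, so a form value such
    // as  x' OR '1'='1  cannot change the statement.
    $stmt = $conn->prepare(
        'SELECT password_hash FROM logininformation WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $hash = null;
    $stmt->bind_result($hash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    // Verify even for an unknown user (against a throwaway hash) so "no such
    // user" and "wrong password" take about the same time.
    if (!$found) {
        $hash = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $valid = password_verify($password, (string) $hash);
    return $found && $valid;
}

function redirect(string $path, string $param = '', string $msg = ''): void
{
    $url = $path;
    if ($param !== '') {
        $url .= '?' . rawurlencode($param) . '=' . rawurlencode($msg);
    }
    header('Location: ' . $url);
    exit; // nothing after a redirect may run or be sent
}

// Guard for test.php: returns the HTML-escaped user name from the session,
// never from a ?bid= query parameter that anyone can set.
function current_user_html(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['login'])) {
        redirect('index.php', 'msg4', 'You need to be logged in!');
    }
    return htmlspecialchars((string) $_SESSION['login'], ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $username = trim((string) ($_POST['username'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    if ($username === '' || $password === '') {
        redirect('index.php', 'msg0', 'Please complete the required fields.');
    }
    if (!authenticate($conn, $username, $password)) {
        redirect('index.php', 'msg1', 'Invalid username or password, please try again.');
    }

    session_start();
    session_regenerate_id(true);   // fresh id once the user is authenticated
    $_SESSION['login'] = $username;
    redirect('test.php');          // test.php reads the name from the session
}
```

test.php becomes require 'loginconfig.php'; followed by echo 'Welcome ' . current_user_html(); and the logout form. Storing the hash means a leaked table no longer hands out working credentials, and the prepared statement removes the injection regardless of what the form sends.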

Session fails to maintain after page redirect

I have been beating my head over this. My code is virtually identical to other projects where this DOES work. Here is how I do it:
session_start();
set_up_session($username);
redirect_to('index.php');
And the two functions:
function redirect_to($location=null) {
if($location!=null) {
header("Location: {$location}");
exit;
}
}
function set_up_session($username) {
session_start();
$_SESSION['user_id']=$id;
$_SESSION['logged_in']=true;
$_SESSION['username']=$username;
}
if I comment out the redirect and echo any of the $_SESSION var's, the var reads correctly. But after the redirect, the session ends.
This is what's on the next page.
<?php if (!isset($_SESSION['logged_in'])) { ?>
// do stuff <-- this is what gets shown showing session is no longer active
<?php } else { ?>
<p>Hi, <?php echo $_SESSION['username']; ?></p>
<?php } ?>
make sure the page you are redirecting to has session_start() at the top of the document
if (session_status() !== PHP_SESSION_ACTIVE) {
session_start();
}
My first step I would do is try this on the next page:
<?php
if (isset($_SESSION['logged_in'])) {
echo $_SESSION['username'];
} else {
//do stuff
}
?>
I had a problem I posted earlier in dealing with sessions. My resolution to the problem was to set a $_SESSION[] to a variable. EX:
<?php
$Username = "Guest"; //Set your variable before you actually need it. (This is what fixed my problem)
if (isset($_SESSION['logged_in'])) {
$Username = $_SESSION['username'];
}
?>
NOTE: You might want to change the if (isset($_SESSION['logged_in'])) to instead check for if the username is set. For example:
<?php
$User = "Guest";
if (isset($_SESSION['username'])) {
$User = $_SESSION['username'];
} else {
//do stuff
}
?>
Also, as stated by the other user, make sure the page you redirect to has a session_start(); function in it. Otherwise, this will not work.

What is wrong with the way I'm establishing a PHP session?

I'm using the following code. Session is working on the same page; on the next page it is not showing the session variable value. Please let me know what I'm doing wrong?
<?php
session_start();
$_SESSION['emailaddress']=$emailAddress;
header("Location: $success "); /* Redirect browser */
exit;
?>
use session_start() in the page that you are redirecting to, as well ($success), before accessing the session values there
So that the "success.php" page looks something like:
<?php
session_start();
print_r($_SESSION);
?>
<?php
if($some_condition) // e.g. the credentials checked out
{
// the session must be started before its id can be regenerated
session_start();
session_regenerate_id();
$_SESSION['emailaddress']=$emailAddress;
header("location: member-index.php");
exit();
}
on secure page:
<?php
//Start session
session_start();
//Check whether the session variable is present or not (same key as set above)
if(!isset($_SESSION['emailaddress']))
{
header("location: access-denied.php");
exit();
}
?>
<p>This is secured page with session: <b><?php echo htmlspecialchars($_SESSION['emailaddress']); ?></b>
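The three threads above ("PHP Login and session", "Session fails to maintain after page redirect" and this one) all end with the same diagnosis: the page after the redirect never called session_start(), so it starts with an empty $_SESSION. When that is not the cause, the next suspects are output sent before session_start() or header() (the headers are already flushed), a session cookie that the browser does not send back (a Secure cookie issued over plain http, or a cookie path that does not cover the target URL), or a save path the server cannot write to. The helper below is an added troubleshooting example, not from any of the answers; it reports each of those conditions for the current request. Include it at the very top of the page that "loses" the session, after your own session_start() if there is one, and inspect the returned array.

```php
<?php
// session_diag.php - added example. Every key maps to a common cause of a
// session that is populated before header('Location: ...') and empty after.
declare(strict_types=1);

function session_diagnostics(): array
{
    $report = [];

    // 1. $_SESSION is only loaded from the cookie once session_start() runs
    //    on THIS request; a missing call on the redirect target is cause #1.
    $report['session_active']    = (session_status() === PHP_SESSION_ACTIVE);
    $report['sessions_disabled'] = (session_status() === PHP_SESSION_DISABLED);

    // 2. Any output (even a blank line before <?php) flushes the headers, so a
    //    later Set-Cookie or Location header is never sent.
    $file = null;
    $line = null;
    $report['output_already_sent'] = headers_sent($file, $line);
    $report['output_sent_at']      = $report['output_already_sent'] ? "$file:$line" : null;

    // 3. Did the browser present the session cookie at all? If not, the
    //    target page starts a brand-new, empty session.
    $name = session_name();
    $report['cookie_name']     = $name;
    $report['cookie_received'] = isset($_COOKIE[$name]);

    // 4. A Secure cookie set over plain http is dropped by the browser, and a
    //    cookie path that does not cover the redirect target is not sent.
    $params = session_get_cookie_params();
    $https  = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    $report['cookie_secure_on_plain_http'] = ($params['secure'] && !$https);
    $report['cookie_path']   = $params['path'];
    $report['cookie_domain'] = $params['domain'];
    $cookiePath = $params['path'] !== '' ? $params['path'] : '/';
    $report['request_under_cookie_path'] =
        strpos($_SERVER['REQUEST_URI'] ?? '/', $cookiePath) === 0;

    // 5. The file save handler must be able to persist data between requests.
    $savePath = session_save_path();
    if ($savePath === '' || $savePath === false) {
        $savePath = sys_get_temp_dir(); // PHP's default when save_path is unset
    }
    $report['save_path']          = $savePath;
    $report['save_path_writable'] = is_writable($savePath);

    return $report;
}
```

A false session_active with a true cookie_received on the redirect target is the "forgot session_start()" case from the answers above; a false cookie_received with cookie_secure_on_plain_http true means the login page set the cookie over HTTPS (or with the secure flag) and the target was reached over plain http.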

Help with php sessions

I'd like to know how to use a condition on php sessions.
In this code, if the user is not logged in the page will redirect to login.php.
<?
session_start();
if(!session_is_registered(username)){
header("location: login.php");
}
?>
What I want is to redirect the user to another php page if the user is logged in, and if not, stay on the same page. Like, if the user is not logged in keep the user on the index page, and if the user is logged in redirect the user to user.php.
For the login script I'm using code found on this site: http://www.phpeasystep.com/phptu/6.html
Thanks in advance.
Set a variable in $_SESSION when you have logged in.
i.e. in login.php:
if ( $passWordCorrect ) {
session_start();
$_SESSION['loggedIn'] = true;
}
in index.php:
session_start();
if ( !empty( $_SESSION['loggedIn'] ) ) {
// User logged in; do magic.
} else {
header('Location: user.php');
exit; // stop here so nothing after the redirect is sent
}
<?php
session_start();
if(!isset($_SESSION['username'])){
header("location: login.php");
exit();
}
?>
And in the login page you assign the variable like this:
<?php
session_start();
$_SESSION['username']='JohnDoe';
?>
The code is on the same page as the tutorial you linked to:
<?php
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
?>
But really you should be using the $_SESSION variable. On the login page:
<?php
session_start();
$_SESSION['username'] = $username;
?>
And then on the other pages:
<?php
session_start();
if (!isset($_SESSION['username'])) {
header('location: login.php');
exit(); // do not let the rest of the page run after the redirect
}
?>
UPDATE
It is better to not use short tags (i.e. <?php instead of <?).
