php pages restrictions, how to make it work - php

Below is my admin panel code:
<?php
session_start();
if (!isset($_SESSION['username']))
{
header("Location: login.php");
}
if (isset($_SESSION['username'])&& $_SESSION['status'])
{
include('adminnav.php');
}
?>
And this is my usernav bar:
<?php
session_start();
if (!isset($_SESSION['username'])&& $_SESSION['status'])
{
header("Location: login.php");
}
if (isset($_SESSION['username'])&& $_SESSION['status'])
{
$_SESSION['status'];
header("Location: usernav.php");
}
?>
I have the same login interface for admin and user. When I log in to the system with a user profile, the user can access admin pages, e.g. remove user etc. All I want to know is how to restrict the user page and admin so that user can access admin page.

Related

php page protected with roles but not against guests

I am trying to protect some PHP pages with roles. The code I am using works when people log in, but if they know the link and don't log in they can access the page, and I can't understand why.
Can anyone help me?
I am using this code to protect the page where only users with the role "admin" can access.
<?php
// Initialize the session
session_start();
// If session variable is not set it will redirect to login page
if(isset($_SESSION['username'])){
    if ($_SESSION['role']=='admin') {
    } else {
        header('location: index.php');
    }
}
?>
Try this:
<?php
// Initialize the session
if(!isset($_SESSION)) {
    session_start();
}
// If session variable is not set it will redirect to login page
if(empty($_SESSION['username'])) {
    header('Location: index.php');
    exit; // stop here so the protected page is not sent to a guest
} else {
    if ($_SESSION['role'] != 'admin') {
        header('Location: index.php');
        exit; // stop here for logged-in users without the admin role
    }
}
?>

Preventing access to login and registration script when logged in (PHP SESSION)

I was wondering how I can restrict access for users who are logged in.
I know how to do it the other way around, e.g. restrict access for people who are not logged in.
I want to do this because I don't want them to access login and registration when they are logged in.
Here is my session if it helps:
<?php
session_start();
if(!isset($_SESSION['user_id']) || !isset($_SESSION['logged_in'])){
//User is not logged in. Redirect them back to the login.php page.
header('Location: login.php');
exit;
}
?>
And here is the session when they log in
if($validPassword){
$_SESSION['user_id'] = $user['id'];
$_SESSION['logged_in'] = time();
header('Location: index.php');
exit;
}
Thanks.
Obviously you have to check if the user is logged in:
// login.php
if(isset($_SESSION['user_id']) && isset($_SESSION['logged_in'])) {
header('Location: /somewhere');
exit;
} else {
// show form or whatever
}
On login.php, check if they're logged in, and print an error or redirect them.
if (isset($_SESSION['logged_in'])) {
die("You're already logged in");
}

How to create logout without SQL and only PHP?

So far, I have only the login.html files which has login form, redirects user once logged on and logout function. What I want to do is once a user logs in, they redirect to but their username is displayed on the top of the page. And with the file... I just want it to be able to logout the user. So far on my website, I can login as far as I am concerned, and it redirects once user logs in, but I can login as many times as I want, and I can logout as many times as I want.... It's complicated to sort out and I want to do this without SQL or any other server-side storage (since I am only using HTML local storage).
You have to remove the session of username in logout code
unset($_SESSION['username']);
Hope this helps. If not, it would be better if you could provide the code, so that the problem can be sorted out.
WRITE THIS ALL IN TOP PAGE
IN YOUR LOGIN PAGE
<?php
session_start();
if (isset($_POST["submit"])) {
$username = $_POST["username"];
$_SESSION["username"] = $username;
header('Refresh: 5; URL=GameWebsite.php');
}
?>
IN YOUR LOGOUT PAGE
session_start(); // start the session first, otherwise $_SESSION is never populated
if(isset($_SESSION['username']))
{
    session_unset();
    session_destroy();
    // Send the redirect header before any output, then show the message.
    header('Refresh: 5; URL=login.php');
    echo " You have successfully logged out... You will be redirected back to the login page in a moment. ";
}
else
{
    header("Location:login.php"); // user has no session
    exit;
}
IN ANOTHER PAGES YOU CHECK
if(isset($_SESSION['username']))
{
    // user is logged in, show the page
}else
{
    header("Location:login.php"); // user has no session
    exit; // stop so the rest of the page is not sent
}
in your login page write on top
if(isset($_SESSION['username']))
{
header('Refresh: 5; URL=GameWebsite.html');
}
In your logout.php write
session_start(); // start the session first, otherwise $_SESSION is never populated
if(isset($_SESSION['username']))
{
    session_unset();
    session_destroy();
    // Send the redirect header before any output, then show the message.
    header('Refresh: 5; URL=Login.html');
    echo " You have successfully logged out... You will be redirected back to the login page in a moment. ";
}
else
{
    header("Location: login.php");
    exit;
}
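The login, "already logged in" and logout checks from the two questions above, collected into one helper file as an added example (not code from any of the posts). The file name and function names are assumptions; the `user_id` and `logged_in` session keys follow the earlier question.

```php
<?php
// session_lifecycle.php - added example; file and function names are assumptions.
declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function is_logged_in(): bool
{
    start_session_once();
    return isset($_SESSION['user_id'], $_SESSION['logged_in']);
}

// Call only after the password has been verified.
function log_in(int $userId): void
{
    start_session_once();
    session_regenerate_id(true);      // fresh session ID once the user is authenticated
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
}

function log_out(): void
{
    start_session_once();             // the session must be open before it can be destroyed
    $_SESSION = [];                   // drop the data held in this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [   // expire the browser's session cookie
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();                // remove the server-side session data
}

function redirect(string $url): void
{
    header('Location: ' . $url);
    exit;                             // nothing after a redirect should run
}
```

With this file included, login.php and the registration page begin with `if (is_logged_in()) redirect('index.php');`, and logout.php is `log_out(); redirect('login.php');`.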

PHP session does not work to go another page after login

I want to log in on a page. If the user is an admin, he will be redirected to the admin home page, and if he is a user, he will be redirected to the user home page. But my problem is that when I set a session on the admin homepage or user homepage, it does not work. There is a file named "homepage.php" that I use to create the session on the admin homepage. Without this part, after login, the user enters the homepage. But with this part the user is always redirected to the index.php page. Where is the problem in my code?
homepage.php
<?php
session_start();
if(!isset($_SESSION["sess_user"]) || $_SESSION['sess_user']!='1')
{
header("location:../index.php");
}
else
{
$username = $_SESSION['sess_user'];
include ('database.php');
}
?>
try this
<?php
session_start(); // needed before $_SESSION can be read
if(isset($_SESSION['sess_user']))
{
    if($_SESSION['sess_user']=='admin')
    {
        header("Location: adminhomepage.php");
        exit;
    }
    else
    {
        $username = $_SESSION['sess_user'];
        header("Location: userdashboard.php");
        exit;
    }
}
else
{
    header("location:../index.php");
    exit;
}
?>

Add Exception or condition for logged in user PHP MYSQL

Sorry, I'm a beginner in PHP MySQL. I want to ask how to add an exception on this page for different types of users.
I only have 3 types: ADMIN, TEAM LEADER and AGENT.
ADMIN = can access all the pages
both TEAM LEADER and AGENT were not.
So the logic is: only ADMIN can visit this page; if not, head to index.php.
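<?php
session_start();
include_once 'dbconnect.php';
if(!isset($_SESSION['user']))
{
    header("Location: employee.php");
    exit; // stop so the rest of the page does not run for a guest
}
// Cast the id to an integer so the request value cannot change the query
$id = isset($_GET['id']) ? (int)$_GET['id'] : 0;
$res=mysql_query("SELECT * FROM accounts WHERE user_id=".$id);
$userRow=mysql_fetch_array($res);
?>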
On your log in page place this line in the code block where the user is found and validated... $_SESSION['UserGroup'] = $LoginRS['Permission'];
Whereas $LoginRS is the name of your sql query and ['Permission'] is the field in the database that stores user level permissions.
Then at the top of your page you can determine if the logged in user has permission to view this page...
<?php
if (!isset($_SESSION)) {
session_start();
}
if(isset($_SESSION['UserGroup']) && $_SESSION['UserGroup'] == 'Admin') {
?>
<html>
<body>
Page Content
</body>
</html>
<?php
} else {
header("Location: index.php");
exit;
} // end if user is not admin
?>
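A reusable guard covering the cases raised in the questions above (a guest with no session, a logged-in user with the wrong role, and the three-role setup), as an added example that is not code from any of the posts. The file name `auth.php`, the helper names and the role strings are assumptions; the `username` and `role` session keys follow the earlier question.

```php
<?php
// auth.php - added example; helper names and role values are assumptions.
declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/**
 * Pure decision function: returns null when access is allowed,
 * otherwise the page the visitor should be redirected to.
 */
function access_redirect(array $session, array $allowedRoles): ?string
{
    // Guest: no username in the session at all.
    if (empty($session['username'])) {
        return 'login.php';
    }
    // Logged in, but the role is missing or not on the allow-list.
    // Strict comparison avoids loose-typing surprises with ==.
    $role = $session['role'] ?? null;
    if (!is_string($role) || !in_array($role, $allowedRoles, true)) {
        return 'index.php';
    }
    return null;
}

function require_role(string ...$allowedRoles): void
{
    start_session_once();
    $target = access_redirect($_SESSION, $allowedRoles);
    if ($target !== null) {
        header('Location: ' . $target);
        exit; // without this the protected page is still rendered and sent
    }
}

// Constructed sessions showing the three outcomes (only runs from the CLI):
if (PHP_SAPI === 'cli') {
    var_dump(access_redirect([], ['admin']));                                        // guest
    var_dump(access_redirect(['username' => 'bob', 'role' => 'agent'], ['admin']));  // wrong role
    var_dump(access_redirect(['username' => 'amy', 'role' => 'admin'], ['admin']));  // allowed
}
```

Each admin-only page then starts with `require 'auth.php'; require_role('admin');` before any output, and a page open to two roles passes both, e.g. `require_role('admin', 'team_leader')`.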
