Hello I have a strange issue, where I have a log-in page index.php: in which log-in page I am setting:
$_SESSION['user'] = $row['username'];
for users which have been logged in successfully.
Then on the landing page I have a check to see if user is logged in, if not to be redirected to the log-in page:
if(!$session->is_loggedin()) {
// session no set redirects to login page
$session->redirect('index.php');
}
Inside the class file:
public function is_loggedin() {
if(isset($_SESSION['user'])) {
return true;
}
}
So the problem which I am facing is presented only on the internet server on the local host xampp everything works fine. Problem is if I log-in to the site. then If do log out and type the log-in URL I am getting redirected to the home.php where I am making a print_r($_SESSION) and it shows that there is session in the array like the session still exists. but when I click on any links on the menu I am send back to log-in page without a session.
and have to log-in.
code on the index.php page to check if session exists:
if($login->is_loggedin()!="") {
$login->redirect('home.php');
}
So in this case every time a user comes to the page it shows like he is logged in but it is not and then he can see the home.php which is supposed to be protected. Once a user click on any menu link it get's redirected to the log-in page.
I guess it might be some php configuration since on the localhost XAMPP is working. Any idea where I have to look ?
EDIT: I have placed the following check on the index page:
if(isset($_SESSION['user']) && !empty($_SESSION['user'])) {
echo 'Set and not empty, and no undefined index error!';
}
to check if there is a session , so each time when I open the URL it shows TRUE. when I open /home.php it opens home page clicking on any links redirected to home page where it does not echo anything. It feels like the server is caching the first page with session each time when I open it. or the browser automatically is sending this information to the server.
Or another case scenario which is experienced sometimes is. I am opening the site and getting logged it. clicking any button I am redirected to log-in page after second log-in attempt everything works just fine.
Another thing that occures is that when a fake session is established all the Bootstrap Glyphicon are showing squares instead of actual icons
I see that the in php info session.use_only_cookies is set to ON maybe this is the issue.
for starters, your login check,
if($login->is_loggedin()!="")
{
$login->redirect('home.php');
}
why is this not if($login->is_loggedin()!== true)
This would take out any strange returns on the if check,
Currently if it sees anything that is not "", it will not redirect to home, ie. if your function returns false.
Thats the main thing that stands out to me, (i may be way off base here)
Related
I built a php website where a user signs in and a session with the user credentials are created. For every page that requires users to be signed in, I created a function where it checks for the session variables. Now all of my code seems to work like a charm when I use the site directly with the server IP address (example: http://123.45.67.891/mywebsite). However, once I assigned a subdomain via "domain masking" from GoDaddy, all the session seems to not work at all. I tried to search through other Stackoverflow posts and any google searches but cannot seem to resolve it. The website does not redirect any pages to a different subdomain like I've read to other posts. All redirects on this website I built is within the same subdomain masking. Now, I do suspect that this masking is causing the cookies to get confused...
So the result I'm getting currently is that when you submit the signin form, the php code runs, creates the sessions successfully, returns success info to ajax, the ajax success function redirects to the next page, but as soon as it reaches to the next page, my code to check for credentials immediately throws the user back to the index page as it does not see any Sessions. The function is working as intended as I wrote it to prevent anyone from accessing the page without being signed in. But with the domain masking, a user is never able to signin...
Is there a solution to this or do I need to rid the subdomain masking and purchase a separate domain for this so it can work like a normal website?
Below is a snippet where I create the session and the snippet where I run the credential check.
Thanks!
//====== Create sessions at signin
... mysqli calls before this with Posts from ajax ...
session_set_cookie_params(0,'/','.mywebsite.com');
session_start();
$_SESSION["TYPE"] = $row[3];
$_SESSION["USERNAME"] = $row[0];
$_SESSION["FULLNAME"] = $row[2];
session_write_close();
... some codes returning success call to ajax where javascript then redirects to the user dashboard page...
//======= Credential Check
function checksignin(){
session_set_cookie_params(0,'/','.mywebsite.com');
session_start();
if(!isset($_SESSION["USERNAME"])){
session_destroy();
header('Location: ../index.php');
exit;
else if(empty($_SESSION["USERNAME"])){
session_destroy();
header('Location: ../index.php');
exit;
}
}
Imagine I have a page called index.php and several other pages that are linked to it. Any link on index.php requires logging in to access it. All the links on index.php should redirect me to another page but only after a successful login.
How can I go to any link I clicked automatically after I log in successfully. An example is, when I click on xxxxxxxxxxx.php, it takes me to the login page first and, after I successfully login, I would prefer it takes me to xxxxxxxxxxx.php for that instance.
you can achieve this in two method
while redirecting to login page add current link as get parameter like
redirect to login.php?from=xxxxxxxxxxx.php
or using $_SERVER['HTTP_REFERER'] from login page it will give the the priovious page url
Here is the solution i got based on your requirements:
in any page you don't want a user to access unless he is logged in you must do the following
<?php
if(!isset($_SESSION['activeUser'])){
echo "please login to view this page";
header("refresh:3; url=login.php"); // you can set how many seconds you want before redirecting the user
die();
}
?>
in your login page, you need to setup a session named for example $_SESSION['activeUser'], in which you can validate where a user can and can not enter.
Side note, users should not be able to see links that you don't want them to click on unless they are logged in. my answer above is for validating when a user tries to access a page in your website from the url.
I came up with a solution and it works. I'm not quite sure how safe it is but check it out
First, if the person is not logged in I redirect to the login page with the requested page set to $_SERVER['PHP_SELF'];.
if (!isset($_SESSION['user_id'])) {
header('Location: ../login?next='.$_SERVER['PHP_SELF']);
$db = null;
die();
}
Then is the person logs in successfully I set the requested page to the header() if it exists else I proceed to the dashboard.
if (isset($_GET['next'])) {
$location_redirect = $_GET['next'];
} else {
$location_redirect = "member/dashboard";
}
header("location: $location_redirect");
I've got a question.. I have 3 main files on my root directory which looks like this:
1- index.php
2- login.php
3- dashboard.php
Basically If a user goes to my site ,he will redirected automatically to index.php file which contains a captcha code & if he enters the correct code ,he will redirected to the login.php file. So he can use his information to sign in to the dashboard.php file.
The problem is ,he can access to the login page without entering any code at index page. for example he can go to this url and access the login page manually:
http://www.example.com/login.php
Is there a way to reject and deny the accessing of a user from a custom page ? So in this situation ,he MUST access the index page and after that he will be redirected to the login page.
It would be very helpful if you know how to solve this question ... Thanks in advance!
I have this at the top of each of my pages. If the session variable is not set, provide a link to the login page (this could be a redirect if you want), and do not display anything else. If the session variable has been set, meaning the user is logged in, then proceed with displaying the page.
<?php
//start the session
session_start();
//If the user is not logged in: provide a link to the login page.
if (!isset($_SESSION["CurrentUser"])){
?><a href="login.php"' >Click here to Login</a><?php
exit(); //Do not display the rest of the page. This will stop the PHP from executing. Important!
//If the user is logged in: show them the page
}else{
require_once('top.php');
//in addition to including top.php, the code below this line will execute.
}
?>
On your login page, wherever you do the authentication piece, just add this upon successful login.
$_SESSION["CurrentUser"] = $username
on each file except the index,, check for the session,,create the session into the index.php, so the other file will catch the session, if there is no session setted, then show message,,,
session_start();
if(!isset($_SESSION['session_name'])){
echo '<script language="javascript">';
echo 'alert("Please Insert The Code")';
echo '</script>';
echo("<script>location.href = 'index.php';</script>");
}
So for some reason, I tried http_referer and it isn't working for me...or maybe it is but this is the reason why I'm trying a workaround. I'm testing a login script in my browser and I want the user to go back to the previous page which they were visiting.
The issue I ran into is when I put in my login credentials, Firefox and Chrome pop out a "Save Password" option and I THINK it acts like a page. So when http_referer is called or when
echo '<script type="text/javascript">javascript:history.go(-1);</script>';
The page is still on the login page! Well what if the user clicks once "Don't Save" and that option is saved...then using history.go(-2) wouldn't work. Here's the workaround I tried but I can't get it to work.
Initially if the login info is correct, I call the first history.go(-1). Then I'm using this function to get the current page and if it matches login.php, I want to go back one more page! But it's not working. Please advise me
if($login_check > 0){
echo '<script type="text/javascript">javascript:history.go(-1);</script>';
function curPageName() {
return substr($_SERVER["SCRIPT_NAME"],strrpos($_SERVER["SCRIPT_NAME"],"/")+1);
}
$curpage = curPageName();
if ($curpage = "login.php"){
echo '<script type="text/javascript">javascript:history.go(-1);</script>';
}
}
I've also read to use sessions but my session array saves data for the shopping cart so I'm not sure how I would use sessions for navigation.
Why not store the URL of the page that redirects to the login page in a session and then redirect to it on a successful login? That way even if the user has a few failed login attempts they'll still get to the right page.
Another benefit for this method over javascript is that the redirect is sent in the header on page request, no need to send the user js.
Save the URL as a session variable when the user is not logged in.
// not logged in
$_SESSION['redirect_url'] = 'http://'.$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
//now redirect to login page, something like
header("Location: http://www.site.com/login");
Nb. The URL above is crudely constructed, if you are using SSL or a different port (not 80) you'll need to change it accordingly.
Retrieve it on successful login
//login successful
header("Location: ".$_SESSION['redirect_url']);
exit;
I am working on creating a website from scratch and am currently stuck with session stuff.. I know generally how sessions work and how to store things into $_SESSION after session_start() but my main problem is this. After clearing the cache and opening a new window, submitting a login request the FIRST time wont submit correctly and the page reloads and nothing has changed, but AFTER the first time, it works fine...
my login.php handles either a) the post request, or b) the login via url (for testing purposes) so a link to "user/login.php?username=facebook&method=get" would be sent to the code below and set the user to logged in with the name facebook..
<?php
session_start();
$method = $_GET['method'];
if($method == "get") $_SESSION['username'] = $_GET['username'];
else $_SESSION['username'] = $_POST['username'];
header('Location: http://www.imggroups.com');
?>
Im not sure if this matters, but, on the index page, I check to see if the user is logged in by doing this. starting session obviously, then doing. if(isset($_SESSION['username'])) echo whatever i need for logged in.. else echo whatever for not logged in.....
The issue is that you are redirecting the user to a new page, but the old page has not finished closing, so the session is not yet saved.
In order to fix this I usually setup an interum page which redirects to the correct page.
Alternatively you might be able to use session_write_close() (http://www.php.net/manual/en/function.session-write-close.php) before using the header redirect
The fact of the matter is, it is setting the session, BUT it's redirecting you to a different domain that the session isn't allowed on. If you access the website without the 'www.' in front then get redirected to the www version afterwards, then it's going to say your session doesn't exist. Use the following:
session_set_cookie_params(0, '/', ".imggroups.com");
Put it before your session_start() and it will work for both www and non-www versions of your site.
If that is the total of the login.php, I believe there is easier ways to do that:
If it does not matter whether the username actually comes in via _GET or _POST, then use _REQUEST as it encapsulates both.
if( isset($_POST['username'] ) {
$_SESSION['username'] = $_REQUEST['username'];
}
If it does matter, you don't have to trust or use an external parameter, just look at what's there:
if( isset($_POST['username'] ) {
$_SESSION['username'] = $_POST['username'];
} else if( isset($_GET['username'] ) {
$_SESSION['username'] = $_GET['username'];
} else {
// whinge
}
I've not run into that issue with PHP before, but you can also do a session_write_close(); to force it to write out the session before it redirects to the other page.
I also had this same issue if i open new window after logout in new tab or browser and try to log in login page stuck at loading i can see that session has been started because if i refresh on same stuck window i logged in to my dashboard.
But it was resolved later by redirecting it right:
Before
login.php (after ajax successful) --> index.php (if logged in) --> dashboard.php
After
login.php (after ajax successful) --> dashboard.php
hope it saves anybody's time & effort because i suffered alot!