Session start include - php

I am quite insecure about sessions. I am making a site where a user can log in. All my pages, no matter if you are logged in or not, are calling a header.html. So on my index.php, which everybody can see, I have the following code:
**index.php**
<?php
if( !isset( $_SESSION['username'])) include('resources/auth/login.php');
else exit( header('Location: home.php') );
if( !isset( $_SESSION ) ) session_start();
if( isset( $_GET['todo'] ) && $_GET['todo'] == 'logout'){
session_unset();
session_destroy();
//echo 'You have been logged out!';
}
?>
<?php include 'resources/includes/header.html';?>
<!-- A lot of code -->
<?php include 'resources/includes/footer.html';?>
The session code comes before my header, and I am redirected to home.php. Should I have that session code in my header instead?
home.php
<?php
if( !isset( $_SESSION ) ) session_start();
?>
<?php include 'resources/includes/header.html';?>
<!-- A lot of code -->
<?php include 'resources/includes/footer.html';?>
So I just realised earlier today that I am actually including a session in my body? Because in my header.html I do not have anything with sessions. So should I have the session in my header.html? And in that case, how can I do that the smartest way?

The session_start() must always be run BEFORE you attempt to access any $_SESSION variables.
So the safest way to code it is to always add it just after your first <?php in the script.
index.php
<?php
session_start();
if( !isset( $_SESSION['username'])) include('resources/auth/login.php');
And
<?php
session_start(); // start (or resume) the session before anything touches $_SESSION
include 'resources/includes/header.html';
// A lot of code
include 'resources/includes/footer.html';
?>
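One way to apply the answer above across every page, as an added example (not code from the question or the answer): a single include that starts the session before any output, handles the `?todo=logout` link from the question, and offers two helpers for the index/home split. The file name resources/session.php and the cookie settings are assumptions.

```php
<?php
// resources/session.php (assumed file name, added example; not the asker's or
// answerer's code): every page requires it before sending any output, so
// session_start() always runs before $_SESSION is read and header() still works.

// Cookie flags are constructed settings: no JavaScript access, HTTPS only
// (set 'secure' to false only on a plain-HTTP dev box), not sent cross-site.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Logout (?todo=logout, as in the question): empty the data, drop the cookie,
// then destroy the server-side session, and stop before any page is rendered.
if (isset($_GET['todo']) && $_GET['todo'] === 'logout') {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: index.php');
    exit;
}

function is_logged_in(): bool
{
    return isset($_SESSION['username']);
}

// For pages such as home.php that only logged-in users may see.
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: index.php');
        exit; // never let the rest of the page run after a redirect
    }
}

// index.php then begins with:
//   require 'resources/session.php';
//   if (is_logged_in()) { header('Location: home.php'); exit; }
//   include 'resources/auth/login.php';   // not logged in: show the form
// and home.php with:
//   require 'resources/session.php';
//   require_login();
```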

Related

Session Won't Start

In my login php page, after I check if the user's info is saved in the database, I set a session:
$_SESSION['username'] = $user;
if (isset($_SESSION['username'])) {
header( 'Location: index.php' );
}
and put session_start(); on this page at the tippy top.
Then it redirects me to index.php, telling me that the session has been set. On this page, I put session_start(); at the top but in the login area, I type:
<?php if (!isset($_SESSION['username'])) { echo $_SESSION['username'];?><li class="cat_0" id="login_btn_1">Login / SignUp</li>
<?php }
else {?>
<span id="login_show"><?php echo $_SESSION['username']; ?><a href="/account/logout.php?logout=1" id="logout_btn">LOGOUT</a></span>
<?php }?>
but every time, even if I reload, it shows the result for the !isset(), so that is telling me the session variable is not set. I check in my Chrome cookie settings and it shows that PHPSESSID is set each time I test the login. Can anyone explain why my session is not starting or what the problem is?
This is probably due to a simple race condition between your script and your session handling.
$_SESSION is a superglobal which has a specific way of working.
You are actually trying to access a superglobal variable which still only exists in the buffer of the session handler. If you want to access the session variable, you need to write the buffered data to the session by calling session_write_close() first:
$_SESSION['username'] = $user;
session_write_close(); // remember, you can no longer write to the sessions any more
if (isset($_SESSION['username'])) {
header( 'Location: index.php' );
exit; // just for safety
}
On the login page
-----------------
session_start();
if( !isset( $_SESSION['username'] ) && isset( $user ) ) $_SESSION['username'] = $user;
if( isset( $_SESSION['username'] ) ) { header( 'Location: index.php' ); exit; }
On the index page
-----------------
session_start(); // must come first, or $_SESSION is empty on this page
if ( isset( $_SESSION['username'] ) ) {
echo '<span id="login_show">
'.$_SESSION['username'].'
LOGOUT
</span>';
} else {
echo "
<a href='/login.php'>
<li class='cat_0' id='login_btn_1'>Login / SignUp</li>
</a>";
}
There was an error in the html - there were two closing a tags together and quite often badly formed html can do all sorts of weird things to the display of the page.
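As an added example (not the asker's or either answerer's code), the two halves of the flow in this question, with the details a practitioner would want: a fresh session id when the login succeeds, `exit` right after the redirect, and escaping of the username before it is echoed. `$user` is assumed to hold the username already verified against the database.

```php
<?php
// login.php (added example): $user is assumed to be the database-verified username.
session_start();

function complete_login(string $user): void
{
    // Issue a new session id on login, so an id handed to the browser before
    // authentication does not stay valid afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['username'] = $user;
    // Write the session to storage before handing off to the redirect.
    session_write_close();
    header('Location: index.php');
    exit; // nothing after a redirect header should keep running
}

if (isset($user)) {
    complete_login($user);
}
?>

<?php
// index.php login area (added example): same markup as the question.
session_start();
if (isset($_SESSION['username'])) {
    // The username came from user input once; escape it before echoing.
    $name = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    echo '<span id="login_show">' . $name
       . ' <a href="/account/logout.php?logout=1" id="logout_btn">LOGOUT</a></span>';
} else {
    echo '<li class="cat_0" id="login_btn_1">Login / SignUp</li>';
}
?>
```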

php - Check Session strange behaviour

EDIT: Just wanted to add that, by not having
exit();
as pointed out by zerkms and user1578653, this code is useless and probably dangerous, and it should not be used.
I'm writing a small CMS and checking to see if the user is logged in through sessions. Every page in my backoffice has a:
require('includes/security.php');
with the following code
<?php
session_start();
session_regenerate_id();
if (!isset($_SESSION["user_logged"]) or !isset($_SESSION["ip"]) )
{
session_destroy();
unset($_SESSION['user_logged']);
unset($_SESSION['ip']);
unset ( $_SESSION );
header("location: index.php");
}
if ($_SESSION["ip"] != $_SERVER['REMOTE_ADDR'])
{
session_destroy();
unset($_SESSION['user_logged']);
unset($_SESSION['ip']);
unset ( $_SESSION );
header("location: index.php");
}
if ($_SESSION["user_logged"] != "yes")
{
session_destroy();
unset($_SESSION['user_logged']);
unset($_SESSION['ip']);
unset ( $_SESSION );
header("location: index.php");
}
?>
If I try to access any page directly it works as intended and redirects me to index.php, except for a single page.
This page simply takes in data from a POST and updates/deletes the images/data in the database.
The only difference I can think of is that this page doesn't have any HTML, and it's in the same folder as every other.
But when I try to access it directly, instead of redirecting me it throws:
Notice: Undefined variable: _SESSION
Warning: session_destroy() [<a href='function.session-destroy'>function.session-destroy</a>]: Trying to destroy uninitialized session
This page starts exactly like this:
<?php
require('includes/security.php');
// Engine - Update and Delete Images
What could be causing this?
Your code is most likely trying to destroy the session multiple times (once in each 'if'). You're also doing the exact same thing in each 'if' - try changing the code in security.php to:
<?php
session_start();
session_regenerate_id();
if(
!isset($_SESSION["user_logged"]) ||
!isset($_SESSION["ip"]) ||
$_SESSION["ip"] != $_SERVER['REMOTE_ADDR'] ||
$_SESSION["user_logged"] != "yes"
) {
session_destroy();
unset($_SESSION['user_logged']);
unset($_SESSION['ip']);
unset ( $_SESSION );
header("location: index.php");
exit();
}
?>
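An added example (not the asker's or answerer's code) of the same guard written so the session is torn down exactly once and in the order the PHP manual recommends, which is what avoids the "Undefined variable: _SESSION" notice and the double session_destroy() from the question. The file name includes/security.php comes from the question; the function names are assumptions.

```php
<?php
// includes/security.php (added example): required by every backoffice page.
session_start();

// Validate once and say why it failed, so the caller tears down only once.
function backoffice_session_problem(): ?string
{
    if (!isset($_SESSION['user_logged'], $_SESSION['ip'])) {
        return 'no login recorded';
    }
    // Caveat: binding to REMOTE_ADDR logs out users whose address changes
    // (mobile networks, proxies); keep it only if that trade-off is wanted.
    if ($_SESSION['ip'] !== $_SERVER['REMOTE_ADDR']) {
        return 'client address changed';
    }
    if ($_SESSION['user_logged'] !== 'yes') {
        return 'not marked as logged in';
    }
    return null;
}

function end_session_and_redirect(string $to): void
{
    // Empty the array, drop the cookie, then destroy. Never unset($_SESSION)
    // itself, and never read $_SESSION after session_destroy(): that is what
    // produced the notice and warning in the question.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: ' . $to);
    exit; // without this, the POST handler after the require() would still run
}

if (($why = backoffice_session_problem()) !== null) {
    // $why is for server-side logging only; it is never shown to the client.
    end_session_and_redirect('index.php');
}

// Only a valid session reaches this point: rotate the id per request, as the
// original did, and delete the old session file while doing so.
session_regenerate_id(true);
```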

SESSION isset, redirect

This is my code for userslist.php. I put it above the head of this page so that if this link is clicked, only admin can enter the page, as filtered; that is why I have redirections.
session_start();
$loggedInfo['username'] = $_SESSION['username'];
if(
isset($loggedInfo['username']) && $loggedInfo['username']==="admin" &&
trim($loggedInfo['username']) != "guest"
)
{
header('Location: userslist.php');
}
else {
header('Location: ../index.php');
}
This is my PHP script and I have a problem with redirecting. On the header(location ...), when I changed it to echo true or false, the echo returns the value correctly. But when I put a redirect/location, it says:
This webpage has a redirect loop
Why is that? :(
Put this code at the top of userlist.php and try what you get
<?php session_start();
$loggedInfo['username'] = isset($_SESSION['username']) ? $_SESSION['username'] : null; // no notice when nobody is logged in
if($loggedInfo['username'] !== "admin"){ // not logged in, or logged in as someone other than admin
header('Location: ../index.php');
exit();
}
?>
Your page code goes here
You're probably including this code in all pages. Thus on userslist.php it will also redirect to userslist.php. This causes permanent redirects, which is a redirect loop.
This conclusion is however difficult to support without seeing all the code you are using.

how to use multiple headers in php with if statement

I want to redirect login.php to index.php when $_SESSION['user'] is not empty (user logged in)
<?php
session_start();
if (isset($_SESSION['user'])){
header ('refresh:3 ; URL:index.php');
}
?>
but when the user logs in, the page doesn't redirect to index.php
This should work:
<?php
session_start();
if (isset($_SESSION['user'])){
header('Location: http://www.yoursite.com/');
die();
}
?>
If you want to redirect the user after x seconds, then use
<?php
session_start();
if (isset($_SESSION['user'])){
header( "refresh:3;url=whatever.php" );
}
?>
You're doing it wrong. Example of how to do it and some more info about the header.
<?php
session_start ();
if (isset($_SESSION['user']))
{
header ('Refresh: 3; url=index.php');
// ^
}
?>
You used a colon; it should be an equal sign.
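One helper covering both redirect styles from the answers above, as an added example (not code from the question or any answer). `$url` is assumed to be a path on the same site.

```php
<?php
// Added example: immediate redirect via Location, delayed one via Refresh.
session_start();

function redirect_to(string $url, int $delay_seconds = 0): void
{
    if ($delay_seconds <= 0) {
        // Immediate redirect: send Location and stop, so nothing further is
        // sent or executed for a page the user will never see.
        header('Location: ' . $url);
        exit;
    }
    // Delayed redirect: "Refresh: <seconds>; url=<target>" with an equals
    // sign, not the colon from the question. Non-standard but honoured by
    // browsers. No exit here: the page body is still sent and shown until
    // the refresh fires.
    header('Refresh: ' . $delay_seconds . '; url=' . $url);
}

if (isset($_SESSION['user'])) {
    redirect_to('index.php', 3); // already logged in: show this page 3 s, then go
}
?>
<p>You are already logged in, taking you to the start page...</p>
```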

$_SESSION Help How To Use It In One Page? (With Redirect?)

I wonder if the following is possible?
My website has a secret link (website.com/?secret=yes). I want to make the URL look like (website.com) after they have entered, and show them the special content because they came from the secret link.
I thought about something like this possibly can work?
1. User navigates to (website.com/?secret=yes), create a $_SESSION and make it true, and instantly navigate to website.com
2. Check to see if $_SESSION = true; if true, show the special content?
I have the following code:
<?php $secret = isset( $_GET[ 'secret' ] ) ? sanitize_text_field( $_GET[ 'secret' ] ) : false; ?>
<?php if( 'yes' === $secret ) : ?>
<div>
<p>My secret content</p>
</div>
<?php endif; ?>
Is it possible to make use of this with $_SESSION, or do you have any ideas? I don't really know how $_SESSION works, but I read about it on php.net and I think it's possible?
Thank you!
P.S. I use WordPress.
You could try this inside of your index.php page:
<?php
session_start();
if(isset($_GET['secret']) && $_GET['secret'] === 'yes') {
$_SESSION['secret'] = true;
header('Location: http://www.website.com/'); // absolute URL; a bare host name would be treated as a relative path
exit; // stop here so the rest of the page is not sent along with the redirect
}
if(isset($_SESSION['secret']) && $_SESSION['secret'] === true) {
//Yay! Display secret content
}
?>
I've rewritten your code to work without a redirect at all. The secret sections can exist in the same page as the landing page, or in different pages. I've also modified the logic so that it will not "forget" the secret status if they come back to the landing page without "?secret=yes" in the URL. I've also updated the code with some basic JavaScript that will allow you to remove the "?secret=yes" from the URL without redirecting.
This code would go in any landing page:
<?php
session_start();
if(isset($_GET['secret']) && 'yes' === $_GET[ 'secret' ])
{
$_SESSION['secret'] = true;
}
?>
This code would go in the head section of your page, or the body section if you can't access the head.
<?php
if(isset($_GET['secret']) && 'yes' === $_GET[ 'secret' ])
{
echo '<script>history.pushState({},"","http://yourdomain.com/pageinurl/");</script>';
}
?>
This code would go on any page with secret code:
<?php if(isset($_SESSION['secret']) && true === $_SESSION['secret']) { ?>
<div>
<p>My secret content</p>
</div>
<?php } ?>
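As an added example (not the asker's or either answer's code), a landing page that combines both approaches above: it records the secret entry in the session, then redirects to the same address with only the `secret` parameter removed, so any other query parameters survive and no JavaScript is needed. The helper name is an assumption.

```php
<?php
// Added example for a landing page reached via ?secret=yes.
session_start();

// Rebuild the current request URI without one query parameter.
function url_without_param(string $request_uri, string $param): string
{
    $path  = explode('?', $request_uri, 2)[0];
    // REQUEST_URI is client-supplied: collapse a leading "//" so the redirect
    // can never become a protocol-relative link to another host.
    $path  = '/' . ltrim($path, '/');
    $query = (string) parse_url($request_uri, PHP_URL_QUERY);
    parse_str($query, $params);
    unset($params[$param]);
    return $params ? $path . '?' . http_build_query($params) : $path;
}

if (isset($_GET['secret']) && $_GET['secret'] === 'yes') {
    // Entry via the secret link: mark the session under a fresh id, then
    // drop the tell-tale parameter from the address bar with a real redirect.
    session_regenerate_id(true);
    $_SESSION['secret'] = true;
    header('Location: ' . url_without_param($_SERVER['REQUEST_URI'], 'secret'), true, 303);
    exit;
}

$show_secret = !empty($_SESSION['secret']);
?>
<?php if ($show_secret) : ?>
<div>
<p>My secret content</p>
</div>
<?php endif; ?>
```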
