I have a Google App Engine PHP website. I have a page with the following recaptcha form:
<?php
ob_start();
if($_SERVER["REQUEST_METHOD"] === "POST")
{
//verify captcha
$recaptcha_secret = "6LfkBQMTAAAAABN5yEqoqxoLqKOBKIvoCHZ-3vP3";
$response = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=".$recaptcha_secret."&response=".$_POST['g-recaptcha-response']);
$response = json_decode($response, true);
while (ob_get_status())
{
ob_end_clean();
}
if($response["success"] === true)
{
echo '<META HTTP-EQUIV="Refresh" Content="0; URL=register.php">';
exit;
}
else
{
echo "Please try again";
}
}
?>
Once the user types in the correct recaptcha they are sent to 'register.php'. This all works fine and the user is sent correctly. But the problem is the user can just type 'register.php' into the URL and access it. I am trying to make it that the user can only access this page if the recaptcha has been entered. (The recaptcha is on a different page to 'register.php').
I am using sessions, when the user is logged in, so have this on register.php and this needs to stay there:
<?php
session_start();
if ( !isset($_SESSION['username']) )
{
header("Location:error.php");
exit();
}
?>
Is there a way to do something like:
<?php
session_start();
if ( !isset($_SESSION['username']) )
{
header("Location:error.php");
exit();
}
and ($response["success"] === false)
header("Location:error.php");
exit();
}
Seems like you're looking for the Or logical operator, save the value before the redirect:
if($response["success"] === true)
{
$_SESSION['success'] = true;
echo '<META HTTP-EQUIV="Refresh" Content="0; URL=register.php">';
exit;
}
And now add a new check:
<?php
session_start();
if ( !isset($_SESSION['username']) || $_SESSION['success'] != true )
{
header("Location:error.php");
exit();
}
?>
If any of those expressions is true then the error block will be executed.
Related
here you may find my verification code
with this code i want not to redirect to another page only after logging in
how shall i do ?
<?php
if (isset($_SESSION['login']))
session_start();
if (!isset($_SESSION['login']) || $_SESSION['login'] != 'ok') {
header("location:login.php");
exit();
}
?>
i would use isset combined with empty just for extra precaution
session_start();
if(isset($_SESSION['login']) && !empty($_SESSION['login'])) {
header("location:user.php");
}
else {
header("location:login_form.php");
}
don't use exit(); just redirect
Trying to make a page redirect if not logged in. I'll try to show what I mean.
In the index.php:
<?php
// initialization of login system and generation code
$oSimpleLoginSystem = new SimpleLoginSystem();
echo $oSimpleLoginSystem->getLoginBox();
session_start();
$_SESSION["loggedin"] = False;
// class SimpleLoginSystem
class SimpleLoginSystem {
// variables
var $aExistedMembers; // Existed members array
// constructor
function SimpleLoginSystem() {
$this->aExistedMembers = array(
'test' => MD5('test'), //Sample: MD5('qwerty')
);
}
function getLoginBox() {
ob_start();
require_once('login_form.html');
$sLoginForm = ob_get_clean();
$sLogoutForm = 'logout';
if ((int)$_REQUEST['logout'] == 1) {
if (isset($_COOKIE['member_name']) && isset($_COOKIE['member_pass']))
$this->simple_logout();
}
if ($_REQUEST['username'] && $_REQUEST['password']) {
if ($this->check_login($_REQUEST['username'], MD5($_REQUEST['password'])))
{
$_SESSION["loggedin"] = True;
$this->simple_login($_REQUEST['username'], $_REQUEST['password']);
header( 'Location: /site.html' );
}
else {
return 'Username or Password is incorrect' . $sLoginForm;
}
} else {
if ($_COOKIE['member_name'] && $_COOKIE['member_pass']) {
if ($this->check_login($_COOKIE['member_name'], $_COOKIE['member_pass'])) {
header( 'Location: /site.html' );
}
}
return $sLoginForm;
}
}
In the site.php:
<?php
session_start();
if ($_SESSION["loggedin"] == 0)
{
header( 'Location: http://test-weeabear.c9users.io/' );
}
else
{
return "It worked!"
}
?>
Why is it when I open site.html, it redirects me back to index.html, even after logging in?
NOTE: Some things I changed, like links and names of files. For privacy.
You need session_start() at the start of your site.php
change the file extension from .html to .php
You are calling getLoginBox and then changing the loggedin back to false. You need to include an exit after the header redirect.
Like this:
header( 'Location: /site.php' );//changed to file extension as .php
exit;
I'm really lost here while trying to send a session with my jquery ajax post call, here is a simplified example of my code.
File fom which request is sent:
<?php
session_start();
$token = md5(rand(1000,9999));
$_SESSION['contactToken'] = $token;
?>
<script type="text/javascript">
$.post(ContactUrl,{req:"contact_sub",tok:"<?php echo $token; ?>"},function(contactAns){
alert(contactAns); return false;
});
</script>
File request is sent to:
<?php
if(#isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']=="url"){
if( isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) && ( $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' ) ){
session_start();
$token = $_POST['tok'];
$sess_token = $_SESSION['contactToken'];
if($token == $sess_token){
echo "sessions match"; exit();
}
else{
echo "sessions does not match"; exit();
}
}
else{echo "error"; exit();}
}
else{echo "error"; exit();}
?>
At first the session was not getting recognized, I made all the checks - made sure it was setup in the first place made sure it was posted, declared session start on both pages, never the less if i tried to do this on the second file:
<?php
session_start();
$token = $_POST['tok'];
$sess_token = $_SESSION['contactToken'];
print_r($_SESSION['contactToken']); exit();
?>
I would get an empty alert. Then I transferred the session start to the top of my script on the second page and started getting a value for the session:
<?php
session_start();
$sess_token = $_SESSION['contactToken'];
if(#isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']=="url"){
if( isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) && ( $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' ) ){
$token = $_POST['tok'];
echo "$token, $sess_token"; exit();
}
else{echo "error"; exit();}
}
else{echo "error"; exit();}
?>
And what I'm getting now is that the posted variable changes each time I refresh the page but the $sess_token always gives me the same value: 0589dd536fd043ff3865f8223fef3030
I really dont understand this wierd behavior, can some one please assist me with this?
Your problem here is that you're using a PHP var in an JS script without wraping and echoing it.. Here is your code modified:
You're also trying to contatenate with . in JS. That's from PHP too.
<script type="text/javascript">
$.post(ContactUrl, {
req: "contact_sub",
tok: "<?php echo $token; ?>"
}, function(contactAns) {
alert(contactAns);
return false;
});
</script>
Update
I came back to this answer again today. This is what I did:
FILE: index.php
<?php
session_start();
$token = md5(rand(1000,9999));
$_SESSION["contactToken"] = $token;
?>
<script type="text/javascript">
$.post("myOtherScript.php", {
req:"contact_sub",
tok:"<?php echo $token; ?>"
}, function(contactAns){
alert(contactAns);
return false;
});
</script>
FILE: myOtherScript.php
<?php
session_start();
$sess_token = $_SESSION["contactToken"];
if(isset($_SERVER["HTTP_X_REQUESTED_WITH"]) && ($_SERVER["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest")){
$token = $_POST["tok"];
echo $token ." - ". $sess_token;
} else {
echo "Not an AJAX request";
}
?>
What I get is the alert where one token is equal to the other and both are refreshed each time I reload the index.php file.
As a conclusion, your problem is not in the code you shared.
I have a PHP app where I'm trying to read two files (userdata.txt & passwords.txt). When somebody signs up, the information is sent in the form of these 2 files (with file_put_contents).
Now, how do I read each one's name/pass from these 2 files?
if ($_SESSION['isLogged'] == true) {
echo 'Exit';
header('Location: profile.php');
} else {
if ($_POST) {
$username = trim($_POST['username1']);
$pass = trim($_POST['password1']);
$regnames= fopen('userdata.txt');
$readname = fread($regname,'r');
$regpass= fopen('passwords.txt');
$readpass = fread($regpass,'r');
if ($_POST['username']==$readname && ($_POST['password']==$readpass)) {
header ('Location: profile.php');
exit;
}
else {
echo '<p class=" content alert alert-danger">Error data</p>';
}
}
}
Thanks.
I have a big problem and i cant solve it. My session variables are exchanged between files but after refresh of the second page they disappear.
Here's the code:
index.php
session_start();
header('Title: So random');
header('charset: UTF-8');
//if index.php?login is requested
if(isset($_REQUEST['login'])) {
//'pass' input box value (from POST) is saved to $pass variable.
$pass = $_POST['password'];
//if pasword matches Password.
if($pass == 'Password') {
//session_start();
$_SESSION['logintoken'] = "approoved";
header("Location: list.php");
die();
} else { $error = true; }
}
if(isset($_SESSION['logintoken'])) {
header('Location: list.php');
die();
}
?>
Random HTML With login page goes here...
And then we have page, which is availble only for logged in. After redirecting from login to it it's okay but after refresh i have "logintoken not defined".
list.php
<?php
session_start();
if($_SESSION['logintoken'] != "approoved") {
//'<meta http-equiv="REFRESH" content="0; url=index.php">'
die();
}
?>
<html> goes here....
header('Title: So random');
header('charset: UTF-8');
$_SESSION['logintoken']='' ;
EDIT:
perhaps this is better
if(isset($_SESSION['logintoken']) && ($_SESSION['logintoken'] != "approoved"))
EDIT 2:
header("Location: list.php?token=".$_SESSION['logintoken']);
list.php
if($_REQUEST['token'] != "approoved") {
//'<meta http-equiv="REFRESH" content="0; url=index.php">'
die();
}