I have two pages that require login: admin.php and rehab.php. Upon login I set two session variables:
if($row[2]=='Admin'){
// Initializing Session
session_start();
$_SESSION['user']=$username; // Initializing Session user
$_SESSION['dept']='Admin'; // Initializing Session dept.
header('location: admin.php');
}
else if($row[2]=='Rehabilitation Services'){
$_SESSION['user']=$username; // Initializing Session
$_SESSION['dept']='Rehabilitation Services';
header('location: rehab.php');
}
Both pages include header.php (where the username can be seen). I've decided to put the session validation in header.php:
session_start();
if (!(isset($_SESSION['user']) && $_SESSION['user'] != '')) {
header ("Location: login.php");
}
So whenever someone accesses the admin page by typing it into the browser (../admin.php) or (../rehab.php), they will be redirected to the login page.
My problem is: if a REHAB user is logged on (../rehab.php) and I change rehab.php to admin.php in the URL, IT CAN STILL BE ACCESSED! I tried putting this at the top of admin.php but it doesn't seem to work.
if ((isset($_SESSION['dept'])) && $_SESSION['dept']!='Admin'){
session_destroy();
}
In the rehab.php page, if you want to restrict access only to those who are logged in and have a 'Rehabilitation Services' dept assigned, you should use:
session_start();
// Fail closed: redirect unless both a user and the right department are in the session
if (!isset($_SESSION['user']) ||
    !isset($_SESSION['dept']) || $_SESSION['dept'] != 'Rehabilitation Services') {
    header("Location: login.php");
    exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}
This should work; there are a couple of things I've noticed, and your code structure is good as far as what you're trying to accomplish:
session_start(); // Have this as the first thing on the script,
                 // at the top before anything else above it
if ($row[2] == 'Admin') {
    // Initializing Session
    session_start(); // Remove this; you need to put session_start
                     // at the top of the script
    $_SESSION['user'] = $username; // Is the $username coming in
                                   // from $_POST? Should this be
                                   // $_POST['username'] unless you
                                   // defined it beforehand
    $_SESSION['dept'] = "Admin"; // Initializing Session dept.
                                 // This is ok.
    header('location: admin.php');
} elseif ($row[2] == "Rehabilitation Services") { // Keep this in one line
    $_SESSION['user'] = $username; // Initializing Session
    $_SESSION['dept'] = "Rehabilitation Services";
    header('location: rehab.php');
}
session_start();
// Original: if (!(isset($_SESSION['user']) && $_SESSION['user'] != '')) {
if (!isset($_SESSION['user']) || $_SESSION['user'] == '') {
    // corrected line above, you can also use empty() function
    header("Location: login.php");
    exit; // stop rendering after the redirect
}
// Original: if ((isset($_SESSION['dept'])) && $_SESSION['dept']!='Admin'){
if (isset($_SESSION['dept']) && $_SESSION['dept'] != 'Admin') {
    // Corrected line above
    session_destroy();
    header("Location: login.php"); // destroying the session alone does not stop this request
    exit;
}
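To keep the "logged in" check and the department check in one place, here is an added example (not code from the question or the answers above) of a small auth.php that both admin.php and rehab.php can require before any output. It assumes the session keys 'user' and 'dept' set at login as in the question; the file and function names are my own.

```php
<?php
// auth.php (added example): start the session once and gate a page by department.
// Assumes $_SESSION['user'] and $_SESSION['dept'] are set at login as in the question.

function start_session_once(): void
{
    // Must run before any output on every page that touches $_SESSION
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Called right after a successful credential check (e.g. in login.php)
function login_user(string $username, string $dept): void
{
    start_session_once();
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['user'] = $username;
    $_SESSION['dept'] = $dept;
}

// Gate a page: only a logged-in user of $allowedDept may continue.
// Fails closed: missing user, missing dept or a different dept all redirect.
function require_dept(string $allowedDept): void
{
    start_session_once();
    $user = $_SESSION['user'] ?? '';
    $dept = $_SESSION['dept'] ?? '';
    if ($user === '' || $dept !== $allowedDept) {
        header('Location: login.php');
        exit; // without exit the rest of the page is still sent to the client
    }
}

// Usage at the very top of admin.php, before header.php or any HTML:
//   require_once 'auth.php';
//   require_dept('Admin');
// and at the top of rehab.php:
//   require_once 'auth.php';
//   require_dept('Rehabilitation Services');
```

A Rehabilitation Services user who edits the URL to admin.php now fails the dept comparison and is redirected before any admin content is rendered.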
Related
In an attempt to secure an administrator area of a site I'm working on, I made an index.php which contains
if (isset($_POST['password']) && isset($_POST['userName'])) {
    if ($_POST['password'] == $pass && $_POST['userName'] == $username) {
        header('Location: admin.php');
    }
}
This redirects to a file in the same folder called admin.php. The problem is that I can access this file if I write localhost/folder/admin.php. Please tell me how to restrict direct access to this page. The only way of accessing it should be from index.php after entering the username and password.
Set a session variable and check it every time somebody accesses admin.php:
<?php
if (isset($_POST['password']) && isset($_POST['userName'])) {
    if ($_POST['password'] == $pass && $_POST['userName'] == $username) {
        if (!session_id()) {
            session_start();
        }
        $_SESSION['logon'] = true;
        header('Location: admin.php');
        die();
    }
}
?>
and
//admin.php
if (!session_id()) session_start();
if (empty($_SESSION['logon'])) { // empty() also covers the flag never having been set
    header("Location: index.php");
    die();
}
You should look into PHP sessions. You can set a session variable "isLogged" in that redirection file, and then check in admin.php whether that session variable is registered; if not, redirect to the login page!
session_start();
if (isset($_POST['password']) && isset($_POST['userName'])) {
    if ($_POST['password'] == $pass && $_POST['userName'] == $username) {
        $_SESSION['isLogged'] = true;
        header('Location: admin.php');
        exit; // nothing after the redirect should run
    }
}
admin.php
session_start();
if (empty($_SESSION['isLogged'])) { // not set or false: not logged in
    header("Location: login.php");
    die();
}
Note: session_start(); must be called before the $_SESSION global can be utilised.
Set a session value that signifies that a user has successfully logged in, check for it on every page you want secured, redirect to login if that value isn't set.
I added login to my site, and everything works except one thing: a user who is not logged in is not redirected to login.php. I tried several things; please help me. Thanks.
process.php (login process):
if ($row['username'] == $username && $row['password'] == $password && ("" !== $username || "" !== $password)) {
    $_SESSION["users"] = $row['username'];
    $_SESSION['login'] = true;
    header("Location: https://**********/inde.php");
} else {
    header("Location: error.php");
}
logout.php:
session_start();
$_SESSION['users'] = NULL;
$_SESSION['login'] = false;
header("location: https://**********/login.php");
exit();
On all pages of the website I added:
include("content/login_verif.php");
login_verif.php:
session_start();
if $_SESSION['login'] != true;
{
header('Location: https://**********/login.php');
exit();
}
Simply put a safeguard in your home page. Check whether both $_SESSION['users'] and $_SESSION['login'] are set or not. If either of them is not set, then redirect the user to the login page.
login_verif.php
session_start();
if (!isset($_SESSION['users']) || !isset($_SESSION['login'])) {
    // redirect the user to login page
    header('Location: https://ferapps.altervista.org/tia/content/login/login.php');
    exit();
}
and include this login_verif.php page in the following way,
require_once("content/login_verif.php");
And that's not how you should log out a user. You need to properly clear the cookies and destroy the session, so your logout.php page should be like this:
logout.php
<?php
session_start();
if (!isset($_SESSION['users']) || !isset($_SESSION['login'])) {
    // redirect the user to login page
    header('Location: https://ferapps.altervista.org/tia/content/login/login.php');
    exit();
}
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
}
session_destroy();
// redirect the user to login page
header('Location: https://ferapps.altervista.org/tia/content/login/login.php');
exit();
?>
The issue here is the incorrect use of "file_get_contents".
file_get_contents as explained at http://php.net/manual/en/function.file-get-contents.php is a way to fetch the content of another file and return it in a string format.
If you want to extend a file with another file's code you should look into require and/or include.
For your current code, swap out
file_get_contents("content/login_verif.php");
For
require("content/login_verif.php");
Information regarding include: http://php.net/manual/en/function.include.php
Information regarding require: http://php.net/manual/en/function.require.php
file_get_contents()
is used to output the contents of a file as a string.
You want
include("content/login_verif.php");
instead. And
if $_SESSION['login'] != true;
should be
if ($_SESSION['login'] != true)
I am trying to make a site with a backend where some users can edit some content.
I made a folder with an index.php.
I want the users to log in on the index.php, and after it's valid, they should be redirected to a page where they can choose what they want to edit (let's call it main.php).
So, now I am finished with the login validation. If the login is valid I am starting a session:
session_start();
$_SESSION['login'] = 1;
header("location: main.php");
and on main.php I wanted to start like this:
if (!isset($_SESSION['login']) || ($_SESSION['login'] != 1)) { // || so a set-but-wrong value is rejected too
    header("location: index.php");
}
I wanted to redirect back to the index.php if the user is not logged in.
But with that, I will never be logged in, because main.php doesn't know $_SESSION['login']...
The point where my mistake is, and what I somehow didn't get, is the session. How can main.php get the session from index.php at all? Or what is the best way to solve that?
You can access the session variable from main.php. In main.php, start the session using
session_start();
after that you can access $_SESSION['login']
if (!isset($_SESSION['login']) || ($_SESSION['login'] != 1)) { // || : reject both "unset" and "set to something else"
    header("location: index.php");
    exit; // do not render the rest of main.php after redirecting
}
Just remember that the session_start(); should be at the top of the page. Like:
<?php
session_start();
if (!isset($_SESSION['login']) || ($_SESSION['login'] != 1)) {
    header("location: index.php");
    exit;
}
?>
Add session_start(); before accessing the $_SESSION global array. See the docs: it resumes the session.
main.php:
session_start();
if (!isset($_SESSION['login']) || ($_SESSION['login'] != 1)) {
    header("location: index.php");
    exit;
}
Session is used for passing data across pages. In your case, yes: the session is necessary. However, you must make sure that $_SESSION is active on both pages. The code snippets below might illustrate this better:
<?php
// FILE-NAME: index.php
// FIRST CHECK IF SESSION EXISTS BEFORE STARTING IT:
if (session_status() == PHP_SESSION_NONE || session_id() == '') {
    session_start();
}
// CHECK IF USER HAS CORRECTLY LOGGED IN USING YOUR LOGIC.
// IF USER IS LOGGED IN, THEN SET THE SESSION TO 1
// OTHERWISE SET THE SESSION TO 0...
$_SESSION['login'] = 0;
if ($userIsLoggedIn) {
    $_SESSION['login'] = 1;
    header("location: main.php");
    exit;
}
?>
<?php
// FILE-NAME: main.php
// FIRST CHECK IF SESSION EXISTS BEFORE STARTING IT:
if (session_status() == PHP_SESSION_NONE || session_id() == '') {
    session_start();
}
// REJECT BOTH A MISSING FLAG AND A FLAG THAT IS NOT 1
if (!isset($_SESSION['login']) || ($_SESSION['login'] != 1)) {
    header("location: index.php");
    exit;
}
I am just confused with the session in the login configuration.
For example:
if ($ensure_credentials) {
    $_SESSION['status'] = 'authorized';
    $_SESSION['username'] = $username; /* save the users username to session */
    header("location: index.php");
} else return "Please enter a correct username and password";
There it is declared that if the login succeeds, the session status is 'authorized'. But why is it declared like this on the index page:
session_start();
if($_SESSION['status'] !='authorized') header("location: login.php");
Which means that if the session status is authorized then it will be directed to the login page.
I have to ask this question because it always directs me back to the login page.
Anytime you are going to write to a PHP session or read from it you need to make sure a session is started. To do this you can use the following code:
if( !isset( $_SESSION ) ){
session_start();
}
To find out what your session currently holds you can do a:
print_r( $_SESSION );
This will tell you what is currently stored within your active session.
Then you do:
if ($ensure_credentials) {
    $_SESSION['status'] = 'authorized';
    $_SESSION['username'] = $username;
    header("location: index.php");
    exit;
}
// isset() first, so an absent status is rejected without a notice
if (!isset($_SESSION['status']) || $_SESSION['status'] !== 'authorized') {
    header("location: login.php");
    exit;
}
I am trying to code a simple script.
I created an "ADMIN Panel", so if the user is admin (admin=1) then he can pass and see the link/file.
If he is not (admin=0) then he should be redirected to the login page, and if there is no Session['username'] he should go back to the login page,
but it seems that I have a problem with this code: in the user panel it works, but in the admin panel it doesn't.
<?php
include './includes/db.php';
session_start();
// ADMIN CHECK
$username = mysql_real_escape_string($_SESSION['username']);
$result = mysql_query("SELECT * FROM users WHERE username='$username' AND admin=1");
$count = mysql_num_rows($result);
if ($count != 1) // make sure user is a admin
{
    session_start();
    session_destroy();
    header("location: login.php");
    die;
}
if (isset($_GET['act']))
{
    if ($_GET['act'] == "logout")
    {
        session_start();
        session_destroy();
        header("location: login.php");
    }
}
?>
OK, the first thing I see is that you don't declare the session first. Secondly, the mysql functions are deprecated; mysqli will do what you need done. This fix should work for you. Also, it would be easier to have a logout.php.
db.php
<?php
$db = new mysqli('host', 'user', 'pass', 'database'); // placeholders: fill in your own connection details
?>
Then, in your page, you can run the queries like so:
<?php
session_start();
include './includes/db.php';
// check that the session exists
if (!isset($_SESSION['username']))
{
    // the session does not exist, redirect
    header("location: login.php");
    exit; // stop here, otherwise the page keeps rendering after the redirect header
}
// ADMIN CHECK
$username = $db->real_escape_string($_SESSION['username']);
$result = $db->query("SELECT * FROM users WHERE username='$username' AND admin='1'");
$count = $result->num_rows;
if ($count != 1) // make sure user is a admin
{
    header("location: login.php");
    exit;
}
?>
Then in logout.php, you should remember to actually unset the session variables
<?php
session_start();
// unset session variables
unset($_SESSION['username']);
session_destroy();
header("location: login.php");
?>
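The same admin check, as an added example that is not part of the answer above, written with a mysqli prepared statement so the username from the session is bound as a parameter instead of being interpolated into the SQL. It assumes the users table from the question (columns username and admin, where 1 means admin) and the $db mysqli object from db.php; the function names are my own.

```php
<?php
// admin_check.php (added example): DB-backed admin gate using a prepared statement.
// Assumes a 'users' table with columns username and admin (1 = admin) and a mysqli $db.

function is_admin(mysqli $db, string $username): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ? AND admin = 1');
    if ($stmt === false) {
        return false; // treat a failed query as "not an admin" (fail closed)
    }
    $stmt->bind_param('s', $username); // bound parameter, never part of the SQL text
    $stmt->execute();
    $stmt->store_result();
    $found = ($stmt->num_rows === 1);
    $stmt->close();
    return $found;
}

// Put at the top of the admin page, before any output is sent.
function require_admin(mysqli $db): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $username = $_SESSION['username'] ?? '';
    if ($username === '' || !is_admin($db, $username)) {
        $_SESSION = array();
        session_destroy();
        header('Location: login.php');
        exit; // stop here; otherwise the admin page body is still rendered
    }
}

// Usage in the admin panel:
//   require_once './includes/db.php';   // defines $db
//   require_once 'admin_check.php';
//   require_admin($db);
```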