Two Steps to set Session as Logged In - php

I have a strange problem that does not set the user as logged in to the SESSION until a second click (although they are logged in)
So, I have a login dropdown that looks like this:
I send the user to account-selector.php to determine the appropriate validation based on a business or individual account:
if (isset($_POST['loginAccountType']) && $_POST['loginAccountType'] == 'individual') {
    include('ind_login.php');
} elseif (isset($_POST['loginAccountType']) && $_POST['loginAccountType'] == 'business') {
    include('bus_login.php');
} else {
    include('error_login.php');
}
I have session_start(); on my account-selector.php page as well as my ind_login.php page. And, both are located at the very top of the page (before anything else).
Once I log in, this is my view:
As you can see, I am able to set and return the $_SESSION['Ind_ID'] on the ind_login.php page and VIEW YOUR PROFILE works (which is linked to the SESSION ID).
However, we still see a LOG IN button on the navigation when the code says this button should be set to display:none:
if(isset($_SESSION['Ind_ID'])) {
    $accIndStyle = "visibility: visible;";
} else {
    $accIndStyle = "display:none;";
}
I know this is the correct code as the button does become display: none for other buttons. However, if I log in a second time, or go to a different page with session_start(), the site will read $_SESSION['Ind_ID'] as set, hide the Login button and replace it with a logout button.
Any help very much appreciated.

Put your session_start() on the top of your index.php file (That file which includes the others.)

It seems like your page needs to be refreshed, or just throw an AJAX call in there to update the button value according to the session.
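The refresh the answers describe can be built into the login handler itself with the Post/Redirect/Get pattern, so the navigation is always rendered by a fresh request that already sees the session. This is an added example, not code from the question; the credential store, check_individual() and the file names are constructed for illustration, only the $_SESSION['Ind_ID'] key and the style strings come from the question.

```php
<?php
// Added example, not code from the original question: log-in handled with the
// Post/Redirect/Get pattern, so the navigation is rendered by a fresh request that
// already sees $_SESSION['Ind_ID']. The credential store and check_individual()
// are constructed for illustration; only the 'Ind_ID' key and style strings come
// from the question.
session_start();                         // before any output, including whitespace

// Hypothetical credential check against a constructed store; returns the account
// id on success, null otherwise. Real code keeps the password hashes in a database.
function check_individual(string $email, string $password): ?int {
    $accounts = ['alice@example.com' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    $acct = $accounts[$email] ?? null;
    return ($acct && password_verify($password, $acct['hash'])) ? $acct['id'] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['loginAccountType'] ?? '') === 'individual') {
    $id = check_individual($_POST['email'] ?? '', $_POST['password'] ?? '');
    if ($id !== null) {
        session_regenerate_id(true);     // fresh id once the privilege level changes
        $_SESSION['Ind_ID'] = $id;
    } else {
        $_SESSION['login_error'] = 'Invalid e-mail or password';
    }
    // Redirect to the same URL: the following GET reads the session state set above,
    // so the nav never shows a stale "LOG IN" button after a successful POST.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;                                // nothing below may run for the POST
}

// Only reached on GET: decide the nav state after the session is fully loaded.
$loggedIn    = isset($_SESSION['Ind_ID']);
$accIndStyle = $loggedIn ? 'visibility: visible;' : 'display:none;';
$loginError  = $_SESSION['login_error'] ?? '';
unset($_SESSION['login_error']);         // one-shot flash message
?>
<nav>
  <a href="profile.php" style="<?= htmlspecialchars($accIndStyle) ?>">VIEW YOUR PROFILE</a>
<?php if (!$loggedIn): ?>
  <form method="post" action="">
    <input type="hidden" name="loginAccountType" value="individual">
    <input name="email"> <input type="password" name="password">
    <button type="submit">LOG IN</button> <span><?= htmlspecialchars($loginError) ?></span>
  </form>
<?php else: ?>
  <a href="logout.php">LOG OUT</a>
<?php endif; ?>
</nav>
```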

$_SESSION working after second log-in

Hello, I have a strange issue with a log-in page, index.php, in which I am setting:
$_SESSION['user'] = $row['username'];
for users who have logged in successfully.
Then on the landing page I have a check to see if the user is logged in, and if not, to be redirected to the log-in page:
if(!$session->is_loggedin()) {
    // session not set, redirect to login page
    $session->redirect('index.php');
}
Inside the class file:
public function is_loggedin() {
    if(isset($_SESSION['user'])) {
        return true;
    }
}
So the problem which I am facing is present only on the internet server; on the local host XAMPP everything works fine. The problem is: if I log in to the site, then log out and type the log-in URL, I get redirected to home.php, where I do a print_r($_SESSION) and it shows that there is a session in the array, as if the session still exists. But when I click on any link in the menu I am sent back to the log-in page without a session and have to log in.
code on the index.php page to check if session exists:
if($login->is_loggedin()!="") {
    $login->redirect('home.php');
}
So in this case every time a user comes to the page it shows as if he is logged in, but he is not, and then he can see home.php, which is supposed to be protected. Once a user clicks on any menu link he gets redirected to the log-in page.
I guess it might be some PHP configuration, since on the localhost XAMPP it is working. Any idea where I have to look?
EDIT: I have placed the following check on the index page:
if(isset($_SESSION['user']) && !empty($_SESSION['user'])) {
    echo 'Set and not empty, and no undefined index error!';
}
to check if there is a session, so each time I open the URL it shows TRUE. When I open /home.php it opens the home page; clicking on any link I am redirected to the home page where it does not echo anything. It feels like the server is caching the first page with the session each time I open it, or the browser is automatically sending this information to the server.
Another scenario which is experienced sometimes: I open the site and get logged in. Clicking any button I am redirected to the log-in page; after a second log-in attempt everything works just fine.
Another thing that occurs is that when a fake session is established all the Bootstrap Glyphicons show squares instead of the actual icons.
I see that in phpinfo session.use_only_cookies is set to ON; maybe this is the issue.
for starters, your login check,
if($login->is_loggedin()!="")
{
    $login->redirect('home.php');
}
why is this not if($login->is_loggedin()!== true)
This would take out any strange returns on the if check.
Currently, if it sees anything that is not "", it will not redirect to home, i.e. if your function returns false.
That's the main thing that stands out to me (I may be way off base here).

Index page refresh when logged-in

I have an index.php page, which behaves as follows:
if a session var exists and is set, it displays a menu + some info
about the user (userID, IP address, link to disconnect)
if the session var is not set, it displays a login form
So if you go there for the first time, you'll see the login form.
When the user provides his login+password, there is an AJAX call to login_check.php. The main purpose of this page is to generate a session variable (if the user info meets several requirements), but it also sends error messages back to the bottom of the form (in the form of a JSON var) in case of authentication failure.
Here is its core :
login_check.php
if (authentification($login, $password)) {
    //creates the session variable
    $_SESSION['auth'] = $login;
    //? here I'd like to refresh the index page
}
else {
    //the error that will be displayed at the bottom of the form
    $json_err .= "Incorrect login or password";
}
index.php looks like this:
if (isset($_SESSION['auth'])) {
    //the menu is displayed, because the user is logged-in
}
else {
    //the login form is displayed, because the user is not authenticated
}
So far, I have to manually refresh the index page so that it takes the session var into account. Is there a way to do it automatically ?
Solutions like "location.reload" are not really suitable, because of the error messages that might be displayed. I also tried to call again index.php from login_check.php using "include" or "header" but it didn't work.
Should I make a conditional refresh within my jQuery function, depending on what data was sent back by login_check.php ?
What would you advise?
Thanks
I think you need to run your checklogged.php for example once every 5 min and if the user is not logged in redirect to the login page.
<script type="text/javascript">
$(function() {
    getStatus();
});
function getStatus() {
    var status = $('#islogged').load('login_check.php');
    setTimeout(getStatus, 50000);   // re-check after 50000 ms (50 s)
}
</script>

prevent user from accessing previous (restricted) pages after signing out with PHP

When the user decides to sign out, they obviously do so by using a "Sign out" button.
When they do, this script is executed:
if(isset($_POST['submit_Logout'])){
    $_SESSION['backend']->logout(); // see this function below
    unset($_SESSION['user']); // unset only this session since there are other sessions I'd like to keep
    session_regenerate_id(true); // makes sure the session id is updated, and the old one is discarded
    KD::notice('success',$success_LoggedOut); // adding a notice to another session
    KD::redirect('/'); // redirecting the user using header();
    session_commit();
}
I'm just unsetting this particular session (user) since there are other sessions that keep other data available, regardless of whether the user is logged in or not, to improve the user experience.
The logout() function looks like this, for now:
public function logout(){
    $this->accessible=false; // just a flag to check against (see below)
    $this->username=''; // empty the username
}
Since I'm unsetting the session that holds the related user data, I just realized that this function is probably unnecessary. Alternatively, move the unset part etc. into the function.
Anyway, I've come to experience that when a user has logged out, he/she, or somebody else for that matter, has the opportunity to just hit the back button in their browser, and voila, they can view the page(s). Of course, if they start clicking on any links, they get thrown out. But the back button is still available.
I believe this happens as a result of pages/views cached by the browser. So when they click the back button, they see a cached page/view stored in the browser memory or something.
Since this page, or view, is loaded into my template through an index.php page with a permanent <head>, there's not much I can do about the caching of these restricted pages/views. Or is there?
Deleting records from the browser's history is not possible? Or preventing these pages from being recorded in the first place?
Point is, what I need to do, I believe, is to force the browser to always request the page from the server. So regardless of whether the user hits the back button or a link to a restricted page, the page should always be requested from the server, and not from the browser's memory.
Or am I not getting this correct?
If so, I do wonder how. How is this usually done?
I have this in my class
private $accessible = false; // when logged in, this is set to true
public function accessible(){
return $this->accessible;
}
At the very top of the page that includes the views into the restricted area I have this:
if($_SESSION['user']->accessible()===true):
Otherwise the user is prompted with a login screen.
But that doesn't work as expected. This check is not performed when the user uses the back button in their browser...
Thanks in advance.
UPDATE
Here's a quick overview of my structure/layout:
/*
when the user is logged in/out, the script that does that is executed up here.
That includes setting the sessions etc. as well - which means, if the user is not logged in, the access will be set to false.
*/
<head>
</head>
<body>
/*
Here I include different pages with php include;
These pages can be home.pg.php, contact.pg.php, and of course restricted.pg.php
each of these pages includes different content (views as I like to call them) that is presented to the user based on their interaction.
Now. When the user tries to access the restricted.pg.php, I have this at the top:
*/
if($_SESSION['user']->accessible()===true):
    /* now each view that is included here should not be accessible if accessible() is not true. */
else:
    /* the user is presented with a login form */
endif;
</body>
Did this help?
All the pages that require some to login should have something like this,
session_start();
if(!isset($_SESSION['user'])){
    //REDIRECT USER TO LOGIN PAGE
}
If it's because of the browser caching issue that hitting back takes you back to the cached version of the page (even though the user is logged out), then you should redirect the user twice (good practice).
What I mean is: create a file called logout.php, so when the user clicks on the logout button it redirects the user to logout.php (that'll have the session unset code) and after that redirects the user to the login page.
So: current page ----redirects to---> logout.php ----redirects to----> login.php
I think on every page you can just check whether a session is set or not, e.g. Session::handlelogin('user').
Then you can just make a function named handlelogin in the Session class:
class Session {
    public static function handlelogin($user) {
        if (!isset($_SESSION[$user])) {   // look the key up in $_SESSION, not the argument itself
            //redirect the user to your login page
        }
    }
}
Notice: just set this up at the top of the page; if you're using MVC architecture you can set it up in the Controller:
Session::handlelogin('user')
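The double redirect above handles navigation, but the back button still shows whatever the browser cached, so the restricted page must also tell the browser not to store it. The following is an added example (not code from the post or its answers) of a logout that fully tears the session down plus the no-store headers for a restricted page; the paths /login.php and logout.php and the helper names are assumptions.

```php
<?php
// Added example, not code from the original post or its answers: a logout that
// fully tears the session down, plus the response headers a restricted page must
// send so the browser does not replay it from cache on "Back". The file names
// /login.php and logout.php and the helper names are assumptions for illustration.
session_start();

// Send these on every restricted page before any output. no-store tells the browser
// and intermediaries not to keep a copy; the other two cover older HTTP/1.0 caches.
function send_no_cache_headers(): void {
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
}

// Guard for a restricted page: redirect unless a user is in the session.
function require_login(): void {
    send_no_cache_headers();
    if (empty($_SESSION['user'])) {
        header('Location: /login.php', true, 302);
        exit;                      // never render the protected view below
    }
}

// logout.php: drop server-side state AND the client's cookie so the old id
// cannot be presented again. (If other keys must survive, the post's approach of
// unset($_SESSION['user']) followed by session_regenerate_id(true) is the alternative.)
function logout_and_redirect(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_cache_headers();       // the logout response itself must not be cached either
    header('Location: /login.php', true, 302);
    exit;
}

if (isset($_POST['submit_Logout'])) {
    logout_and_redirect();
}
```

A restricted page calls require_login() as its first statement after session_start(); with no-store in place, pressing Back after logout re-requests the page and the guard redirects.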

PHP Dynamic Content Page with Loginsystem

I'm pretty new to programming and have got to do a project for school. My task is to write a ticket system with login etc. in PHP.
Since my groupmates aren't too helpful at all, I decided to just code the login system and create a .php which loads content dynamically.
For normal links things went smoothly so far, but the login system + the dynamic system already gives me a headache.
Whenever I hit the login button (even when I don't enter any login data at all) I end up on the front page (home.php) with the header telling me that I'm on "user.php".
I don't get any errors or anything; there seem to be just some logical errors which I don't get :-(
can anybody help me with this?
http://pastebin.com/5XMSje07
Add exit() under all of your header() redirects
What's your directory structure looking like?
It seems like you don't have a check for empty fields when the post comes in. There should be something along the lines of the following in your login function when the post is read in:
if(empty($_POST['Login']) || empty($_POST['Password']))   // empty() also covers a missing field
{
    return false;
}
else
{
    //do the login check with the sql call to match username and pw
}
Redirects should be used more sparingly than you appear to have done
In your login script, you have:
if(!isset($usergroup))
{
    login();
} else {
    logout($usergroup);
}
This is all very well if you assigned $usergroup from a $_SESSION value, which you haven't done. This page will therefore always show the login form.
$usergroup = $_SESSION['user'];
would be a start.
You also have multiple session_start calls; as it says in Highlander, "There can be only one".
Your code to detect whether someone has posted data to your script is inside the functions and probably should be inside the above test. Something like...
if (!isset($usergroup)) {
    // have we received post data to login? if logged in, set $usergroup
    // if we have not logged in, show the login form
}
if (isset($usergroup)) {
    // show the logout form
}

Prevent user from accessing admin page

I have a PHP login page with session control. It routes a normal user to info.php and an admin user to info_admin.php. If I log in with a "normal" user it goes to info.php; however, in the address bar I can go to info_admin.php and it doesn't kick me out, it gives me access. How can I control this or prevent the user from doing this manually?
For info, I'm using this script: http://php-login-script.com/
Thanks very much!
Just to make Lotus Notes' code a bit more compact:
<?php
if (!isset($_SESSION['user_level']) || ($_SESSION['user_level'] != 2)) {
    header('Location: login.php');
    exit;
}
?>
<!-- Your page HTML here -->
I quickly scanned through the login code, it seems to be setting a variable $_SESSION['user_level'] when the user first logs in.
To allow only user with level 2, for example, put this at the top of your page. It should redirect anyone who is not a level 2 user back to the login page.
<?php
if (isset($_SESSION['user_level']) && $_SESSION['user_level'] == 2) {
?>
<!-- Your page HTML here -->
<?php
} else {
    header('Location: login.php');
    exit; // stop here so nothing after the redirect header is sent
}
?>
The high level approach is that upon login, store the user's access level in the session or in a database. At each page call, check against that value.
Just add an extra function that checks user level--if it's at or above the desired level, return true. If not, return false and failover. Then in your page you want to protect, fire the function with the desired level of protection.
For instance:
function checkPerms($level) {
    // compare the level stored in the session at login against the level this page requires
    $userLevel = isset($_SESSION['user_level']) ? (int)$_SESSION['user_level'] : 0;
    if ($userLevel >= $level) {
        return true;
    } else {
        // failover here: e.g. redirect to the login page and stop the script
        return false;
    }
}
then call in your pages
checkPerms(5);
EDIT: If you were really slick, you could just add an extra param to your original function call with the user level, defaulted to the lowest value. Then, if the user validates as registered, it could check the user level at the same time.
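Pulling the answers together: the role must be stored server-side at login and enforced at the top of every protected page, and the enforcement must stop the script after redirecting. This is an added example, not code from the answers or from php-login-script.com; it assumes login stored the role in $_SESSION['user_level'] and that level 2 is the administrator level, as the answers above use for illustration.

```php
<?php
// Added example, not code from the answers or the php-login-script project: a
// per-request authorization guard for info_admin.php. Assumes login stored the
// role in $_SESSION['user_level'] and that 2 means administrator (adjust to your scheme).
session_start();

const LEVEL_USER  = 1;
const LEVEL_ADMIN = 2;

// True if the current session holds at least $required. The level comes only from
// the session; never trust one sent by the client (query string, form field, cookie).
function has_level(int $required): bool {
    if (empty($_SESSION['user_level'])) {
        return false;                          // not logged in at all
    }
    return (int)$_SESSION['user_level'] >= $required;
}

// Enforce on every page load: log the refusal, redirect, and stop so no HTML below is sent.
function require_level(int $required): void {
    if (!has_level($required)) {
        error_log(sprintf('access denied: level %d required, session %s, client %s',
                  $required, session_id(), $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        header('Location: login.php', true, 302);
        exit;
    }
}

// info_admin.php: first statement after session_start(); info.php would use LEVEL_USER.
require_level(LEVEL_ADMIN);
?>
<!-- admin HTML only reaches the browser when the guard above passed -->
```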