I have a login script where I have been able to successfully make users, and log in. Now my issue is with my method of protecting pages, which is checking whether there is a SESSION for 'user'; if not, it directs you back to the login page.
Here is me checking for the session,
require("common.php");
if(empty($_SESSION['user']))
{
header("Location: login");
die("Redirecting to login");
}
Here is where I am setting my session, I am ONLY setting a session_start(); on login.php
if($login_ok)
{
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: home?worked=1");
die("Redirecting to: home?worked=1");
session_start();
}
else
{
print("Login Failed.");
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
What this does is, I log in, and it will process and bring me to my home page, then process the header back to the login page, acting as if I am not logged in. I tested a false login and it IS telling that it's the correct login.
Thanks for any help, I'm pulling my hair out here!
Necro
EDIT
I moved session_start(); to the top of my common.php, and everything is perfect.
You have session_start(); after $_SESSION['user'] = $row;
Actually you have it after a die(); command. Nothing happens after that.
Put session_start(); at the top of the PHP in every page (preferably common.php, since you have one), not just one page.
It would be better to set the session_start() on top
You need to put session_start(); on every page you want to use the session.
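Added example (not code from any of the posts above): one way to lay out the common.php the answers recommend, with session_start() run once at the top, a guard that exits after redirecting, and a fresh session id issued at login. The helper names require_login() and complete_login() are hypothetical, and the session_start() options assume PHP 7.3 or later.

```php
<?php
// common.php (added example): start the session once, before any output,
// so every page that requires this file can read $_SESSION.
session_start([
    'cookie_httponly' => true,   // keep the session id away from page scripts
    'cookie_samesite' => 'Lax',  // needs PHP 7.3+
    'use_strict_mode' => true,   // reject session ids the server did not issue
]);

// Hypothetical helper: call at the top of every protected page.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login');
        exit; // stop here, otherwise the protected page body is still sent
    }
}

// Hypothetical helper: call from login.php once the password has been verified.
function complete_login(array $row): void
{
    unset($row['salt'], $row['password']); // keep credential material out of the session
    session_regenerate_id(true);           // issue a new id at the privilege change
    $_SESSION['user'] = $row;
    header('Location: home?worked=1');
    exit;
}
```

Because the session is already open when complete_login() runs, the assignment to $_SESSION['user'] is persisted, which is what the misplaced session_start() after die() in the question prevented.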
Related
I'm securing a single page with a session:
if($username === 'admin' && $password === 'admin1'){
$_SESSION['secured'] = "Secured";
header('LOCATION:admin/approve.php'); //go to location after successful login.
die();
}
In the approve page I'm checking if the session is set:
session_start(); //starting session to access it
if(!isset($_SESSION['secured'])){
exit();
}
I made a logout button that redirects to the site index, but after logging out, when I'm trying to reach the secure page I don't have a problem entering, and the session is still set.
Logout code:
unset($_SESSION); //clear session array
session_destroy(); //Destroy session
unset($_SESSION['secured']);
header("Location: ../index.html");
You mean the approve page?
What I see is that you did not specify where the page should exit to...
Maybe you should try something like this:
session_start(); //starting session to access it
if(!isset($_SESSION['secured'])){
header("Location: ../index.html");
exit();
}
I hope it helps
This is just about the last thing I have left to do and I will have officially created my first PHP registration/login system.
What I have is a file called checksession.php. This file checks to see if a user is logged in/has a session created. If the user does, it should let them view their account page. If it isn't, it should send them to index.php.
As it stands, it is sending the user back to index.php even after successfully logging in. I am not sure what I am doing wrong in this script.
checksession.php
<?php
include('includes/db.php');
session_start();
$userSession = $_SESSION['username'];
$sql = mysqli_query($db, "SELECT emailAddress FROM users WHERE emailAddress='$username' ");
$row=mysqli_fetch_array($sql,MYSQLI_ASSOC);
$login_user=$row['emailAddress'];
if(!isset($userSession )) {
header("Location: index.php");
}
?>
username is referencing the username field they are filling out when logging in on the login form which is login.php.
On their account page, which in this case is account.php, I have the following:
<?php
include("includes/checksession.php");
?>
Should this be redirecting to index.php or should it be setting the session based on the username they are inputting? I did make sure the start_session(); on my login.php page as well.
Make sure it's session_start(); on my login.php page not start_session();
Try to echo out the $userSession and $_SESSION['username'] to see what they actually hold
Try the statement this way:
if(isset($_SESSION['username'])) {
//do whatever
}else{
header("Location: index.php");
exit(); // stop the script so the protected page is not sent along with the redirect
}
The variable $userSession will always be set; it may be null or an empty string, but it will always be set from your code.
Change the check to:
if(!isset($_SESSION['username'])) {
header("Location: index.php");
exit(); // stop the script so the protected page is not sent along with the redirect
}
Ok
I don't know if this is the best way to do this, as I think I may be overcomplicating this, but here we go:
I took the check.php code and actually dropped this into my login code in order to set the SESSION.
Right below that I have the following code:
if(mysqli_num_rows($result) == 1) {
$_SESSION['username'] = $login_user; // Initializing Session
header("location: account.php"); // Redirecting To Other Page
} else {...
Logged in and voila. I am taken to my account.php like I would expect to be. If I log out and then try to view account.php, I am bounced back over to index.php.
I have a simple website that lets the admins and users log in. Their credentials are saved on a MySQL server in 2 separate tables: 1 for user, 1 for admin.
They both have different login pages; user has userlogin.php and admin has adminlogin.php.
What I want is, when they are both done accessing the site, for them to click logout and, through session variables, use just the one logout.php and be redirected to their respective login pages.
So if the user logs out, they should be redirected to userlogin.php, and if admin logs out, they should be redirected to adminlogin.php.
<?PHP
session_start();
unset($_SESSION["userid"]);
header("Location: userlogin.php");
unset($_SESSION["adminid"]);
header("Location: adminlogin.php");
?>
This is what I have so far.
if(isset($_SESSION["userid"]))
{
unset($_SESSION["userid"]);
header("Location: userlogin.php");
}
elseif(isset($_SESSION["adminid"]))
{
unset($_SESSION["adminid"]);
header("Location: adminlogin.php");
}
die();
Use session_destroy()
logout.php
<?php
session_start();
if(isset($_SESSION["adminid"]))
{
unset($_SESSION["adminid"]);
session_destroy();
header("Location: adminlogin.php");
}
else
{
unset($_SESSION["userid"]);
session_destroy();
header("Location: userlogin.php");
}
?>
<?php
session_start();
header ('Location: ' . (isset($_SESSION['adminid']) ? 'adminlogin.php' : 'userlogin.php'));
$_SESSION = array();
session_destroy();
?>
Since some people asked for an explanation, this code first starts the session with session_start();.
After that, it sets the location header to be sent to the client. The code checks if the adminid is set, if so, we'll redirect to adminlogin.php. If not, we'll just redirect to userlogin.php.
Then, the code sets the $_SESSION to array(); (basically just empties it) so that all the previously set data is gone.
Finally, the session is destroyed and the client will get redirected.
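Added example (not from the posts above) that serves both logout questions on this page, the single 'secured' flag and the admin/user split: the session is loaded before it is cleared, the session cookie is expired, and the redirect target is chosen before the data is wiped. The cookie-expiry step follows the pattern shown in the PHP manual for session_destroy(); the file names are the ones from the question.

```php
<?php
// logout.php (added example)
session_start(); // the session must be loaded before it can be destroyed

// Choose the destination while the session data is still readable.
$target = isset($_SESSION['adminid']) ? 'adminlogin.php' : 'userlogin.php';

// Empty the data. Do not unset($_SESSION) itself, which only removes the
// local variable and leaves the stored session untouched.
$_SESSION = [];

// Expire the session cookie in the browser as well.
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}

session_destroy(); // remove the server-side session data
header('Location: ' . $target);
exit;
```

After this runs, a request to a protected page starts an empty session, so a check such as !isset($_SESSION['secured']) fails as intended.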
Again, extremely noob PHP question.
I have a very simple login page
<?php
session_start();
if (isset($_SESSION['username']))
{
header('Location: main.php');
exit();
}
if (isset($_POST['submit']))
{
$user = $_POST['user'];
$pass = $_POST['pass'];
if (try_login($user,$pass))
{
$_SESSION['username'] = $user;
header('Location: main.php');
exit();
}
}
?>
<html> <!-- and login form below... -->
And also a very simple main page:
<?php
session_start();
if (!isset($_SESSION['username']))
{
header('Location: .');
exit();
}
?>
<html> <!-- etc, etc -->
I expect the following things to happen:
If I navigate to http://localhost/main.php before logging in, I should be redirected to http://localhost/.
If I navigate to http://localhost/ and log in successfully, I should be redirected to http://localhost/.
Unfortunately, #2 doesn't happen. What could be wrong with my code?
You should use a fully qualified URL:
header('Location: http://localhost/main.php');
You may be running into a race condition here. I've run into it several times...you set some stuff in the session, but the next page doesn't see it. This is usually caused by the browser requesting the second page so quickly that the first hasn't had time to write the session -- so the second doesn't see the changes to the session variables.
Try calling session_write_close() before you send your redirect header.
You must use absolute URIs like Location: / or Location: /main.php.
<?php
session_start();
if (isset($_SESSION['username']))
{
header('Location: main.php');
exit();
}
How is the person supposed to log in? You redirect if the $_SESSION doesn't have the username set BEFORE you do any code that would actually set that variable. That makes the login code effectively unreachable.