Include File - session error - php

For a small comments widget.
I'm trying to include that widget into any .php file at wish- in the most practical way for the user with just:
<?php include "comments.php"; ?>
I'm trying to create an admin-login-panel right into the widget, to offer the logged admin to delete the posts (and more other options).
The problem is: I now have to start using $_SESSION, to prevent the admin from having to log in over and over again at each change / page refresh.
But, using sessions inside the widget I can only see header and session WARNINGS ...already started... ....and so on.
It is NOT an option to force the user to put 'session_starts' at the top of his pages; I'd like to keep things simple. Just php-include the widget.
Can I still keep trying with php sessions or should I try something else?
Thanks in advance for any suggestion.

Alright, with what information you have given us, this is what your problem is: PHP sessions use a special cookie that is sent in a header. So you must perform a session_start(); before any other content is sent to the browser, so it can set the cookie in the header. So unfortunately, it looks like you will have to start a session outside of their including of a widget.
Why is starting the session outside of the widget not an option? Do you not have control over the other PHP pages?

It might be possible to configure your site to auto-start the session on each page.
You can typically accomplish this by modifying a PHP configuration value for the directory via a .htaccess file like so:
<IfModule mod_php5.c>
php_flag session.auto_start on
</IfModule>
Also I would recommend referencing the root path of your website in the include, so you can use that comment include statement on any page without having to add a bunch of '../../../' to the path.
<?php
include($_SERVER['DOCUMENT_ROOT'] . "/header.php");
?>
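One way the widget itself can cope with both warnings from the question ("session already started" and "headers already sent"), as an added example that is not code from the thread. The function names and the `comments_admin` session key are assumptions, and the password is a constructed demo value.

```php
<?php
// Added example for comments.php; function names and the 'comments_admin'
// session key are assumptions, not code from the thread.

function widget_session_start(): bool
{
    // The host page or session.auto_start may already have opened the session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;
    }
    // Once output has started the session cookie header cannot be sent, so
    // log where the output began instead of raising "headers already sent".
    if (headers_sent($file, $line)) {
        error_log("comments widget: output started at $file:$line, no session");
        return false;
    }
    return session_start([
        'cookie_httponly' => true,  // keep the session id away from page scripts
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,  // reject session ids the server did not issue
    ]);
}

function widget_admin_login(string $password, string $storedHash): bool
{
    if (!widget_session_start() || !password_verify($password, $storedHash)) {
        return false;
    }
    // A new id on login needs to set a cookie too, so the login POST has to be
    // handled before the page prints anything; otherwise refuse the login.
    if (headers_sent() || !session_regenerate_id(true)) {
        return false;
    }
    $_SESSION['comments_admin'] = true;
    return true;
}

function widget_is_admin(): bool
{
    return widget_session_start() && !empty($_SESSION['comments_admin']);
}

// Constructed demo values; a real widget would load a stored hash.
$storedHash = password_hash('constructed-demo-password', PASSWORD_DEFAULT);
$loggedIn = widget_admin_login('constructed-demo-password', $storedHash);
echo $loggedIn && widget_is_admin() ? "admin controls\n" : "read-only view\n";
```

When the widget is included after the host page has already printed output and no session exists yet, `widget_is_admin()` returns false and the widget falls back to its read-only view.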

Related

PHP Session Authentication of Directory Index

The context:
I'm building a PHP 7 web application, it uses a PHP session to login and check to see if the user is logged in on each page. Here is the basic makeup of most pages:
<?php session_start(); ?>
<?php include 'the_header_and_menu.php'; ?>
<p>Page content</p>
<?php include 'the_footer.php'; ?>
At the top of the_header_and_menu.php file is an include to session_check.php which is located outside the site's directory. This PHP process does five checks, the most basic one included below.
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] == 'false') { // If loggedin is not set, or is false, then run this block.
header('Location: http://example.com/index?eject=noLogin'); // Send the user to the eject page.
die(); // Exit the process.
}
Process summary: User logs in, which creates a session and its variables. When the user loads a page, a session check is performed to make sure that the user's account is valid and authorised. If the account or session is no longer valid/authorised, then the user is redirected to the login page (index).
The issue: When someone who's not logged in enters http://example.com/dashboard, they are ejected using the first check (featured above). However, if they enter http://example.com/process/, the checks seem to count for nothing and the user is shown the page. This page does not just include a directory listing, but calls the http://example.com/process/index.php file to represent it instead.
The question: How can I apply the same logic that protects individual pages like dashboard.php, to the case of protecting directory indexes?
Own answer:
The issue here was one which was simple, but overlooked.
At the top of the_header_and_menu.php file is an include to session_check.php which is located outside the site's directory.
Within the header and menu file was the session check include. However, because the session check was located outside the main directory (like much of the back-end), I had referenced to it through a relative path, similar to the one below.
include_once '../mainfolder/php/subfolder/sessioncheck.php';
However, because the file was being included to a subdirectory, it should've included a further ../ operator.
include_once '../../safe/php/users/sessioncheck.php';
The solution: Instead of performing a session check through the header and menu, I am now including it on every page I want to protect. This is by no means a perfect solution and simply acts to get things working again.
Thank you to Daniel Schmidt, who got me looking in the right direction!
Directory indexes don't usually come from PHP - they are served by your webserver (nginx, apache, ..). Today, there is obviously no need to have those indexes enabled.
It looks like you're not sending each request to your PHP process(es). I tend to suggest checking your webserver configuration.

Redirect from PHP page if it wasn't included or required

I have a set of PHP files that I am including and using as templates for information that I am storing in a MYSQL Database. These files can be accessed with the link to them. I do not want these files to be accessed if they are not being loaded by another file.
For example:
I have a file called errorBox.php which should only be visible when included in mainPage.php. However, currently, by going to http://myUrl.com/errorBox.php I can access the page.
I have tried using the following:
header("Location: http://myUrl.com");
but unfortunately it doesn't seem to work.
Is there a way to redirect automatically from these pages if they have not been included? Or is there a different solution to my problem?
Thank you in advance.
Maybe you can check whether it was included/required using the get_included_files function.
And if it was not included/required, you can redirect:
header('Location: http://myurl.com');
die;
Use die afterwards to stop executing things.
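The answer above names get_included_files() without showing the check. The following is an added example, not code from the thread, of how the top of errorBox.php could use it; the helper names are hypothetical.

```php
<?php
// Added example: the first lines of errorBox.php, before any output.
// Helper names are hypothetical.

function requested_directly(string $file): bool
{
    // Element 0 of get_included_files() is the script the server was asked
    // to run; realpath() normalises symlinks and ".." on both sides.
    return realpath(get_included_files()[0]) === realpath($file);
}

function refuse_direct_access(string $file, string $redirectTo): void
{
    if (!requested_directly($file)) {
        return;                    // reached through include/require: carry on
    }
    // header() only works while nothing has been output yet, which is why
    // this guard sits above the template markup.
    if (!headers_sent()) {
        header('Location: ' . $redirectTo, true, 302);
    }
    exit;                          // never fall through to the template
}

refuse_direct_access(__FILE__, 'http://myUrl.com');
?>
<div class="error-box">Template markup, rendered only when included.</div>
```

With several templates, keep the two functions in one shared file loaded with require_once so they are declared only once, and leave just the `refuse_direct_access(__FILE__, ...)` call at the top of each template.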

php authentication best practice...?

I have a simple login page that checks credentials against database and then every page includes auth.php that verifies $_SESSION['logged'] is set and that session isn't expired.
Problem is that every page also includes another page tab.php (something like a menu), which I also need to restrict access to, but including auth.php inside tab.php makes the inclusion occur twice. If I don't include the auth.php in tab.php, though, anyone can access tab.php directly bypassing authentication check and possibly retrieve private information.
Any best practice to solve this situation?
EDIT:
And I forgot to ask, but what path you use to make it relative to site root? As both auth.php and tab.php are in folder and the index.php which includes tab.php is in root - the include function gives an error for either index.php or tab.php according to what path I use ('./includes/auth.php' OR './auth.php') - If you know what I mean. I tried '/includes/auth.php' but that doesn't work.
Use include_once instead of include in your files (or require_once and require). This will ensure that your auth.php file will only be included once in the lifetime of the script.
include_once and require_once will definitely assure that you don't have the same file included more than once (at the same time make sure you're authenticated).
What I would do, however, is add your includes in a "include" folder and forbid access - to people who would type in the path manually - through an htaccess file. This way you could keep your includes in one place (whatever your header includes might look like) and keep your include files clean and still out of reach. If you were to do this you'd only have to do what Jan. mentioned in the answer above and check if your $_SESSION['logged'] is set (and whatever other checks you need)
Just check in tab.php if the session is initialized and $_SESSION['logged'] is true. This will work fine, if auth.php is loaded first.
What about using require_once("auth.php");? This makes sure, that auth.php is included (otherwise application will stop) but only includes the file once which seems to be your goal.
Try include_once(). See ( http://php.net/manual/en/function.include-once.php )
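The path problem in this question's edit ('./includes/auth.php' versus './auth.php') and the skipped session check in the directory-index question earlier on this page have the same cause: a relative include path is resolved against the working directory, and a failed include only raises a warning. The added example below, which is not code from either thread, reproduces this on a constructed file layout in a temporary directory. It uses include and require rather than the _once forms only so the stand-in check can run once per case; path resolution is identical.

```php
<?php
// Added example: constructed file layout, not the asker's real tree.
$root = sys_get_temp_dir() . '/incdemo_' . bin2hex(random_bytes(4));
mkdir("$root/site/process", 0700, true);   // document root and a subdirectory
mkdir("$root/safe", 0700, true);           // back-end code outside the docroot

// Stand-in for sessioncheck.php; the real one redirects and die()s.
file_put_contents("$root/safe/sessioncheck.php",
    '<?php $GLOBALS["check_ran"] = true;');

// Fragile header: "../" is resolved against the working directory, which a
// web SAPI typically sets to the requested script's directory, not this file's.
file_put_contents("$root/site/header_fragile.php",
    '<?php include "../safe/sessioncheck.php";');

// Robust header: anchored to the header's own directory; require makes a
// missing file fatal, so the page fails closed instead of rendering.
file_put_contents("$root/site/header_robust.php",
    '<?php require __DIR__ . "/../safe/sessioncheck.php";');

function check_runs(string $requestDir, string $header): bool
{
    $GLOBALS['check_ran'] = false;
    chdir($requestDir);                    // simulate the request's directory
    include $header;
    return $GLOBALS['check_ran'];
}

// include only warns on failure; collect the warnings instead of printing.
$warnings = [];
set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
    $warnings[] = $msg;
    return true;
});

$results = [
    'fragile, /dashboard.php'     => check_runs("$root/site", "$root/site/header_fragile.php"),
    'fragile, /process/index.php' => check_runs("$root/site/process", "$root/site/header_fragile.php"),
    'robust,  /process/index.php' => check_runs("$root/site/process", "$root/site/header_robust.php"),
];
restore_error_handler();

foreach ($results as $case => $ran) {
    printf("%-30s check %s\n", $case, $ran ? 'ran' : 'SKIPPED');
}
echo count($warnings), " include warning(s) raised\n";
```

With display_errors off in production, the warnings from the skipped case go only to the log, so the unprotected page renders with no visible sign that the check never ran.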

No idea why this login script isn't working!

I was following a tutorial I found on how to create a simple login using sessions and a database. I followed it to the T (with the exception of tidying up all of the code because theirs was a mess and I'm OCD like that).
I get no errors at all on the page, it just comes up with a blank screen and I can't work out for the life of me why it's doing it. I've been trying to get it working for the best part of about 3 hours.
There are 4 files:
index.php - Contains the form for the login script
login.php - Where the form data is processed, which is "require_once"'d into the index.php page at the very start.
config.php - Database connection info
cpanel.php - Where I want the user to be sent once they logged in
And here are those 4 files in action (although I guess they're not in action since they don't actually work!):
index.php
login.php
config.php
cpanel.php
And here's the tutorial I used.
Lastly here's a link to the original (non-source) index.php file
Hope you guys can help, it's driving me crazy now.
Just change
if($jackin) {
to
if(isset($jackin)) {
in login.php file
Also put ini_set('short_open_tag',1)
in your cpanel.php file if short_open_tag is disabled in php.ini
You should try error_reporting(E_ALL); for additional error output. Check all POST variables with an echo() / var_dump(), check the ifs also with echo() and make sure that everything is OK.
The echo for $error is doubled.
Additionally, you should not use the Location element in the header with a relative path.

PHP sessions with HTML

I have a website which uses PHP and HTML pages, I want to create a session which stores a username from the login page. But the login pages are php and the next pages are html.
Is this a problem or can I just add a small statement of php into the html page saying
<?php session_start();
$_SESSION['loginid']=$_POST['username'];
?>
Or am I doing it wrong?
This is the first time I've used sessions and they confuse me a little.
Thanks for any help.
If you have access to your apache configuration, or a simple .htaccess file, you can tell Apache to handle php code inside of an .html file. You can do this by creating an .htaccess file (remember the . (dot) as the first character in that filename) on the document root of the site (probably public_html/) and putting this into it:
# Add this to public_html/.htaccess file
AddHandler application/x-httpd-php .html
AddHandler application/x-httpd-php .htm
You should be able to reload the html page and your PHP code (from Michael Matthews' answer) will run great.
You are trying to share a PHP session variable with a page that is of type text/html. As you suggested you must make the HTML page a PHP page for this to work and add a little snippet of PHP somewhere to display the user name.
Change your HTML page to PHP. At the top of the page add something like this:
<?php
session_start(); // must be before any output
$username = $_SESSION['username'] ?? ''; // or whatever you called it
// check that $username is valid here (safe to display)
?>
html here
Hello <?= htmlspecialchars($username, ENT_QUOTES, 'UTF-8') ?>!
As the sessions are handled by PHP, it needs PHP to maintain the state. You need at least session_start() to use the session variables stored in $_SESSION.
You can't put php into .html files without playing around with your server's configuration files. You should only put php into .php files.
If you have a lot of .html files, you can simply rename them to .php files. It's okay to put pure html into something.php. So, you should make sure that all of your files end with .php, and then you can put any session logic you want into them.
