  1. #1
    SitePoint Addict mserms's Avatar
    Join Date
    Jun 2001
    Location
    Scotland
    Posts
    230
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Not sessions and accesscontrol again!

    I've checked some older posts about this, but still can't get it working correctly. What I'm trying to achieve is what Kevin does in this accesscontrol tutorial but with register_globals turned off. I understand all the concepts of sessions (I think!), but can't work out what's wrong here. After logging in on the first page, subsequent pages require logging in again. For some reason $_SESSION['uid'] is not set in the if statement near the start...

    After reading some other posts and a bit of hacking around I've come up with this, access.php:

    PHP Code:
    <?PHP
    echo "session uid: " . $_SESSION['uid'] . "<br />";
    echo "request uid: " . $_REQUEST['uid'] . "<br />";
    if($_REQUEST['uid'] || $_SESSION['uid']) {
        if ($_REQUEST['uid'] == "" ) {
            $uid = $_SESSION['uid'];
            $pwd = $_SESSION['pwd'];
        }
        else {
            $uid = $_REQUEST['uid'];
            $pwd = $_REQUEST['pwd'];
        }
        $_SESSION['uid'] = $uid;
        echo "session uid (2): " . $_SESSION['uid'] . "<br />";
        $_SESSION['pwd'] = $pwd;
        echo "session pwd (2): " . $_SESSION['pwd'] . "<br />";

        if($uid != "Mark" || $pwd != "pass") { //will change to DB stuff later
            unset($_SESSION['uid']);
            unset($_SESSION['pwd']);
    ?>
    <p>denied</p>
    <?PHP
            exit();
        }
    } //end big if
    else {
    ?>
    <h2>Login Required</h2>

    <p>You must log in to access the Administration Panel.</p>
    <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="uid" size="8" /><br />
    Password: <input type="password" name="pwd" SIZE="8" /><br />
    <input type="submit" value="Log in">
    </form></p>
    <?PHP
    exit();
    }
    ?>
    My pages look like this, test.php:

    PHP Code:
    <?PHP
    session_start();
    include("access.php");
    ?>
    <!DOCTYPE...>
    <html>....
    Anyone got any clues? Am I missing something obvious?
    Last edited by mserms; May 4, 2003 at 20:18.

  2. #2
    if($awake){code();} PHP John's Avatar
    Join Date
    Jul 2002
    Location
    Along the Wasatch Fault line.
    Posts
    1,771
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What are you using $_REQUEST[] for?

    Include() something like this at the top of all of the pages that require an authorized user:
    PHP Code:
    <?php

    session_start();

    if(!$_SESSION['uid'])
    {
      header( "location: [your login script]" );
      exit; // stop here so the rest of the protected page does not run
    }
    ?>
    And your login script would look something like this:
    PHP Code:
    <?php

    session_start();

    $userName = isset( $_POST['userName'] ) ? $_POST['userName'] : '';
    $password = isset( $_POST['password'] ) ? $_POST['password'] : '';

    if( !$userName || !$password )
    {
      header( "location: [your login script]" );
      exit; // stop here so the query below does not run with empty input
    }

    if( mysql_query( "SELECT * FROM [userTable] WHERE [userNameField] = '$userName' AND [passwordField] = 'md5($password)'" ) )
    {
      $_SESSION['uid'] = $userName; // <- or whatever value you assign $uid
    }
    ?>
    Last edited by PHP John; May 5, 2003 at 19:52. Reason: Edit of code to add "session_start()"
    John
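
An added example, not part of the thread or any poster's code: the login check and page gate from the post above, written for current PHP, with a hypothetical `users` table (`user_name`, `password_hash`), hypothetical function names, and in-memory SQLite as constructed demo data. In the posted query `md5($password)` sits inside the string and is never called, and a successful `mysql_query()` result is truthy even when no row matched; this version binds the input as a parameter, verifies a `password_hash()` value, and exits after the redirect.

```php
<?php
// Added example, not code from the thread. The users table, its columns and
// the function names are assumptions made for illustration.

function check_login(PDO $db, string $userName, string $password): bool
{
    // The placeholder keeps user input out of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user_name = ?');
    $stmt->execute([$userName]);
    $hash = $stmt->fetchColumn();           // false when no row matched
    // password_verify() checks against a salted password_hash() value.
    return is_string($hash) && password_verify($password, $hash);
}

function log_in(PDO $db, string $userName, string $password): bool
{
    if (!check_login($db, $userName, $password)) {
        return false;
    }
    session_regenerate_id(true);            // fresh session ID once authenticated
    $_SESSION['uid'] = $userName;           // store the identity, not the password
    return true;
}

function require_login(string $loginUrl): void
{
    if (empty($_SESSION['uid'])) {
        header('Location: ' . $loginUrl);
        exit;                               // without this the protected page still runs
    }
}

// Constructed demo data: in-memory SQLite stands in for the real user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['Mark', password_hash('pass', PASSWORD_DEFAULT)]);

session_start();                            // before any output, on every page
$results = [
    'correct password' => log_in($db, 'Mark', 'pass'),
    'wrong password'   => log_in($db, 'Mark', 'wrong'),
    'unknown user'     => log_in($db, "O'Brien", 'pass'),
];
require_login('login.php');                 // passes: uid was set by the first call
var_dump($results);
```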

  3. #3
    SitePoint Addict mserms's Avatar
    Thanks John, I'll have a play with that this evening.

    The $_REQUEST was used to catch the variables after the form has been filled in but before it's been checked as a valid user/pass. Must confess it's mostly code someone else on here has written, but seems to make sense.

  4. #4
    SitePoint Addict mserms's Avatar
    What I've got isn't a final code layout or anything like that, I'm just trying to get the basics working first. For some reason I still can get variables recognised over sessions:

    login.php:

    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" >

    <head>
    <title>Login</title>
    </head>

    <body>
    <?php //login.php
    if($_POST['submitlogin']) {
        $username = isset( $_POST['username'] ) ? $_POST['username'] : '';
        $password = isset( $_POST['password'] ) ? $_POST['password'] : '';
        if(!$username || !$password) {
            header ("location: login.php");
        }
        echo "un: " . $username . "<br />";
        echo "pw: " . $password . "<br />";
        if($username == "Mark" && $password == "pass") {
            $_SESSION['uid'] = $username; // <- or whatever value you assign $uid
            echo "<p>Does the session var get set: " . $_SESSION['uid'] . " - yep!<br />";
            echo "<a href=\"admin.php\">Admin page</a></p>";
        }
    }
    ?>
    <form method="get" action="login.php">
    Username: <input type="text" name="username" size="8"><br />
    Password: <input type="password" name="password" SIZE="8"><br />
    <input type="submit" name="submitlogin" value="Log in">
    </form>
    </body>
    </html>
    top of admin.php:

    PHP Code:
    <?php
    session_start();
    echo "ss: " . $_SESSION['uid'] . " - bugger, where's it gone?<br />";
    if(!$_SESSION['uid'])
    {
        header( "location: login.php" );
    }
    ?>
    Am I doing something when I set the session var? Is there some mistake I've made in setting up PHP? I'm out of ideas.

  5. #5
    if($awake){code();} PHP John's Avatar
    You MUST use session_start() on every page you want access to session variables, and it is recommended that you place that line as the FIRST line in your PHP script (an include() that includes a session_start() counts). That means assigning session variables, as well. Sorry if that was not clear in my previous post.
    John

  6. #6
    SitePoint Addict mserms's Avatar
    Thanks for the help John. Already got session_start() at the very top of the pages, still no joy.

    It might be worth noting that I've had what seems to be the same problem with my original code as with the code you gave me. It's as though session_start() doesn't re-initialise the variables for some reason. As you can see, I've checked that the $_SESSION['uid'] is set before leaving the initial script, but it doesn't appear in the next script.

    Maddening!

  7. #7
    if($awake){code();} PHP John's Avatar
    I'm a bit confused. I don't see session_start() in your "login.php" script.

    *edit -- TOTALLY my mistake and misdirection. I edited the script I posted above.
    Last edited by PHP John; May 5, 2003 at 19:51.
    John

  8. #8
    SitePoint Addict mserms's Avatar
    Thanks John. Made that change (should've spotted that myself) but there's still no change. Hmmm.

  9. #9
    if($awake){code();} PHP John's Avatar
    Hey Mark, the first thing I would change is the "method" in your form to "post".

    Because you are testing for "posted" variables. That is why you are using $_POST[], instead of $_GET[]. These PHP arrays correspond directly with the "post" and "get" methods of forms.

    Sorry I didn't notice it earlier.

    $_POST[] == posted form variables

    $_GET[] == "getted" form variables

    I tested your script locally with the "post" change, and it worked just fine.
    John

  10. #10
    SitePoint Addict mserms's Avatar
    Yeah the GET thing was a mistake in the post. No joy even with POST. Think you could mail me the exact files you've tested it with?

  11. #11
    if($awake){code();} PHP John's Avatar
    I'll post them here as well.

    login.php
    PHP Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "[url=http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd]http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd[/url]">
    <html xmlns="[url=http://www.w3.org/1999/xhtml]http://www.w3.org/1999/xhtml[/url]" xml:lang="en" >
      <head>
        <title>Login</title>
        </head>
      <body>
    <?php //login.php
    session_start();
    if($_POST['submitlogin']) {
        $username = isset( $_POST['username'] ) ? $_POST['username'] : '';
        $password = isset( $_POST['password'] ) ? $_POST['password'] : '';
        if(!$username || !$password) {
            header ("location: login.php" );
        }
        echo "un: " . $username . "<br />";
        echo "pw: " . $password . "<br />";
        if($username == "Mark" && $password == "pass" ) {
            $_SESSION['uid'] = $username; // <- or whatever value you assign $uid
            echo "<p>Does the session var get set: " . $_SESSION['uid'] . " - yep!<br />";
            echo "<a href=\"admin.php\">Admin page</a></p>";
        }
    }
    ?>
        <form method="post" action="login.php">
          Username: <input type="text" name="username" size="8"><br />
          Password: <input type="password" name="password" SIZE="8"><br />
        <input type="submit" name="submitlogin" value="Log in">
        </form>
      </body>
    </html>
    admin.php
    PHP Code:
    <?php
    session_start();
    echo "ss: " . $_SESSION['uid'] . " - bugger, where's it gone?<br />";
    if(!$_SESSION['uid'])
    {
      header( "location: login.php" );
    }
    ?>
    The BBS software needs a feature that disables the parsing of URLs and email addresses inside of PHP and CODE tags!

    The DOCTYPE is all screwed up because of it. I'll email you the files as well.
    John

  12. #12
    SitePoint Addict mserms's Avatar
    Hmmm that doesn't work either so it must be something to do with my PHP setup (I can't think of anything else).

    Anyone got any clues as to what might be wrong?

  13. #13
    SitePoint Addict mserms's Avatar
    Ah... I hadn't changed my sessions directory to something that actually exists :roll:

    Thanks for your help John, your code's been useful.

    Both sets of code are working fine now.
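
An added diagnostic, not part of the thread: it checks for the cause found above, a `session.save_path` pointing at a directory that does not exist, and confirms that a value written to `$_SESSION` can be read back after the session is closed and reopened. The function names are hypothetical and `/nonexistent/php-sessions` is a constructed input.

```php
<?php
// Added diagnostic, not code from the thread. Function names are illustrative.

// Directory used by the "files" handler. session.save_path may be
// "/path", "N;/path" or "N;MODE;/path"; the directory is the last field.
function session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = trim((string) end($parts));
    return $dir !== '' ? $dir : sys_get_temp_dir(); // empty setting: temp dir
}

// Reasons the session file cannot be stored; an empty array means none found.
function session_storage_problems(string $handler, string $savePath): array
{
    if ($handler !== 'files') {
        return [];                       // other handlers do not use a directory
    }
    $dir = session_dir($savePath);
    if (!is_dir($dir)) {
        return ["session.save_path directory does not exist: $dir"];
    }
    return is_writable($dir) ? [] : ["session.save_path is not writable by PHP: $dir"];
}

// Write a value, close the session, reopen it by ID and read the value back.
function session_round_trip_ok(): bool
{
    if (!@session_start()) {
        return false;
    }
    $id = session_id();
    $_SESSION['probe'] = 'stored';
    session_write_close();
    $_SESSION = [];
    session_id($id);
    $ok = @session_start() && ($_SESSION['probe'] ?? null) === 'stored';
    @session_destroy();                  // remove the probe session again
    return $ok;
}

$roundTrip = session_round_trip_ok();    // run before any output is sent
$live = session_storage_problems(
    (string) ini_get('session.save_handler'),
    (string) ini_get('session.save_path')
);
// Constructed input: a directory that does not exist, the fault found in the thread.
$missing = session_storage_problems('files', '/nonexistent/php-sessions');
var_dump($roundTrip, $live, $missing);
```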

  14. #14
    if($awake){code();} PHP John's Avatar
    ...oh, the simple things in programming...
    John

  15. #15
    SitePoint Addict mserms's Avatar
    It's great fun, really it is!

