User sessions

[duuudie]

Hi,
ok you set your session['loggedin'] to true, which is good. But then what? Maybe that you should redirect your users

PHP Code:

}else{

    $_SESSION['userID'] = $row['userID'];
    $_SESSION['username'] = $row['username'];
    $_SESSION['loggedin'] = TRUE; // Setting session var 'loggedin' to true--> check it on top of each you want to be protected.

//------------------>REDIRECT YOUR USERS
    
} 


To check that a page can be viewed by an authenticated member, the only bit of code you need is that one:

PHP Code:

if ($_SESSION['loggedin'] == TRUE) {
//display page
}
else {
//redirect to another page, like index or login...
} 


There is a little detail that you should not neglect though, this script relies on sessions... So you must make sure that every page you have that uses sessions must have this line at the very top of itself:

PHP Code:

<?php
session_start();

//...
//...
//...
//...

I didn't notice that you removed that line

Everytime you see a session superglobal (ie $_SESSION['whatever']) you will need this at the top of your page, other wise it won't work.

[MilchstrabeStern]

Ah ha, I'm getting much closer now.

so this is the bit of code I'm including at the top of all my authenticated pages:

PHP Code:

<?php
session_start();
if ($_SESSION['loggedin'] == TRUE) {
//display page
}
else {
    header('Location:http://www.mplionhearts.com/login.php'); // Redirect to error page.
    exit;//redirect to another page, like index or login...
} 
?>

yeah it works, if your logged in it will allow you to stay, however I get a nasty error line at the top of the page anyways (even tho the rest of the page displays fine), its one of those common session errors:

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/mplionhe/public_html/welcome.php:5) in /home/mplionhe/public_html/check.php on line 2

Thats the only error I get if I log in, it shows up at the top of the page, but the rest of the page comes up. However try going to http://www.mplionhearts.com/welcome.php and it should redirect you to the login page because your not logged in, but instead you get 3 errors, why is this?

[duuudie]

closer right

that's because you must have the session_start() part at the top of the page including the auth script and not in the auth script itslef:

PHP Code:

<?php
session_start();

require_once('auth.php'); // or require, include etc....

got it now?

[MilchstrabeStern]

Awesome it works now thanks so much for the fast and great help!

[boboli]

Hi MS,

Here is some code you might want to modify and use:

It looks very procedural and I haven't spent much time with security issues, but anyways I am pretty sure that it should get you started:
...

Then use this code on top of each page you want to be protected:

PHP Code:

  
  if ($_SESSION['loggedin'] == TRUE) { 
  //display page 
  } 
  else { 
  //redirect to another page, like index or login... 
  } 


....

that's it pretty much.

'hope that helped

Hi duudie..
I just tryed your code and I have a problem in the page protection...

I do not understand where to start the session...
I have a login form that redirect to the checklogin.php than....I can reach the panel.php page if it is not protected (that means that the user and password are correct...)

If I add the protection to the page...dead end

I'm always redirected to the error page...
thanks
Roberto

[boboli]

closer right

that's because you must have the session_start() part at the top of the page including the auth script and not in the auth script itslef:

PHP Code:

 <?php
 session_start();
 
 require_once('auth.php'); // or require, include etc....

got it now?

I think I have the same prob here...

I do not understand what auth.php is...
sorry to be dummy

[boboli]

me again this is my panel.php page (the one that should be protected...)

PHP Code:

 <?php
 session_start();
 if ($_SESSION['loggedin'] == TRUE) {
 //display page
 ?>
 <head>
 <title>Area Protetta Accademia B&B by BoboliWeb</title>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <link href="private.css" rel="stylesheet" type="text/css" media="all" />
 </head>
 
 <body><div id="bodyContent">
   <div id="main">
     <div>
     <fieldset>
 <legend>AREA PROTETTA</legend>
 <p>PANNELLO DI CONTROLLO</p>
 <p>USA I LINK PER INSERIRE O MODIFICARE I DATI INSERITI NEL DATABASE</p>
 <p><a href="periodi.php" target="_blank">VISUALIZZA I PERIODI</a></p>
 <p><a href="tariffe.php" target="_blank">MODIFICA LE TARIFFE</a></p>
 <p><a href="new_tariffe.php" target="_blank">INSERISCI NUOVE TARIFFE</a></p>
 
 </fieldset></div><!-- /main -->
    </div><hr />
 
 
 
 
 <!-- pie' di pagina -->
 <div id="piedipagina">
 
         <p class="footer">Copyright by BoboliWeb 2005</p>
 </div>
 <!-- pie' di pagina -->
 </div></body>
 </html>
 
 <?
 }
 else {
     header('Location:http://boboli.altervista.org/biga/index.php'); // Redirect to error page.
     exit;//redirect to another page, like index or login...
 }
 ?>

now it does not take me to panel.php, it stays on login.php but I receive a WHITE page...
if I refresh the panel.php is loaded correctly... any idea ???

[mx2k]

auth.php is just an example name for the file that holds your function or code block that is used to verify users.

require('auth.php'); will import the file and script into the current page

and auth.php will be something on the lines of

PHP Code:

<?php

//intialize variables
$user = "";
$password = "";

if (isset($_POST['submit']))
{

     $user = $_POST['username'];
     $pass = $_POST['password'];

     // sql statement
     $query = "SELECT user, password FROM users WHERE users = " . $user . "";

       // $dbc stands for your database connection
      $result = @mysql_query($query, $dbc);

      // if there was no result, the user name was incorrect ( as long as your database connection is right
      if(!$result) {
            $error = 'your user name was incorrect';
             
      }else {

                while($row = mysql_fetch_array(MYSQL_BOTH, $result) {
                    $pwMatch = $row['password'];
                    $userMatch = $row['user'];

                 } // end while
      


        }// end 2nd if
     
        // if the hashed passwords match
        if (md5($password) == $pwmatch) {
         
               //then user log in is set true
              $_SESSION['loggedIn'] = true;

        }else {
              // if the statement was false, give an error
              $error  = 'your password was incorrect, try again';
        
        }// end 3rd if

}// end main if
?>

i would have more error handling and things like testing string length, but you get the idea

its where your log in script is located. rather than typing it on every page, just include or require it.

(just make sure that you have session_start(); at the top of every page before everything else)

so

PHP Code:

<?php
session_start();
require_once('auth.php'); # or where ever you file is, ie.  includes/auth.php
?>

however if the file is not found, require_once will kill the script's exection unlike include_once()

[duuudie]

don't have anything to add

obviously, it's a very simple example of user auth and there are a lot more checks that can be made. But get started with it and make it more thorough later

[boboli]

thank you duuudie... my problem now is that with IE6 I can reach the protected page only with refreshing the page....
I posted a new thread asking to test tha pages...
Thank You
Roberto