Thread: PHP Sessions

  1. #1

    PHP Sessions

    Hi All,

    I'm currently working on a Member Log-in Script. I'm trying to set up the sessions. I have session_start() on each page and when they've logged in, I store their username in $_SESSION['username'] which I can carry through on other pages.

    I need to have the username displayed on each page but at the same time, if they manually type in the URL of another page then they need to either be redirected to the login page (if they haven't logged in yet) or if their access level doesn't authorize them to be on that page, then also redirect or display an error message.

    I'm assuming I will need to use isset to check if they are logged in. Basically what I'm asking is, am I doing this correctly as currently the username carries through but is present on every page - even if they aren't supposed to have access to it.

    Login Page:
    PHP Code:
    <?php
        include('functions.php');
        session_start();
        $mysqli = openConnection();

        if (!isset($_POST['username'])) //Checks to see if any values have been inputted into form fields.
        {
            $message = "Please log in";
        }
        else
        {
            $_SESSION["username"] = $_POST["username"];
            $username = $_POST['username'];
            $password = $_POST['password'];
            if (validateUser($username, $password) != 0)
            {
                $accessLevel = getAccess($username);
                if ($accessLevel == 0)
                {
                    $message = "Unable to determine access level, redirecting to Member Portal";
                }
                elseif ($accessLevel == 1)
                {
                    $message = "Logged in as Member";
                }
                elseif ($accessLevel == 2)
                {
                    header("Location: manager.php");
                }
                else
                {
                    header("Location: admin.php");
                }
            }
            else
            {
                $message = "Unable to log you in, please try again";
            }
        }
        print $message;
    ?>

    <html>
        <head>
            <title> User Login </title>
        </head>
        <body>
            <form action = "<?php echo $_SERVER["PHP_SELF"]; ?>" method = "POST">
                Username: <input type = "text" name = "username" value ="" /> <br/>
                Password: <input type = "password" name = "password" value = "" /> <br/>
                <input type = "submit" name = "submit" value = "Login" />
                <input type = "reset" name = "reset" value = "Reset" />
            </form>
        </body>
    </html>
    manager.php
    PHP Code:
    <?php
        include('functions.php');
        session_start();
        $mysqli = openConnection();

        if (!isset($_SESSION['username']))
        {
            header("Location: userLogin.php");
        }
        else
        {
            print($_SESSION['username']);
            print("<br/>Logged in as Manager");
        }
    ?>
    Thanks.

  2. #2
    Dan Grossman
    Once you verify that the user is logged in, you also need to check that they have access to the current page, on every single page. Not just at login time.
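
The per-page check described in the reply above, sketched as an added example that is not code from either post. It assumes the access levels in the first post are ordered (1 = member, 2 = manager, and 3 = admin, which the thread does not state) and that a higher level may view lower-level pages; `accessDecision`, `requireAccess` and the sample users are hypothetical names, and `$lookupLevel` stands in for the thread's `getAccess($username)`.

```php
<?php
// Added example, not code from the thread. Level numbers follow the first
// post (1 = member, 2 = manager); 3 = admin and the ordering are assumptions.
const LEVEL_MEMBER  = 1;
const LEVEL_MANAGER = 2;
const LEVEL_ADMIN   = 3;

/**
 * Decide what to do with a request: 'login', 'forbidden' or 'allow'.
 * Kept free of headers and exit so it can be exercised from the CLI.
 * $lookupLevel stands in for the thread's getAccess($username).
 */
function accessDecision(array $session, int $required, callable $lookupLevel): string
{
    if (!isset($session['username']) || !is_string($session['username'])) {
        return 'login';                        // nobody is logged in
    }
    // Re-read the level on every request so a demotion takes effect at once.
    $level = (int) $lookupLevel($session['username']);
    return $level >= $required ? 'allow' : 'forbidden';
}

/** Call at the top of every protected page, before any output is sent. */
function requireAccess(int $required, callable $lookupLevel): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    switch (accessDecision($_SESSION, $required, $lookupLevel)) {
        case 'login':
            header('Location: userLogin.php');
            exit;                              // header() alone does not stop the script
        case 'forbidden':
            http_response_code(403);
            exit('You are not authorized to view this page.');
    }
}

// Constructed sample data standing in for the members table.
$levels = ['alice' => LEVEL_MEMBER, 'bob' => LEVEL_MANAGER];
$lookup = fn(string $user): int => $levels[$user] ?? 0;

// What manager.php would decide for three different visitors.
foreach ([[], ['username' => 'alice'], ['username' => 'bob']] as $session) {
    printf("%-8s %s\n", $session['username'] ?? '(none)',
        accessDecision($session, LEVEL_MANAGER, $lookup));
}
```

In a page such as manager.php the call would be `requireAccess(LEVEL_MANAGER, 'getAccess');` placed right after `functions.php` is included. For the `isset` check to mean anything, the login script must write `$_SESSION['username']` only after the credentials have been validated.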

