  1. #1
    SitePoint Enthusiast
    Join Date
    Dec 2009
    Location
    Port Harcourt
    Posts
    58

    Access Control Not Working

    I have this code shown below processing my login form:

    HTML Code:
    // process the script only if the form has been submitted
    if (isset($_POST['action']) && $_POST['action'] == 'login')
    {
        // start the session
        session_start();
        // clean the $_POST array and assign to shorter variables
        $userName = trim($_POST['userName'] ?? '');
        $passWord = trim($_POST['passWord'] ?? '');

        // connect to the database
        $conn = DatabaseManager::getConnection();

        // get the username's details from the database
        $sql = "SELECT * FROM user WHERE userName = ?";
        $stmt = $conn->prepare($sql);
        $stmt->execute(array($userName));
        $row = $stmt->fetch();

        // $row is false when the username does not exist; hash_equals() compares
        // the two digests as strings (== on hex strings is a loose comparison)
        if ($row && hash_equals((string) $row['passWord'], md5($passWord . 'mysecret@#$mysecret'))) {
            $_SESSION['loggedIn'] = TRUE;
            $_SESSION['userName'] = $userName;
            // the password itself is not kept in the session
        }
        // if no match, destroy the session and prepare error message
        else {
            $_SESSION = array();
            session_destroy();
            $error = 'Invalid username or password';
        }

        // if the session variable has been set, redirect
        if (isset($_SESSION['loggedIn'])) {
            // get the time the session started
            $_SESSION['start'] = time();

            $login = TRUE;
            header('Location: homepage.php');
            exit();
        }
        else
        {
            // this value does not survive the redirect to index.php
            $GLOBALS['loginError'] = 'Please fill in both fields';
            header('Location: index.php');
            exit();
        }
    }
    else {
        require $_SERVER['DOCUMENT_ROOT'] . 'mysite/login.php';
        exit();
    }
    This is my login form
    HTML Code:
    <form action="" method="post">
            <tr>
              <td colspan="2" align="center" valign="middle"><p id="p_header2"><strong> Please Login</strong></p></td>
            </tr>
            <tr>
              <td width="35%" align="right" valign="middle"><label for="username">Username:</label></td>
              <td width="65%"><input type="text" name="userName" placeholder="Your username" required="required" autofocus="autofocus" maxlength="30"/></td>
            </tr>
            <tr>
              <td width="35%" align="right"><label for="password">Password:</label></td>
              <td width="65%"><input type="password" name="passWord" placeholder="Your password" required="required" autofocus="autofocus" maxlength="30"/></td>
            </tr>
            <tr>
              <td colspan="2" align="center" valign="middle">Forgot your password ? <a href="forget_pwd.html.php">Click here</a></td>
            </tr>
            <tr>
              <td colspan="2" align="center" valign="middle"><input type="hidden" name="action" value="login" />
                <input type="reset" name="reset" value="Reset" />
                &nbsp; &nbsp;
                <input type="submit"  value="Log in" /></td>
            </tr>
          </form>
    Everything works fine, but the challenge I'm having here is that when I tried to use this code below in homepage.php
    HTML Code:
    <?php if ($_POST['action'] == 'login')
    	  { 
    	    echo 'I am logged in';
    	  }
    	  ?>
    It gave me this error message: Notice: Undefined index: action in C:\wamp\www\mysite\homepage.php on line 33

    The major effect this is having on my project is that, as far as $_POST['action'] == 'login' doesn't work, my Access Control List too won't work because it depends on it entirely. I have my $_SESSION variables up and running and the only problem I couldn't figure out is how to get $_POST['action'] == 'login' from the login page to work on other pages. Please note, immediately after the login, it leads straight to homepage.php from where users can select the area they want to go. Thanks in advance.

  2. #2
    SitePoint Member
    Join Date
    Jul 2012
    Location
    Minnesota
    Posts
    11
    Hi papadammy, welcome to the forum. I wasn't 100% clear on your question, so please forgive me if my advice is off the mark for your situation.

    If I follow you correctly, you have a login page that redirects to homepage.php if the username and password were valid. You are then using the last code block you posted to see if the user is logged in on homepage.php. Remember that HTTP requests are typically stateless. In other words, homepage.php has no idea what happened on your login page. Your login page doesn't submit your username and password right to homepage.php, so when the check fires on homepage.php, it knows nothing about the hidden action parameter.

    To maintain state across pages, sessions are required, which I see you are using. Instead of checking against $_POST['action'] you should check directly against your session data like so:

    Code:
    // isset() avoids an "Undefined index" notice when the visitor is not logged in
    if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true) {
        echo 'Logged in';
    }
    Also you will want to make sure that your homepage.php file (or one of your main includes) has a call to session_start() before you try to do your auth check.
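
The session check suggested above, extended into a reusable guard for the access control list the question mentions. This is an added example, not code from the thread: the file name auth_guard.php, the function check_access(), the $_SESSION['role'] key, the page name admin.php and the 1800-second limit are all assumptions; $_SESSION['loggedIn'] and $_SESSION['start'] are the keys set by the login script in the first post.

```php
<?php
// auth_guard.php (hypothetical file name): include at the top of every protected page.
// Assumes the login script sets $_SESSION['loggedIn'] and $_SESSION['start'] as in the
// thread; $_SESSION['role'] and the $acl map are assumptions added for this example.

const MAX_SESSION_AGE = 1800; // seconds; constructed value

/**
 * Decide whether the current session may view $page.
 * Returns 'ok', 'login' (not authenticated or expired) or 'forbidden'.
 */
function check_access(array $session, string $page, array $acl, int $now): string
{
    // isset() avoids the "Undefined index" notice when the key is missing;
    // !== true rejects truthy values such as the string 'no'.
    if (!isset($session['loggedIn']) || $session['loggedIn'] !== true) {
        return 'login';
    }
    // Treat a missing or too-old start time as an expired session.
    if (!isset($session['start']) || $now - (int) $session['start'] > MAX_SESSION_AGE) {
        return 'login';
    }
    $role = $session['role'] ?? 'user';
    // Pages missing from the map are denied by default.
    return in_array($role, $acl[$page] ?? [], true) ? 'ok' : 'forbidden';
}

$acl = [
    'homepage.php' => ['user', 'admin'],
    'admin.php'    => ['admin'], // constructed page name
];

session_start(); // must run before any read of $_SESSION
$decision = check_access($_SESSION, basename($_SERVER['SCRIPT_NAME']), $acl, time());

if ($decision === 'login') {
    // Clear whatever is left of the session and send the visitor to the login form.
    $_SESSION = [];
    session_destroy();
    header('Location: index.php');
    exit();
}
if ($decision === 'forbidden') {
    http_response_code(403);
    exit('Access denied');
}
```

Each protected page would start with `require 'auth_guard.php';` before any output. In the login script, calling session_regenerate_id(true) right after the password check gives the authenticated session a fresh ID.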

  3. #3
    SitePoint Enthusiast
    Join Date
    Dec 2009
    Location
    Port Harcourt
    Posts
    58
    Quote Originally Posted by codeatar View Post
    Hi papadammy, welcome to the forum. I wasn't 100% clear on your question, so please forgive me if my advice is off the mark for your situation.

    If I follow you correctly, you have a login page that redirects to homepage.php if the username and password were valid. You are then using the last code block you posted to see if the user is logged in on homepage.php. Remember that HTTP requests are typically stateless. In other words, homepage.php has no idea what happened on your login page. Your login page doesn't submit your username and password right to homepage.php, so when the check fires on homepage.php, it knows nothing about the hidden action parameter.

    To maintain state across pages, sessions are required, which I see you are using. Instead of checking against $_POST['action'] you should check directly against your session data like so:

    Code:
    // isset() avoids an "Undefined index" notice when the visitor is not logged in
    if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true) {
        echo 'Logged in';
    }
    Also you will want to make sure that your homepage.php file (or one of your main includes) has a call to session_start() before you try to do your auth check.

  4. #4
    SitePoint Enthusiast
    Join Date
    Dec 2009
    Location
    Port Harcourt
    Posts
    58
    Codeatar, you really rock. That code did exactly what I wanted, I just tweaked it a little bit and everything is fine now. Thanks man.

