Single Login

I have done a few log in system posts in the past, and with the help I received here, they ended up working. Instead of having a login for a few directories, I want to make a single log in form at the root.

So if I wanted to protect:

  1. /test.php
  2. /dir1/
  3. /dir3/form.php

When I visit the links above, I want to be bounced to /login.php. I have only tried this on one page so far. On that page I put:

session_start();
  if(!isset($_SESSION['user'])){ 
   header('Location: login.php'); 
  }

  $this_url = $_SERVER['REQUEST_URI'];
  $_SESSION['this_url'] = $this_url;

On the login form, I used my old code to check login and such. On the action attribute I did

action="http://site.com<?php echo $_SESSION['this_url']; ?>"

However, when I hit submit, I get redirected to the log in form, like my sessions aren’t carrying.

You POST your login details to the page that redirected to login.php, instead of to login.php which has the code for actually logging you in. It’s a loop where the form processing code never gets run.

Are you saying that is what I am doing, or what I need to do? On login.php I have:

  session_start();
  if(isset($_POST['user'], $_POST['pass'])) { 
    if($_POST['user'] === 'xxx' && $_POST['pass'] === 'xxx'){
      $_SESSION['user'] = $_POST['user'];
      $_SESSION['pass'] = $_POST['pass'];
    }
  }?>

The action on the form is the last code block in #1. On test.php I have


  session_start();
  if(empty($_SESSION['user']) && empty($_SESSION['pass'])){ 
    header('Location:login.php');
  }

Check what is in $_SESSION['this_url'] - that is where your POST goes.
You should exit; after a header('Location…'); All that function does is send a header to the browser, the “browser” doesn’t have to follow, and your script will still be executing.

hash, the $_SESSION['this_url'] is in test.php, it would also be in dir/index.php, /dir3/form.php as well as any other page/directory, that needs ‘locked’. The code in those pages looks like:


session_start(); 
  if(!isset($_SESSION['user'])){ 
   header('Location: login.php'); 
  } 

  $this_url = $_SERVER['REQUEST_URI']; // this page relative to root
  $_SESSION['this_url'] = $this_url;

Maybe the $_SESSION['this_url'] needs to be initiated prior to header redirect? These pages don’t necessarily have POST information. For example, test.php just has code snippets. So I am not following what your first comment means.

action="http://site.com<?php echo $_SESSION['this_url']; ?>"

This is your login form action? This is where your form submits values to. Think about it :P


// protected
if not logged in
    store redirect url
    send to login page
else
    page

// login.php
if login worked
    send to redirect url
else
    show form and errors

Hi hash, sorry for the delay.
Yes that is my login form action. I was thinking you meant what was the action of the form on test.php, so I was confused because I didn’t think that I said test.php had a form. Would a protected page then become a big if else statement?

test.php


<?php
  session_start();
  if(isset($_SESSION['user'])){ 
  $this_url = $_SERVER['REQUEST_URI']; // this page relative to root 
  $_SESSION['this_url'] = $this_url;
  header('Location: login.php'); 
  exit;
  } else { ?>
 <!DOCTYPE html PUBLIC "-//W3C 
  ....
  <?php } //end else ?>

…yuck

You don’t need to write the else, since the exit serves the same purpose of preventing the “else” code from running if you’re redirecting.

Gotcha Dan. I was thinking that, but wasn’t 100%

I think I am missing a step here and I am not sure where exactly. Test.php is the same as in post #7. Login.php changed slightly from before:


  session_start();
  if(isset($_POST['user'], $_POST['pass'])) { 
    if($_POST['user'] === 'zzz' && $_POST['pass'] === 'zzz'){
      $_SESSION['user'] = $_POST['user'];
      $_SESSION['pass'] = $_POST['pass'];
      header('Location: http://site.com/'.$_SESSION['this_url']);
      exit;
    }
  }

I tried doing what hash said, but I am not sure what is wrong now.




  if(isset($_POST['submit'])){
?>
  <form id="template" method="post" action="http://site.com<?php echo $_SESSION['this_url'];?>">
       Name <input id="user" type="text" /><br />
       Pass <input id="pass" type="password" /><br />
       <input id="submit" type="submit" />
   </form>
<?php }elseif($_POST['user'] !== 'zzz' && $_POST['pass'] !== 'zzz'){
      echo '<p>Bad Username/password. Please Retry</p>';?>
      <form id="template" method="post" action="http://site.com<?php echo $_SESSION['this_url'];?>">
       Name <input id="user" type="text" value="<?php echo $_POST['user'];?>" /><br />
       Pass <input id="pass" type="password" /><br />
       <input id="submit" type="submit" />
      </form>
    <?php }?>

Correct me if I am off, it checks to see if submit is set, if not, show form. If it is set, check if the user/pass match. If not show form again, with user filled in.

I think part of the issue is not quite knowing about how isset works exactly. Several sites say isset works like this:


if(isset($blah)){
 #evaluate as false
}else{
 #eval as true
}

There are sites that say that true is first then false. Not sure which is correct cause I have done a few examples. I have gotten both answers, but that may be server lag…

Your form action has been the problem from the beginning and still is –

  <form id="template" method="post" action="http://site.com<?php echo $_SESSION['this_url'];?>"> 

You’re saying that the browser should POST the data from this form to the page at “this_url”, which is the one that redirected them to the login form.

But that’s not where you want it POSTed, you want it sent to login.php which is where the code to process this form is.

If you POST it to the page that requires a login, you’re still not logged in, it’s going to redirect you right back to login.php and show the form again.

Make it

<form id="template" method="post" action="login.php">

/facepalm
Oi, I didn’t realize that is what you guys meant. There is something I am still not catching, since I am still in a loop. I made it login.php as well as putting the full path, neither work.

I think that at this stage it would be useful to see the full code for a test form that bounces you to the login page, and the code for the login page itself.

sure Paul
test.php

<?php 
  session_start();
  if(!isset($_SESSION['user'])){ 
   $this_url = 'http://rbenson.info'.$_SERVER['REQUEST_URI'];
   $_SESSION['this_url'] = $this_url;
   header('Location:login.php');
  }  #if you take out the stuff above this line, it works correctly.
  $title = "Template :: rbenson.info";
  $page_title = "Template";
  include_once($_SERVER['DOCUMENT_ROOT']."/incs/header.php");
  include_once 'incs/geshi/geshi.php';
?>
  <h1>Template</h1>
  <?php
  $source = "<?php
  \$title = \"Template :: rbenson.info\";
  \$page_title = \"Template\";
  \$addCSS = \"...\"; #If I need CSS for that page
  include_once(\$_SERVER['DOCUMENT_ROOT'].\"/incs/header.php\");
?>
  <!---Content Goes Here -->
<?php
  include_once(\$_SERVER['DOCUMENT_ROOT'].\"/incs/footer.php\");
?>";
  $language = 'php';
  $geshi = new GeSHi($source,$language);
  $geshi->set_header_type(GESHI_HEADER_PRE_TABLE);
  $geshi->enable_line_numbers(GESHI_FANCY_LINE_NUMBERS,2);
  $geshi->set_line_style('background: #fcfcfc;', 'background: #f0f0f0;');
  echo $geshi->parse_code();
  include_once($_SERVER['DOCUMENT_ROOT']."/incs/footer.php"); ?>

login.php


<?php
  session_start();
  if(isset($_POST['user'],$_POST['pass'])){
    if($_POST['user'] === 'user' && $_POST['pass'] === 'password'){
      $_SESSION['user'] = $_POST['user'];
      $_SESSION['pass'] = $_POST['pass'];
      header("Location:".$_SESSION['this_url']);
    }
  }
  $title = "Login :: rbenson.info";
  $page_title = "Login";
  include_once("incs/header.php");
  if(!isset($_POST['submit'])){
?>
  <h1>Login</h1>
  <form id="template" method="post" action="/login.php">
       Name <input id="user" type="text" /><br />
       Pass <input id="pass" type="password" /><br />
       <input id="submit" type="submit" />
   </form>
<?php }elseif($_POST['user'] !== 'user' && $_POST['pass'] !== 'password'){
     if(isset($_POST['submit'])){
      echo '<p>Bad Username/password. Please Retry</p>'; }?>
      <form id="template" method="post" action="/login.php">
       Name <input id="user" type="text" value="<?php echo $_POST['user'];?>" /><br />
       Pass <input id="pass" type="password" /><br />
       <input id="submit" type="submit" />
      </form>
<?php } include_once("incs/footer.php"); ?>

For testing’s sake I took out

}elseif($_POST['user'] === 'user' && $_POST['pass'] === 'password'){
     if(isset($_POST['submit'])){
      echo '<p>Bad Username/password. Please Retry</p>'; }?>
      <form id="template" method="post" action="/login.php">
       Name <input id="user" type="text" value="<?php echo $_POST['user'];?>" /><br />
       Pass <input id="pass" type="password" /><br />
       <input id="submit" type="submit" />
      </form>
<?php }?>

I see on the login page that the form fields have no name.

Change id="user" to name="user"
and change id="pass" to name="pass"

after which the page will then submit those form fields.

Thanks Paul, I get mixed up sometimes, because at work have mods to HTML (don’t ask) and unless you use a special include you get a funky error.
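
The flow the thread converges on, as an added example that is not code from any poster: a guard for protected pages that stores the return path and exits after redirecting, and a login handler that the form posts to. The function names, the `$expectedUser` and `$passwordHash` parameters, and the use of `password_verify()` against a stored hash (in place of the thread's hard-coded plaintext comparison) are assumptions.

```php
<?php
// Added example; function and parameter names are hypothetical, not from the thread.

// Allow only a same-site path as the post-login target ("/x", never "//host" or "/\host").
function safe_return_path(?string $path): string
{
    $ok = is_string($path) && preg_match('#^/(?![/\\\\])[^\x00-\x1f]*\z#', $path) === 1;
    return $ok ? $path : '/';
}

// Call first thing on every protected page (test.php, /dir1/, /dir3/form.php).
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        $_SESSION['this_url'] = safe_return_path($_SERVER['REQUEST_URI'] ?? null);
        header('Location: /login.php');
        exit; // header() only queues a header; without exit the page body is still sent
    }
}

// login.php calls session_start(), then this with $_POST.
// Assumption: $passwordHash was produced earlier by password_hash().
function handle_login(array $post, string $expectedUser, string $passwordHash): string
{
    $user = is_string($post['user'] ?? null) ? $post['user'] : '';
    $pass = is_string($post['pass'] ?? null) ? $post['pass'] : '';
    if (hash_equals($expectedUser, $user) && password_verify($pass, $passwordHash)) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['user'] = $user;     // keep the identity only, not the password
        $target = safe_return_path($_SESSION['this_url'] ?? null);
        unset($_SESSION['this_url']);
        header('Location: ' . $target);
        exit;
    }
    return login_form('Bad username/password. Please retry.', $user);
}

// The form posts to login.php itself and its fields carry name= so they are submitted.
function login_form(string $error = '', string $user = ''): string
{
    $e = $error === '' ? '' : '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    $u = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    return $e . '<form id="template" method="post" action="/login.php">'
        . 'Name <input name="user" type="text" value="' . $u . '" /><br />'
        . 'Pass <input name="pass" type="password" /><br />'
        . '<input name="submit" type="submit" /></form>';
}
```

On login.php, echo `login_form()` for a GET request and the return value of `handle_login($_POST, ...)` for a POST; a protected page needs only `require_login();` before any output.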