Authentication

Anon

Here's what I'm trying to do:

<?php
session_start();
$loggedin = false;
if($username == "xxxx" && $userpwd == "xxxx"){
$loggedin=true;
session_register("loggedin");
}

if($loggedin){
header("Location: index.php?".SID);
} else {
header("Location: login.html");
}
?>

index.php:
(very first lines of the file)
<?php
session_start();
if(!$loggedin){
header("Location: login.html");
}
?>
(further down we have this)
<a href="logout.php?<?php echo SID; ?>">Logout</a>

logout.php:
<?php
session_start();
session_destroy();
header("Location: login.html");
?>

track_vars is on
register_globals is on

The first time through, everything works as expected. Login page runs login script and I get a session id that I can pass around. When I click the logout link, I am logged out (I think) and redirected to the login page. If I try to log in again, I get no session id (just question marks after the url's) and I can go back to index.php without any redirect occurring. Also, if I don't log back in, I can still get to index.php.

I'm trying to accomplish a redirect if the user isn't logged in yet to avoid skipping it altogether - and it works well if I haven't logged in yet. After I log out, or try to go to the index page without the session id while still logged in, this mechanism doesn't work.

Is there something I'm missing/is there a better way to do this?

Thanks for any help.

Anon

I'm calling session_destroy before registering any variables. No problems that I know about.

Feel free to grab the source code from stonemountain.yi.org; it's GPLed.

Anon

Thanks for the link. I got the code and took a look at it. With the exception of not explicitly passing the SID around, it's what I'm trying to do.

I changed the code as follows:

<?php
session_start();
session_destroy(); // New
$loggedin = false;
if($username == "xxxx" && $userpwd == "xxxx"){
$loggedin=true;
session_register("loggedin");
header("Location: index.php?".SID);
} else {
header("Location: login.html");
}
?>

index.php:
(very first lines of the file)
<?php
session_start();
if(!isset($loggedin)){ // Changed echo "<head></head><body>";
echo "SID=".SID."<br>";
echo "loggedin=$loggedin";
echo "</body>";
//header("Location: login.html");
} else {
?>

page html here with echos of SID and loggedin
like above

<?php
}
?>

logout.php:
<?php
session_start();
session_destroy();
header("Location: login.html");
?>

Here are the steps I followed.
1. Open browser.
2. Navigate to login.html
3. Enter info that passes the checks and click the button.
4. login.php runs and index.php starts with output of:

SID=PHPSESSID=5b450dcf62c2a5438681358b2e964a79
loggedin=

(from index.php's !isset() part)

Click back button.
Re-enter same information and click the button.
Output of index.php's page html (else part) and SID is empty and loggedin = 1.

This is kind of confusing. I have a working example in ASP that works as expected. (Validate login, set session variable, every page checks the variable) I have emulated it as close as can be. Could my problems lie in my settings somewhere?

Anon

You may need to register the variable $loggedin BEFORE assigning it a value.