Sessions and Access Control

werkkrew

Okay...

Im using sessions to control access to pages in my administration area...

Heres how im trying to do it...

I have a variable called
$access_level

I define it a number based on the level of acess that gets compared to the users level in the database.

On each page I have an include that I start like this

$access_level = 5;
include = 'accessctrl.php';

The session gets registered and the values get stored when the user sucessfully logs in.

here is the code inside the include...

<html>
<head>
<title>WerkkreW Administration Area</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="content.css" rel="stylesheet" type="text/css">
</head>

<body bgcolor="#333333">
<?

session_start();
$user_level = $_SESSION['user_level'];

if ($access_level != $user_level AND $user_level != 5 AND $access_level != 9 OR !isset($user_level)){
     echo "<strong><center><font color=\"red\">You do not have permission to view this page!</font></strong></center>";
     exit();
}

?>
</font>
</center>
</body>
</html>

I call this at the top of every page I want to protect in any way.

The session is registered like this when the user logs in:

<?php
//Check user login script
//MySQL Connection Informaion
include 'db.php';

/*Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];
*/

if((!$username) || (!$password)){
        echo "Please enter ALL of the information! <br />";
    include 'login_form.html';
    exit();
}

//convert password to md5 encryption
$password = md5($password);

//Check user info in database
$sql = mysql_query("SELECT * FROM members WHERE username='$username' AND
                                        password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
    while($row = mysql_fetch_array($sql)){
           foreach($row AS $key=>$val){
                    $key = stripslashes($val);
           }

//Register session variables
session_register('first_name');
$_SESSION['first_name'] = $row['first_name'];
session_register('last_name');
$_SESSION['last_name'] = $row['last_name'];
session_register('email_address');
$_SESSION['email_address'] = $row['email_address'];
session_register('special_user');
$_SESSION['user_level'] = $row['user_level'];
session_register('tag');
$_SESSION['tag'] = $row['tag'];
session_register('username');
$_SESSION['username'] = $row['username'];
session_register('info');
$_SESSION['info'] = $row['info'];

mysql_query("UPDATE members SET last_login=now() WHERE username='$username'");

header("Location: login_success.php");
}
} else {
        echo "You could not be logged in! Either the username and password do not
              match or you have not activated your membership!<br />
          Please try again!<br />";
          include 'login_form.html';
}

?>

Every page in my admin area is protected, and if I want all LOGGED IN users to be able to access it, I define $access_level = 9

Now, in certain page calls I continuously get the error:

Warning: Cannot send session cache limiter - headers already sent (output started at /home/msatur/public_html/php/accessctrl.php:9) in /home/msatur/public_html/php/accessctrl.php on line 11

I have checked and double checked for the instance of session_start(); occuring twice in one script and i have gotten rid of it but the error still pops up, in the same scripts all the time, but I cant figure out why.

I also get that error if I try to access a page I dont have access to when im NOT logged in, and understand why this is...I think its because its trying to start a session that hasnt been defined, but when I am logged in (not long enough for the session to expire mind you) I still get the error...Im thinking I can prevent at least this part of it by adding a statement that wont try to start the session if the session doesnt exist, but I dont know how to do this.

Any ideas?

By the way, sorry for the long ass post, but I figured youd need all the info in order to help

altexis

The solution to your first question is to put session_start() at the top of the html code. Even higher then the <html> tag

<?php session_start(); ?>
<html>
<head>
<title>WerkkreW Administration Area</title>

for the rest I would recommend to use session variables for your access level information.
Use session_register("access_level") in your login page to register the var and session_is_registered() function for the rest of your pages to check if the user has logged in properly

The only problem is what happens if the user doesn't use cookies. I think if he doesn't he wont be able to register in sessions. So you'll have to make a comment that your page requires cookies.
(I am not 100% sure about this though)

werkkrew

I dont think I need to, or should register the session var 'access_level' because it needs to change again and again for each page...

Im not an expert on sessions so I dont know if I just dont know exactly how to accomplish what I need to do or what...If I should, or if it would be better for me to define 'access_level' as session variable please describe to me better as far as to how I should accomplish what I want to do

When I add the following to my accessctrl.php include
I cant access anything. I have cookies enabled but not I cant log in.

<?php

if (session_is_registered('first_name')){
    session_start();
}elseif (!session_is_registered('first_name')){
    echo "<br><br><strong><center><font color=\"red\">Either You Do Not have Cookies enabled in your browser, or you are not logged in.<br><br>";
    echo "<strong><center><font color=\"red\">You do not have permission to view this page!</font></strong></center>";
    exit();
}
?>
<html>
<head>
<title>WerkkreW Administration Area</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="content.css" rel="stylesheet" type="text/css">
</head>

<body bgcolor="#333333">
<?

$user_level = $_SESSION['user_level'];

if ($access_level != $user_level AND $user_level != 5 AND $access_level != 9 OR !isset($user_level)){
     echo "<strong><center><font color=\"red\">You do not have permission to view this page!</font></strong></center>";
     exit();
}

?>
</font>
</center>
</body>
</html>

Also, as far as having cookies enabled goes, that isnt a concern, there will be a few select users that have access to administer my site and if they have this problem, I can help them correct it myself when that happens...

Thanks again

altexis

before you use any session related function you should have started the session by the session_start() function

your script doesn't work because session_start() has to be called before the session_is_registered() function. Change your code to this:

<?php
session_start();

if (!session_is_registered('first_name')){
    echo "<br><br><strong><center><font color=\"red\">Either You Do Not have Cookies enabled in your browser, or you are not logged in.<br><br>";
    echo "<strong><center><font color=\"red\">You do not have permission to view this page!</font></strong></center>";
    exit();
}
?>

Now this is how I understand sessions...
Sessions are another name for global variables. When the user gets into your web page he may press the Ctrl+N button to open a second browser and continue using your web page with 2 or 3 or 4 pages all running at the same time. So how can you organize variables that belong to a single page? Each page variable is instantiated for every different page.

Sessions are more global than pages. One session variable is unique nomatter how many pages the user is concurrently viewing. This is how you should view sessions... as an ultra global set of variables.

realtek

You shouldn't need to set the variables on each page.

Once you have used session_register("access_level"); you're variable is now set to whatever $access_level was set to when it was registered.

As long as you are using session_start(); on each page then $access_level will be declared.

werkkrew

that is exactly why I dont want access_level as a session var, its easier because I have to declare it a different value on each page, so I just declare that before the include on every page.

Back to my original question

Why do I get this error on certain pages when trying to start the session:

Warning: Cannot send session cache limiter - headers already sent (output started at /home/msatur/public_html/php/logout.php:9) in /home/msatur/public_html/php/accessctrl.php on line 3

The rest of the shit im good on, my access control functions as desired and im working with session variables just fine.

This error comes up all the time.

realtek

It seems that you have already displayed an HTML page and you are trying to do it again.

Could you please paste line logout.php line 9 and line 3 of accessctrl.php and then maybe I could help further?

Thanks

werkkrew

I will post accessctrl.php, header.php, and logout.php

accessctrl.php (controls access)

<?php

session_start();
if (!session_is_registered('first_name')){
    echo "<br><br><strong><center><font color=\"red\">Either You Do Not have Cookies enabled in your browser, or you are not logged in.<br><br>";
    echo "<strong><center><font color=\"red\">You do not have permission to view this page!</font></strong></center>";
    exit();
}
?>
<html>
<head>
<title>WerkkreW Administration Area</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="content.css" rel="stylesheet" type="text/css">
</head>

<body bgcolor="#333333">
<?

$user_level = $_SESSION['user_level'];

if ($access_level != $user_level AND $user_level != 5 AND $access_level != 9 OR !isset($user_level)){
     echo "<strong><center><font color=\"red\">You do not have permission to view this page!</font></strong></center>";
     exit();
}

?>
</font>
</center>
</body>
</html>

header.php (gets loaded at the top of every page)

<html>
<head>
<title>WerkkreW Administration Area</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="content.css" rel="stylesheet" type="text/css">
</head>

<body bgcolor="#333333">
<div align="center">
  <p><img src="images/footer.gif" width="530" height="72"> </p>
  <p><font color="#FF9900">WerkkreW.com Administration Panel</font></p>
  <p>&nbsp;</p>
</div>
<font color=\"FFFFFF\">
<center>
<?php

if ($user_level == 0){
     //Show links for Bands
     print ":: <a href=\"band_cp.php\" class=\"blue\">Your Page</a> :: ";
     print "<a href=\"shows_cp.php\" class=\"blue\">Show Dates</a> :: ";
     print "<a href=\"img_up_cp.php\" class=\"blue\">Image Upload</a> :: ";
     print "<a href=\"mp3_up_cp.php\" class=\"blue\">Track Uploader</a> :: ";
     print "<a href=\"img_gallery_cp.php\" class=\"blue\">Image Gallery</a> :: ";
     print "<a href=\"link_cp.php\" class=\"blue\">Link Adder</a> :: ";
     print "<a href=\"change_pw.php\" class=\"blue\">Change Password</a> ::";
}
if ($user_level == 1){
     //Show links for writer
     print ":: <a href=\"writer_cp.php\" class=\"blue\">Your Page</a> :: ";
     print "<a href=\"write_cp.php\" class=\"blue\">Your Writing</a> :: ";
     print "<a href=\"img_up_cp.php\" class=\"blue\">Image Upload</a> :: ";
     print "<a href=\"change_pw.php\" class=\"blue\">Change Password</a> ::";
}
if ($user_level == 2){
     //Show links for Artist
     print ":: <a href=\"artist_cp.php\" class=\"blue\">Your Page</a> :: ";
     print "<a href=\"img_up_cp.php\" class=\"blue\">Image Upload</a> :: ";
     print "<a href=\"img_gallery_cp.php\" class=\"blue\">Image Gallery</a> :: ";
     print "<a href=\"link_cp.php\" class=\"blue\">Link Adder</a> :: ";
     print "<a href=\"change_pw.php\" class=\"blue\">Change Password</a> ::";
}
if ($user_level == 3){
     //Show links for News Poster
     print ":: <a href=\"news_cp.php\" class=\"blue\">Post News</a> :: ";
     print "<a href=\"link_cp.php\" class=\"blue\">Link Adder</a> :: ";
     print "<a href=\"change_pw.php\" class=\"blue\">Change Password</a> ::";
}
if ($user_level == 4){
     //Show links for Power User
     print ":: <a href=\"band_cp.php\" class=\"blue\">Band Pages</a> :: ";
     print "<a href=\"writer_cp.php\" class=\"blue\">Writer Pages</a> :: ";
     print "<a href=\"artist_cp.php\" class=\"blue\">Artist Pages</a> :: ";
     print "<a href=\"news_cp.php\" class=\"blue\">Post News</a> :: ";
     print "<a href=\"shows_cp.php\" class=\"blue\">Show Dates</a> :: ";
     print "<a href=\"img_up_cp.php\" class=\"blue\">Image Upload</a> ::<br>";
     print ":: <a href=\"mp3_up_cp.php\" class=\"blue\">Track Uploader</a> :: ";
     print "<a href=\"img_gallery_cp.php\" class=\"blue\">Image Gallery</a> :: ";
     print "<a href=\"link_cp.php\" class=\"blue\">Link Adder</a> :: ";
     print "<a href=\"change_pw.php\" class=\"blue\">Change Password</a> ::";
     print "<a href=\"user_cp.php\" class=\"blue\">User Manager</a> ::";
}
if ($user_level == 5){
     //Show all links
     print ":: <a href=\"band_cp.php\" class=\"blue\">Band Pages</a> :: ";
     print "<a href=\"writer_cp.php\" class=\"blue\">Writer Pages</a> :: ";
     print "<a href=\"artist_cp.php\" class=\"blue\">Artist Pages</a> :: ";
     print "<a href=\"news_cp.php\" class=\"blue\">Post News</a> :: ";
     print "<a href=\"shows_cp.php\" class=\"blue\">Show Dates</a> :: ";
     print "<a href=\"img_up_cp.php\" class=\"blue\">Image Upload</a> ::<br>";
     print ":: <a href=\"mp3_up_cp.php\" class=\"blue\">Track Uploader</a> :: ";
     print "<a href=\"img_gallery_cp.php\" class=\"blue\">Image Gallery</a> :: ";
     print "<a href=\"link_cp.php\" class=\"blue\">Link Adder</a> :: ";
     print "<a href=\"change_pw.php\" class=\"blue\">Change Password</a> ::";
     print "<a href=\"user_cp.php\" class=\"blue\">User Manager</a> ::";
}
print " <a href=\"logout.php\" class=\"blue\">Logout</a> ::"

?>
</center>
</font>
</body>
</html>

logout.php

<html>
<head>
<title>WerkkreW Administration Area</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="content.css" rel="stylesheet" type="text/css">
</head>

<body bgcolor="#333333">
<?php
$access_level = 9;
include 'accessctrl.php';

if(!isset($_REQUEST['logmeout'])){
        echo "<center>Are you sure you want to logout?</center><br />";
    echo "<center><a href=logout.php?logmeout class=\"blue\">Yes</a> | <a href=
              javascript:history.back() class=\"blue\">No<a>";
} else {
    session_destroy();
    if(!session_is_registered('first_name')){
            echo "<center><font color=red><strong>You are now logged out!</strong>
                  </font></center><br />";
        echo "<center><strong>Login:</strong></center><br />";
        include 'login_form.php';
    }
}

?>
</font>
</center>
</body>
</html>

I think I just noticed what it might be...could be trying call several different sets of <head> and or <body> tags in the same page?

altexis

I insist that the error that troubles you is because you don't use session_start() at the beginning of your pages

go to logout.php
and add a <?php session_start(); ?>
at the top of the page (before <html>)

werkkrew

the accessctrl include has session start in it already, if I change it I have to change all of my pages

Think I can just put the include before everything else and that might work?

werkkrew

well, putting the accessctrl.php (which includes session_start in the very beginning of it as the first thing called in the script fixed my problem

Thanks a lot guys