Using Sessions

ofSHIZ

Ok.. so here is my situation
I have a login script on my page when a user logs in, it will take him to a page i want only registered users to be abled to access. If you type the adress in the adress bar, and the person didn't login, they can acesss it. How would I make it so they could not acess it unless they logged in here.

djoseph74

Hi,

One simple way to keep people out is something like:

if (!$SESSION["id"] || $SESSION["id"] == "") {
header ("Location: index.php");
}

That's a simple way to keep people out.

One thing you really should do is set register_globals to off in your php.ini file. If you're just using the $id variable, the user could potentially do a page.php?id=1 and get right in.

Also, you could check for a session to be equal to a specified value.

Might wanna do a search on PHP security also, this could open a whole new can of worms. I'm also not the foremost authority on security.

Hope that gets you started... Post more if you have anymore questions.

-Dan Joseph

ScubaDvr2

This is one approach you could take.

session_start();
if ($HTTP_SESSION_VARS[username])
{
     echo "You are logged in! Congratulations!";
}
else
{
    echo "You are not logged in. I'm sorry.";
}

souravsasi

Hi,

while checking login

session_start();
session_register("your_session_variable");

//login code

//if the logged in successfully
$your_session_variable =1;
//else
$your_session_variable=0;

//add this code to all the files where you need to check whether logged in or not.

session_start();
session_register("your_session_variable");

if($your_session_variable <> 1)
{
exit();
header("Location: YOUR_INDEX_PAGE or LOGIN PAGE");
}

hope this helps.

ofSHIZ

On My checkuser page I get this error
(My global thing is on)

Warning: session_start() [function.session-start]: open(/tmp\sess_81ad554ced8de365266635c9e41b1f38, O_RDWR) failed: No such file or directory (2) in c:\program files\apache group\apache\htdocs\checkuser.php on line 2

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at c:\program files\apache group\apache\htdocs\checkuser.php:2) in c:\program files\apache group\apache\htdocs\checkuser.php on line 2

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at c:\program files\apache group\apache\htdocs\checkuser.php:2) in c:\program files\apache group\apache\htdocs\checkuser.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at c:\program files\apache group\apache\htdocs\checkuser.php:2) in c:\program files\apache group\apache\htdocs\checkuser.php on line 19

Warning: Unknown(): open(/tmp\sess_81ad554ced8de365266635c9e41b1f38, O_RDWR) failed: No such file or directory (2) in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

ofSHIZ

My checkuser.php

<?php
session_start(); 
session_register("your_session_variable"); 


//login code 

//if the logged in successfully 
$your_session_variable =1; 
//else 
$your_session_variable=0;
?>
<?php 

if ($username == xxxxx && $password == xxxxx)

{

header("Location: [url]http://12.226.40.198/addthenews.php[/url]");

}

else

{

echo"Wrong Username or Password";
}
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Check User</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords" content="Game, Game Estate, Video Games, Cheats, Codes, Playstation, Playstation2, Xbox, GC, Gamecube, Walkthroughs, Help, Faqs, Forums">
<meta name="description" content="Game Estate is a website containing all of the gaming information that you will need. There are reviews, forums, and much more!">
<LINK REL=STYLESHEET TYPE="text/css" HREF="style.css">
<script src="fade.js" language="Javascript"></script>
</head>
<body bgcolor="#000000" alink="#BBBBBB" link="#BBBBBB" text="#DDDDDD" vlink="#BBBBBB"> 
</body>
</html>

djoseph74

It looks like you don't have a directory called /tmp. This is specified in your php.ini file. You should create a c:\tmp directory on your machine to fix this.

-Dan Joseph

keith73

This is a common issue with running apache and PHP on a windows machine. PHP is defaulted to look for /tmp as the temp directory which is where sessions are stored. That dir already exists on most linux machines.

On another note, I used to use session_register and global variables, until a few folks on this very forum alerted me to the dangers of using those.

please read these pages in the PHP manual.
http://www.php.net/manual/en/language.variables.predefined.php
http://www.php.net/manual/en/reserved.variables.php#reserved.variables.session

If you are using PHP 4+ you should be using $_SESSION['var'] = "value";
instead of session_register(var);

$_SESSION is the replacement for $HTTP_SESSION_VARS

I recommend you read about register_globals and sessions in the manual.

keith

ofSHIZ

my php version is 4.3.1
when i make the tmp directory.. it just comes up with a blank page after checkuser.php send it to addthenews.php
should I turn global variables off? I did that once.. and then I couldn't login to my site..

refer above to see my validate user script..

keith73

Originally posted by ofSHIZ
my php version is 4.3.1
when i make the tmp directory.. it just comes up with a blank page after checkuser.php send it to addthenews.php
should I turn global variables off? I did that once.. and then I couldn't login to my site..

refer above to see my validate user script..

on my local windows machine, I have apache in C:\apache
and tmp is in C:\apache\tmp

my php.ini file has
session.save_path = /tmp

this works.
you can try 1 of 2 things:

1) create /tmp in c:\program files\apache group\apache

2) create c:\tmp and then change your php.ini file
session.save_path = c:/tmp

turn register_globals off and use
the superglobal arrays
http://www.php.net/manual/en/language.variables.predefined.php

or you can call import_request_variables at the top of your script.

http://www.php.net/manual/en/function.import-request-variables.php

keith

ofSHIZ

Ok, so I got the temp problem solved.. now when I check the session it made in temp, I logged in with the correct username and password, it gave me a 0.. I want it to have 1..
my global variables is on.. should I turn it off? If I turn it off, it makes my single user authenication system all messed up. Can someone just give me this code? The one thing that I'm stumped on..

keith73

The problem in your code was you have no if statement when setting your_session_variable so after setting your_session_variable to 1, you turn around and set it to 0. plus, I'm not sure if session_register works if you call it before assigning the variable.

With register globals turned off, try this code:

checkuser.php

<?php
session_start();
/*
import_request_variables will import the variables in $_POST,$_GET or $_COOKIE
into the global namespace. read more about it at:
[url]http://www.php.net/import_request_variables[/url]
*/
//if register_globals is turned off, uncomment the next line
//import_request_variables("gp");
session_register("your_session_variable");

OR -

<?php
session_start();
//login code 

//retrieve username and password from database or file
if($_POST['password'] == $dbpassword){
  $_SESSION['your_session_variable'] = 1; 
} else { 
  $_SESSION['your_session_variable'] = 0; 
}

if ($username == xxxxx && $password == xxxxx){
	header("Location: [url]http://12.226.40.198/addthenews.php[/url]");
} else {
	echo"Wrong Username or Password";
}//end if
?>

keith