session problem - lost and confused newbie

phpdeano

I have the following script to create a session to authenticate users.

<?php
session_start();
$password = md5($password1);
// check correct values are passed
echo $password,"<br>",$username,"<br>",$custref,"<br>";

// Connecting, selecting database
$link = mysql_connect("localhost", "root")
or die("Could not connect");

mysql_select_db("testdb")
or die("Could not select database");

$sql = "Select * from access where custref='$custref' and username='$username' and password = '$password'";
// run SQL against the DB
$result = mysql_query($sql)
or die("access for this page has failed");
$myrow = mysql_fetch_array($result);
$admin = $myrow['admin'];
$user = $myrow['username'];
$pass = $myrow['password'];
$cref = $myrow['custref'];

echo $admin;

if ($POST['username']=$user && $POST['password']=$pass && $POST['custref']=$cref) {
$SESSION['auth_user']= $user;
$SESSION['auth_ref']= $cref;
$SESSION['auth_pass']= $pass;
$_SESSION['auth_admin']= $admin;

}
else
{
?>

<form method="post" action="login.php">
<b>Log into your account:</b><p>
<table width=100%>
<tr>
<td width=30%>Customer Reference:</td><td><input type="Text" name="custref" maxlength=20 value=""></td>
</tr>
<tr>
<td>Username:</td><td><input type="Text" name="username" maxlength=20 value=""></td>
</tr>
<tr>
<td>Password:</td><td><input type="password" maxlength=10 name="password1" value=""><td>
</tr>
</table>
<p>
<input type="Submit" name="submit" value="Enter">
</form>

<?php
}
?>

</form>

It doesn't work and I can not work out why.

The form at the bottom is just to pass the session details to the next page where I am trying to echo the relevant variables to see it works.

Also, once it does work, what should I put at the top of my pages to determine if the user is looged in or not?

I have read as many tutorials as I can find on the web, but I am just getting more confused!

Please point me in the right direction.

TTT

first check out php.ini, if there is row
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

you don't have to use
<form method="post" action="welcome.php?<?=SID?>">
=> <form method="post" action="welcome.php">

problem might be that you dont start session in welcom.php

to determine access:

if (!isset($HTTP_SESSION_VARS['CLuserid'])) {
	print "<SCRIPT LANGUAGE='JavaScript' TYPE='text/javascript'>
           window.location.href ='login.php';
		   </SCRIPT>";
	exit; 
	}
[code=php]

phpdeano

Thank you very much for your help, however please could you explain what this bit means:

if (!isset($HTTP_SESSION_VARS['CLuserid'])) {

I am confused by this line and I know I am just being dumb, but would like to understand it.

TTT

This is method how you validate that user is logged.
well expression is not quite correct... it should be:

if(!isset($HTTP_SESSION_VARS) || (isset($HTTP_SESSION_VARS) && !array_key_exists("CLuserid",$HTTP_SESSION_VARS)))

CLuserid = client user id,
in your code $user === CLuserid ... i think

phpdeano

Thank you for explaining.

I now have this working and have one more question before I mark the thread as resolved.

I have searched but can not find the answer

The question is how to I protect a page that is an "include"?

If I put session_start() in I get errors becuse it already appears at the top of the page once it is called and included.

To explain further. If my page is made up of:

include "head.php";
include "body.php";
include "footer.php";

how do I protect body.php from being opened on its own?

Am I just being stupid or is this a valid question????