session_variable

Jack2003

Hi,

I am building a secure part of a website. In my MySQL database I have stored usercode and password. If the check turns out to be ok I would like to set a session variable to be used in the next pages. I my point of view I can prevent other users to acces these pages directly.

Can somebody tell me if this is the way to do it and if yes what is wrong with the code I am using?

<?php
if ($totalRows_Recordset1 == 0) {echo "<script>window.location='errorpage.htm';</script>";}
else {
$user = $HTTP_POST_VARS['usercode'];
session_start();
session_register("user");
echo "<script>window.location='nextpage.php';</script>";}
?>

Thanks in advance,
Jack

tomwerner

seems ok to me although any system is never 100% secure. Sessions (which you have used) are securer and in my opinion easier to get using than cookies anyway. You might want to use the meta refresh(html) or header (php) functions instead of <script> just in case javascript is turned off at the client.

Jack2003

Problem is that I get a message telling me:
'Cannot send session cookie - Headers allready send' ???

tomwerner

that error is appering because something is being output before session_start() on the page. so if have some html then start that code block it will not work. Even something as stupid as a space before <?PHP can stop it working. If this isn't the case then try doing the above with this reworked code:

<?php 
// Start the Session
session_start(); 

// You may need to insert your DB code here to provide the var
// for the IF statement if the script requires it.

// Do the IF satement
if ($totalRows_Recordset1 == 0) {
echo "<head><meta http-equiv=\"refresh\" content=\"2;URL=errorpage.htm\"></head>";
} else { 
$user = $HTTP_POST_VARS['usercode']; 
session_register("user"); 
echo "<head><meta http-equiv=\"refresh\" content=\"2;URL=nextpage.php\"></head>";
print("You are logged in, {$user}");
}

?>

This will start the session whatever but the user variable doesn't get declared unless $totalrows_recordset1 is not 0.

Looking at your code I assume that there is some Database code before it, that is probably why you are getting the error, if the code is outputting anything at all. This is solved by making session_start(); at the very beginning. I have updated the <script> code to use meta refresh which is a bit better. To change the number of seconds before redirect just change the 2 to something else. One last thing, although $HTTP_POST_VARS is still valid it is depreciated, I prefer to use $_POST mainly because it is shorter!

I would also echo out your variables in the script to make sure the right things are happening, in particular the if statement. you can never be to careful because logical (opposed to syntax) errors are not detected by PHP!