problem with login script

fristi

Hi,

I was wondering if someone could help me with the following.
I'm trying to make an admin page for my site but I'm new at this and still learning. After some searching I found this tutorial on the net, using sessions:

http://www.phptutorial.info/learn/session.html

it contains this script:


<?php if ($HTTP_POST_VARS["username"]=="") { ?> 
<html>
<title>Our private pages</title>
<body>
In order to access this pages fill the form below:<BR>
<form method="post" action="index.php">
Username: <input type="text" name="username" size="20"><BR>
Password: <input type="password" name="password" size="15"><BR> 
<input type="Submit" value="Submit">
</form>
</body>
</html>

<?php }else{ 
$username=$HTTP_POST_VARS["username"];
$password=$HTTP_POST_VARS["password"];

session_start();
if ($username=="Joe" AND $password=="hi"){ $permission="yes";}
if ($username=="Peter" AND $password=="hello"){ $permission="yes";}

$username=$HTTP_POST_VARS["username"];
session_register("permission");   

session_register("username");  

if ($permission=="yes"){
?> 
<html>
<title>Our private pages</title>
<body>

Hi, you are allow to see these pages: <BR>
<A HREF="page1.php">Page 1</A><BR>
<A HREF="page2.php">Page 2</A>

</body>
</html>

<?php }else{ ?>

Error in username or password

<?php } ?>
<?php } ?>

This part works fine but when I try to acces page1.php it always sais that I'm not allowed, meaning it doesn't recognizes the variables of the session.

script for page1:


<?php 
session_start();
if ($permission=="yes") { 
?> 
<html>
<title>Page 1</title>
<body>

Hi, welcome to Page 1 <BR> 
This page is empty at the moment, but it will be very interesting in the next future

</body>
</html>

<?php }else{ ?> 
You are not allowed to access this page

<?php } ?>

It there a mistake in the script or is ith something with the apache version and settings I'm running?

thank you for any help.

tsinka

Hi,

maybe register_globals is set to off. In this case you have to use the super global $SESSION to access session variables. Try to use $SESSION['permission'] instead of $permission in the second script.

Thomas

fristi

Originally posted by tsinka
Hi,

maybe register_globals is set to off. In this case you have to use the super global $SESSION to access session variables. Try to use $SESSION['permission'] instead of $permission in the second script.

Thomas

Thank you for your fast reply.

I tried your suggestion and replaced $permission with $_SESSION['permission'] but it didn't have any effect.

Any other suggestions?

tsinka

Too bad,

a first point to start with is to check the session settings. Please create a little script that just contains

<?PHP
phpinfo();
?>

and post the session part of the output.

Thomas

fristi

Originally posted by tsinka
Too bad,

a first point to start with is to check the session settings. Please create a little script that just contains
<?PHP
phpinfo();
?>
and post the session part of the output.

Thomas [/B]

Once mote thanks for your reply. This is what I'm getting:


session
Session Support  enabled  

Registered save handlers  files user  

Directive Local Value Master Value 
session.auto_start Off Off 
session.bug_compat_42 Off Off 
session.bug_compat_warn On On 
session.cache_expire 180 180 
session.cache_limiter nocache nocache 
session.cookie_domain no value no value 
session.cookie_lifetime 0 0 
session.cookie_path / / 
session.cookie_secure Off Off 
session.entropy_file no value no value 
session.entropy_length 0 0 
session.gc_divisor 1000 1000 
session.gc_maxlifetime 1440 1440 
session.gc_probability 1 1 
session.name PHPSESSID PHPSESSID 
session.referer_check no value no value 
session.save_handler files files 
session.save_path /tmp /tmp 
session.serialize_handler php php 
session.use_cookies On On 
session.use_only_cookies Off Off 
session.use_trans_sid Off Off

I hope this is what you ment.

tsinka

Hi,

PHP is configured to use cookies to store the session id. Check your browser settings if cookies are enabled.

Additionally, add the following line to the second PHP script:

print_r($_SESSION);

This will print out the session data (if any exists).

Thomas

fristi

Originally posted by tsinka
Hi,

PHP is configured to use cookies to store the session id. Check your browser settings if cookies are enabled.

Additionally, add the following line to the second PHP script:
print_r($_SESSION);
This will print out the session data (if any exists).

Thomas [/B]

My browser was set to accept some coocies. I then changed it to accepting all cookies.

I added the extra line and it printed an empty array. So basicly there aren't any session variables that are beeing passed through then?

I have changed me cookie settings back to its original setting.

Thanks for putting up with me.

tsinka

I changed the settings of my apache installation to match your session settings and tried the two scripts. They worked like expected. Maybe another problem.

Try to put

ini_set("error_reporting",E_ALL);

at the very beginning of both PHP scripts just to check for possible problems.

Thomas

tsinka

by the way ... which PHP and os versions do you use ?

fristi

I didn't get an error after I added the line you suggest.

I'm using windows 2000Pro and my PHP is Version 4.3.3

Some other info from the phpinfo():

System Windows NT COMPAQ2000 5.0 build 2195

Server API Apache 2.0 Handler

Virtual Directory Support enabled

PHP API 20020918

PHP Extension 20020429

Zend Extension 20021010

Debug Build no

Thread Safety enabled

Registered PHP Streams php, http, ftp, compress.zlib

And I was just thinking, I'm behind a router, could that affect anything? The apache and everything is installed on this PC ofcourse.

tsinka

Ok,

maybe a problem with the session save path.
Make sure to set the session.save_path variable in php.ini to an existing directory, like c:/temp.

But I wonder if that is the problem because you should get an error message if this parameter is set to an invalid directory.

Thomas

fristi

Originally posted by tsinka
Ok,

maybe a problem with the session save path.
Make sure to set the session.save_path variable in php.ini to an existing directory, like c:/temp.

But I wonder if that is the problem because you should get an error message if this parameter is set to an invalid directory.

Thomas

Doesn't have any effect either.

Have these sessions anything to do with the headers? because I know that the headers are stripped on my PC because of the firewall in the router.

Just guessing here.

tsinka

That could be the problem because cookies are set by sending a header.

Thomas

fristi

Originally posted by tsinka
That could be the problem because cookies are set by sending a header.

Thomas

When I'm able to I'll try to disconnect my router then.

Thanks for all of your help 🙂

fristi

I was thinking. If that would be the problem. How would I solve it? because every time if I would like to acces the admin section, I would have to disconnect my router and stuff. It's not very convienent. Maybe there are other ways to make an admin area?

thanks

tsinka

Hi,

alter the configuration of PHP. Set use_cookies to off and either enable the use of trans sid or add <?=SID?> to your links like

<a href="page.php?<?=SID?>">click</a>

or use session_name() and session_id() to add the session info to the links.

Thomas

fristi

I have set the use of cookies to off and added <?=SID?> to my links. I still can't acces the page but the array on the second page gives this:

Array ( [permission] => [username] => )

What does it mean?

tsinka

Hi,

the variables are registered with the session but they are empty.

Try to change the session_register lines to e.g.

$_SESSION['username'] = $_POST['username'];

You can access the value on the other script with e.g.

$user = $_SESSION['username'];

There are some other points (a matter of security) like using different names for the input fields and the variable names stored in the session, like

and

$inpUser = $POST['user'];
...
$SESSION['username'] = $inpUser;

Post the code (if it differs from the code above) and I'll modify it a bit.

Thomas

fristi

This is what I have, it is working for the moment, but when I changed some things like you said for security it didn't work anymore so I changed everything back. I'm also thiking about using MD5() but I still need to figure that out. When I tried to pass the $permission in the session it wouldn't work either, that's why I'm passing the username and password and comparing again.

index.php


<?php

ini_set("error_reporting",E_ALL);
if ($HTTP_POST_VARS["username"]=="") { ?>
<html>
<title>Our private pages</title>
<body>
In order to access this pages fill the form below:<BR>
<form method="post" action="index.php">
Username: <input type="text" name="username" size="20"><BR>
Password: <input type="password" name="password" size="15"><BR>
<input type="Submit" value="Submit">
</form>
</body>
</html>

<?php }else{
$username=$HTTP_POST_VARS["username"];
$password=$HTTP_POST_VARS["password"];

session_start();
$_SESSION['password'] = $_POST['password'];
$_SESSION['username'] = $_POST['username'];


if ($username=="Joe" AND $password=="hi"){ $permission="yes";}
if ($username=="Peter" AND $password=="hello"){ $permission="yes";}







if ($permission=="yes"){
?>
<html>
<title>Our private pages</title>
<body>

Hi, you are allow to see these pages: <BR>
<A HREF="page1.php?<?=SID?>">Page 1</A><BR>
<A HREF="page2.php?<?=SID?>">Page 2</A>

</body>
</html>

<?php }else{ ?>

Error in username or password

<?php } ?>
<?php } ?>

page1.php

<?php
ini_set("error_reporting",E_ALL);
session_start();

$username= $_SESSION['username'];
$password= $_SESSION['password'];


if ($username=="Joe" AND $password=="hi"){ $permission="yes";}
if ($username=="Peter" AND $password=="hello"){ $permission="yes";}

if ($permission=="yes") {
?>
<html>
<title>Page 1</title>
<body>

Hi, welcome to Page 1 <BR>
This page is empty at the moment, but it will be very interesting in the next future

</body>
</html>

<?php }else{ ?>
You are not allowed to access this page
<?php } ?>

tsinka

index.php:

<?PHP
session_start(); 

if (!isset($_POST['submitform'])) { 
  session_unset();
?> 
<html> 
<title>Our private pages</title> 
<body> 
In order to access this pages fill the form below:<BR> 
<form method="post" action="index.php">
<input type="hidden" name="<?=session_name()?>" value="<?=session_id()?>">
Username: <input type="text" name="user" size="20"><BR> 
Password: <input type="password" name="pass" size="15"><BR> 
<input type="Submit" name="submitform" value="Submit"> 
</form> 
</body> 
</html> 
<?PHP
}else{ 
  $perm       = false;
  $inpUser    = isset($_POST['user']) ? $_POST['user'] : ''; 
  $inpPass    = isset($_POST['pass']) ? $_POST['pass'] : ''; 

  if (($inpUser == 'Joe' && $inpPass == 'hi') ||
      ($inpUser == 'Peter' && $inpPass == 'hello')) {
    $perm = true;
    $_SESSION['username']   = $inpUser;
    $_SESSION['permission'] = true;
  } else {
    $_SESSION['permission'] = false;
  }

  if ($perm == true) { 
?> 
<html> 
<title>Our private pages</title> 
<body> 

Hi, you are allow to see these pages: <BR> 
<A HREF="page1.php?<?=SID?>">Page 1</A><BR> 
<A HREF="page2.php?<?=SID?>">Page 2</A> 

</body> 
</html> 
<?PHP
  } else { 
?> 
Error in username or password 
<?PHP
  } 
}
?>

page1.php:

<?PHP 
session_start(); 
if (isset($_SESSION['permission']) && $_SESSION['permission'] == true) {
 $strUsername = isset($_SESSION['username']) ? $_SESSION['username'] : '';
?> 
<html> 
<title>Page 1</title> 
<body> 

Hi <?=$strUsername?>,
welcome to Page 1 <BR> 
This page is empty at the moment, but it will be very interesting in the next future 

</body> 
</html> 
<?PHP
} else {
?> 
You are not allowed to access this page 
<?PHP
}
?>

I have difficulties accessing my web server, so I couldn't test it now. I hope there is no error in the scripts.

Thomas