After Login, Continue Session Errors

Oni

Heyas,

I'm kinda new to this session concept btw--
after I login the script forwards me to the members' area

So, I have

validation.php:

<?php
/* get the incoming ID and password hash */
$user = $_POST["userid"];
$pass = sha1($_POST["password"]);

/* establish a connection with the database */
$server = mysql_connect("localhost", "sirius",
          "--");
if (!$server) die(mysql_error());
mysql_select_db(" sirius_ictpassword");

/* SQL statement to query the database */
$query = "SELECT * FROM users WHERE User = '$user'
         AND Password = '$pass'";

/* query the database */
$result = mysql_query($query);

/* Allow access if a matching record was found, else deny access. */
if (mysql_fetch_row($result))
  echo "Access Granted: Welcome, $user!";
else
  echo "<font color = /"red/"><h1>Access Denied: Invalid Credentials.</h1>";

mysql_close($server);  

?>

And the code that it forwards to if login successful:


<?php
session_start();
header("Cache-control: private");
if ($_SESSION["access"] == "granted")
  header("Location: ./secure/index.php");
else
  header("Location: ./index.html");
?> 
<HTML>
<HEAD>
<TITLE>Alper's Bookstore - <?php $_SESSION["userid"] ?>Logged In</TITLE>
<style type="text/css">


.....

But when I put in the correct login information I get:

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/sirius/public_html/ict/secure/index.php:2) in /home/sirius/public_html/ict/secure/index.php on line 3

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/sirius/public_html/ict/secure/index.php:2) in /home/sirius/public_html/ict/secure/index.php on line 3

Warning: Cannot modify header information - headers already sent by (output started at /home/sirius/public_html/ict/secure/index.php:2) in /home/sirius/public_html/ict/secure/index.php on line 4

Warning: Cannot modify header information - headers already sent by (output started at /home/sirius/public_html/ict/secure/index.php:2) in /home/sirius/public_html/ict/secure/index.php on line 8

If you want to see the dir's you can login 😉

http://www.sirius-surf.be/ict/

(Yea, it's my ICT project--)

thorpe

for starters, you'll want to set the session variable on the validation.php page, straight after youve checked there credentials. second, session_start() must be called before any output is sent to the browser. this meens any html, whitespace, or any echo calls. same applies to the header() function. no output can go before it is called.

Weedpacket

Second, you never appear to set $SESSION['access'] in the first page. Also, in the second page, all that HTML is redundant, since the user is immediately redirected to a third page whether they're logged in or not. If that's the secure page then the redirection would be better as:

if ($_SESSION["access"] != "granted")
{
header("Location: ./index.html");
exit;
}

[man]exit[/man] because all the stuff following the header is still evaluated, and you don't want to be sending "secured" content to people who aren't logged in!