sessions and member page access

caseygee

Hi,

I'm creating a member area on a website using php and mysql, i've pretty much got it fiqured out besides one detail. What script do i need to put on the actual member page to make sure the user is logged in (so as it can't be accessed by typing the address in), and doing this with sessions. The script from the login page if everything else is successful is:

$username = $_POST['user'];
$password = $_POST['pass'];
$query = "SELECT * FROM login where user = '$username' or pass = password('$password')";
$execute = mysql_query($query);
$countrow = mysql_num_rows($execute);
if ($countrow == 1){
//
$_SESSION['user'] = $username;
$sid = session_id();
//
// Redirect 
$url = "members.php?sid=$sid";
//
echo "<meta http-equiv=\"refresh\" content=\"5;URL=$url\">";
echo "You will be redirected to the members section in 5 sections";

And the script that i've got so far on the members page is:

<?php
session_start();
if(!empty($_SESSION['user'])){
$username = $_SESSION['user'];
echo "You are logged in, welcome $username";
};
?>

But even if i log in with the correct username and password nothing displays still. I'm just stuck on this last bit of code so if anyone could help me out it'd be greatly appreciated.

Many Thanks

Casey

rincewind456

What I would do is change you authentication page by adding

$_SESSION['logged_in'] = true;

after you query has been executed and then add at the top of each page

if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true)  {
    // not logged in, move to login page
    header('Location: login.php');
    exit;
}

I would also suggest you look at the manual for mysql_real_escape_string to beef up your protection against injection attacks.

caseygee

thanks i tried it and it worked for the user trying to access the page directly but when i try to login with correct login info it still redirects me to the login page? It's like the session variable isn't getting passed over, i've got session_start at the top of the members page aswell. Any thoughts

Many thanks

msk_1980

Other thing u can check for will be :

if( !isset( $_SESSION['user'] ) )
{
header('Location:login.php'); //direct him to login page as he is not logged in
exit;
}

if u r using the latest version of php, u might try this:

session_register('user') = $username;

in your login page.

hope it helps.

caseygee

when i put

session_register('user') = $username;

in the login page, it doesn't get past that script, like it stuck on it or doesn't understand it?

msk_1980

there is also a prob with u r query. u need to be using an "and" instead of "or" in the query.

rincewind456

caseygee wrote:
when i put
session_register('user') = $username;
in the login page, it doesn't get past that script, like it stuck on it or doesn't understand it?

That's because using session_register() only works if you have register_globals turned on

If you want your script to work regardless of register_globals, you need to instead use the $SESSION array as $SESSION entries are automatically registered. If your script uses session_register(), it will not work in environments where the PHP directive register_globals is disabled.

caseygee

ok then so what do i need to do so that the login page passes the member page the session variebles? Cause at the moment i don't think it is, thats why i would be able to get the script on the members page to work then, is that roughly right?

Cheers

rincewind456

First check that the variables are being passed by echoing them out. There's no point looking for anything else until you know whether they are.

Aslo as msk_1980 said your query should check for both username and password not just one of them.

caseygee

Thanks guys i eventually figured out.

On the login page with the original session where i was setting up the session variables had been named and on the member pages i wasn't naming the session name with the same as on the login page before i started the session.

Thnaks for your help 🙂

caseygee

Oh and i also changed the script so it looks for both username and password, don't know what i was thinking there??