Security script on a loop

meigwil

Hi,

I use the following script as an include for security in an admin only area.

session_start();
if ((isset($HTTP_SESSION_VARS['user_logged']) && $HTTP_SESSION_VARS['user_logged'] != "") || 
					(isset($HTTP_SESSION_VARS['user_password']) &&
					$HTTP_SESSION_VARS['user_password'] != "")) {
  //do nothing
}else{	
  $redirect = $HTTP_SERVER_VARS['PHP_SELF'];
	header("Refresh: 5; URL=login.php?redirect=$redirect");
	echo "You are not logged in, sending you back.";
	echo "If this does not work, ".
			 "<a href=\"login.php?redirect=$redirect\">Click here.</a>.";
  die();
}

After I log in, I'm sent to the first page which then sends me back to the log in page, and so on.

Can anyone see the problem? Are sessions dissallowed perhaps?

Thanks,

Mei

PHP v4.0.6
login script:

session_start();
include '../connect.php';
if (isset($HTTP_POST_VARS['submit'])){
  $query = "SELECT name, pass FROM users ".
				 	 "WHERE name = '".$HTTP_POST_VARS['user']."' ".
					 "AND pass = '".$HTTP_POST_VARS['pass']."';";
	$result = mysql_query($query) or die(mysql_error());	
  	if (mysql_num_rows($result) == 1){
  	  $HTTP_SESSION_VARS['user_logged'] = $HTTP_POST_VARS['user'];
  		$HTTP_SESSION_VARS['user_password'] = $HTTP_POST_VARS['pass'];
  		header("Refresh: 2; URL=".$HTTP_POST_VARS['redirect']."");
  		echo "You are being sent back<br />";
  		echo "If this does not work, ".
  				 "<a href=\"".$HTTP_POST_VARS['redirect']."\">clicik here</a>.";
	}else{ 
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
etc etc...

fire_cracker

Why don't you modify your script to echo the session vars. I think that it looks okay (despite the old HTTP vars lol), so check to see if you are even getting your session vars passed

meigwil

Thanks, I'll try that and update.

Mei