[RESOLVED] ISSET instruction braking my head

phprooky

Hy everyone,
I've been searching for help with a code that I have, but nobody seems to use it or know about it. I have 2 PHP pages, the first one is to verify the user and after that it takes you to another page.
The first one is called checklogin.php and the second is login_success.php
I was using an instrucction that is no longer used by the new PHP versions so someone told me to use ISSET, but I still can't understand how that really works.
The problems is that when you login my login_success.php page send me back to the page where I type the users credentials and that's not what I want the page to do.

This is checklogin.php

$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name 
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
$_SESSION['myusername'] = TRUE;
header("location:login_success.php");
exit();
}
else
{
	if(isset($_SESSION['myusername'])){
		unset($_SESSION['myusername']);
	}
	echo "Wrong username or password";
}

This is login_success.php

session_start();
if (isset($_SESSION['myusername']))
{
		echo 'Login correcto, '.$_SESSION['myusername'].', usuario es: '. $_SESSION['myusername'];
	} else {
	header("location:main_login.php");
	}

PLEASE HELP ME. I'M NEW IN THE PHP WORLD

halojoy

you can put in some exit();
especially important after any header("location:......

I am not sure this I tell now will help.
But you can try a change.

session_start();
if (isset($_SESSION['myusername']))
{
        echo 'Login correcto, '.$_SESSION['myusername'].', usuario es: '. $_SESSION['myusername'];
    exit();
} else {
     header("location:main_login.php");
     exit();
}

You can also use '$myusername' as value, instead of =TRUE;

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    $_SESSION['myusername'] = $myusername;
    header("location:login_success.php");
    exit();
}
else
{
    if(isset($_SESSION['myusername'])){
        unset($_SESSION['myusername']);
    }
    echo "Wrong username or password";
    exit('<br /> Try again!');
}

phprooky

Hi halojoy and thanks for following my case.
My worry is that my login_success.php page can be access it anytime by just typing the complete address in the browser without typing the username and password, so how can I block that using ISSET

anakadote

You're not starting a session in checklogin.php, so it isn't set (isset) in login_success.php.

Put session_start(); at the top of checklogin.php.

phprooky

Hi anakadote,
Thanks for following my case. I already put the sessio_start(); on checklogin.php, but it still doing the same thing. Everytime I write in my browser the complete address like: http://mywebsite/folder1/forder2/login_success.php it takes me directly to that page without sending me to my login page which in main_login.php

anakadote

I'm confused; is the problem that it's sending you back when it shouldn't, or it's not sending you back when it should?

Also, make sure that session_start(); is at the top of every page that requires the use of sessions.

Pikachu2000

It looks as though it should work as you have it, but I don't see session_start() in checklogin.php . . . Is it in there somewhere?

If someone accesses the script directly and is not logged in, the header() should redirect the person back to main_login.php. If you want to prevent someone who is already logged in from getting there, you can add another check to the script with another $SESSION var.

session_start();
if(isset($_SESSION['is_logged_in']) && isset($_SESSION['myusername'])) {
     header("Location: " . $_SERVER['HTTP_REFERER']);
     exit(); // if user is logged in already, send them back to where they came from.
}
if (isset($_SESSION['myusername'])) 
{
     $_SESSION['is_logged_in'] = 1; // set $_SESSION['is_logged_in'] value if login was successful
        echo 'Login correcto, '.$_SESSION['myusername'].', usuario es: '. $_SESSION['myusername']; // $_SESSION['myusername'] is not set to a string here. No point echo'ing it.
    } else { 
    header("location:main_login.php"); 
    }

Pikachu2000

phprooky;10946343 wrote:
Hi anakadote,
Thanks for following my case. I already put the sessio_start(); on checklogin.php, but it still doing the same thing. Everytime I write in my browser the complete address like: http://mywebsite/folder1/forder2/login_success.php it takes me directly to that page without sending me to my login page which in main_login.php

Have you set up (and used) a logout script to clear $_SESSION?

phprooky

Hi Pikachu2000,
When I use the logout script to clear the session works pretty well, but how can I forse the user to logout if they forget to do so?

anakadote

You could set the session.gc_maxlifetime php configuration value to something lower if you're concerned. Not sure how you would "force" the user to logout though.

phprooky

Ok, I'll try that.
Thanks a lot every one for helping me with this issue.
I really appreciate your help!!