[RESOLVED] Session Login problems

conjurer

I have a site where I am using a name and password to login.

If logged in it sets a $_Session['valid_user'] variable to their username.

What I want to do is on pages that are member only I want to test to see if they are in a logged in state and the session variable for valid_user is set. If they aren't logged in then I want to redirect them back to a page where they have to login.

I thought the way to do it would be this:

<?php
session_start();
require_once('includes/member_fns.php'); 

if (!$_SESSION['valid_user'])
  	{
		 // they are not logged in send them to the login
  		header("Location: login.php?form_failed=1");
  		exit;
  	} 

  else
  	{
    echo "<div id='valid_user'><p>Logged in as: " .$_SESSION['valid_user'] ."</p>;
  	}

?>

However, navigating directly to the page bypassing the login process tosses the following two errors:

Encountered error: 8 in /home/consult/public_html/OMGMA_Testing/OMGMA_1_0/member_community/authenticate/mc_directory.php, line 5: Undefined index: valid_user

Encountered error: 2 in /home/consult/public_html/OMGMA_Testing/OMGMA_1_0/member_community/authenticate/mc_directory.php, line 8: Cannot modify header information - headers already sent by (output started at /home/consult/public_html/OMGMA_Testing/OMGMA_1_0/member_community/authenticate/includes/error_fns.php:4)

It appears the session variable is undefined.

What am I doing wrong? Is there a more practical way to handle this?

Basically I am just looking for a solid way to allow members to login and access each of the member pages without having to login again. So if they login and then they can access any of the pages that are member only, but if they aren't logged in they fail and are sent away or to my login page.

dalecosp

Hmm. One error may have caused the other? Are there any output statements or stray blank spaces in the 'includes/member_fns.php' file?

Does changing the if to this:

if (@$_SESSION['valid_user']=='')

make any difference?

Res

The first error we can run a check on to prevent the warning.

if(!isset($_SESSION['valid_user'] || empty($_SESSION['valid_user']) ){
//logic 
}else{
//logic
}

Now the redirect is the second problem, why you get the 'headers already sent'. Basically if you echo anything out to the browser, you can't modify the headers without using some sort of output buffering to clean the buffer. An easy way to side step this issue is to use javascript to redirect. You'll have to google this as i'm not sure i'm getting it right, but something like

window.location = 'login.php?form_failed=1';

You may need the full url in there or something, sorry to be so vague on that one.

-- Edit --
looking back on your code, you can still get away with using PHPs header() if you move the include requirement into the block that processes the valid user, as the error is indicating headers are sent by that file, making your location redirect fail.

dalecosp

Incidentally, do you have your own error handling routines? I don't ever remember seeing PHP say, "Encountered error:" ....

dalecosp

Well, Res, I'd clean up the definition issue first, and see if that did away with the "headers already sent". And it looks a little like custom error handling, in which case it may very well be that the definition error created the 2nd error.

Res

Good catch, I didn't notice the custom errors and that the include is probably the file responsible for generating those custom errors. In which case it's outputting the check on the array as an error, which is causing the header() call to fail.

Good eye dalecosp.

conjurer

I will try those out...

why the @ in

if (@$_SESSION['valid_user']=='')

dalecosp

That's an older hack; error suppression. To actually handle the situation properly, you really should use isset() and is_empty() like Res described. But the "@" should suppress the error in order to see if there is another issue causing the headers already sent error.

conjurer

I do have some error handling but didn't think it was in play here. I will check that.

conjurer

This seems to get me some mileage. The isset is apparently what I needed. Now it redirects them if not logged in or renders the page if they are logged in. And that clears the other message problem.

Thanks!! 🙂

<?php
session_start();
require_once('includes/member_fns.php'); 
if(isset($_SESSION['valid_user']))
	{
		echo "<div id='valid_user'><p>Logged in as: " .$_SESSION['valid_user'] ."</p></div>";

}
else
{
	// they are not logged in send them to the login
	header("Location: login.php?form_failed=1");
} 
?>