The correct use of sessions.

Awestruck

I am using XAMPP to develop a database (let’s say mydbd).

To access the edit_your_account.php page, the user must login from the home page using an email address and a password.
A page named members-page.php opens. A link within the header of that page will then take him to the edit_your_account.php page.
The edit_your_account.php page opens, but it shows an error message:

This page has been accessed in error.

The address field of the browser shows the URL: http://localhost/mydb/edit_your_account.php

If I use hard coding to amend that URL by addng the user's id suffix as follows:
localhost/mydb/edit_your_account.php?id=14
The edit_your_account.php page appears with its table of user's details correctly displayed and populated.
I can then edit some of the user's details, click the 'Edit' button and the details are correctly edited.

From this I am assuming that I am not using SESSIONS correctly on the members.php page, or on the edit_your_account.php page, or both. Please would you let me know where I am going wrong?

The same session is used on both the members-page.php and the edit_your_account.php page, this is listed in the code below.

<?php

session_start();
if (!isset($SESSION['user_level']) or ($SESSION['user_level'] != 0))
{ header("Location:login.php");
exit();
}
if (isset($SESSION['user_id'])){
$POST['id'] = ($_SESSION['user_id']);
}
?>

There are two blocks of code on that page that will produce the error message.
The first one is listed in the code box below.

<?php
// After clicking the Your Account link within the header of the members page, this editing interface appears
// Look for a valid user ID, either through GET or POST:
if ( (isset($GET['id'])) && (is_numeric($GET['id'])) ) { // From members page
$id = $GET['id'];
} elseif ( (isset($POST['id'])) && (is_numeric($POST['id'])) ) { // From members page. Prepare to display the Form
$id = $POST['id'];
} else { // No valid ID, so kill the script.
echo '<p class="error">This page has been accessed in error.</p>';
include ('includes/footer.php');
exit();
}
require ('mysqli_connect.php');
// Has the form been submitted?
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

Weedpacket

A link within the header of that page will then take him to the edit_your_account.php page.
The edit_your_account.php page opens

The address field of the browser shows the URL: http://localhost/mydb/edit_your_account.php

So during all that, where does the "id" get passed? Because if it isn't:

if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From members page
$id = $_GET['id'];
} elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // From members page. Prepare to display the Form
$id = $_POST['id'];
} else { // No valid ID, so kill the script.

Awestruck

Yes that is the key to solving the problem. I wondered if the id could be passed earlier in the chain of events. The chain is: First the Login page, this directs to the members page, in which a menu button takes the user to the edit_your_account page.
I tried adding a session to the login page.

In the login page I tried this without success:
<?php
session_start();
if (!isset($SESSION['user_level']) or ($SESSION['user_level'] !=0))
{
header("Location:login.php");
exit();
}
if (isset($SESSION['user_id'])){
$POST['id'] = ($_SESSION['user_id']);
}
?>

Then I tried this in the login page without success:

<?php
session_start();
if (isset($SESSION['user_id'])){
$POST['id'] = ($_SESSION['user_id']);
}
?>
I can't think what to try next, would you suggest a next move please.
Best wishes
Awestruck

dalecosp

$_SESSION['user_id'] doesn't get set automatically by the session. You need to set it.

//Login.php

//start the session
session_start();

if (!$_POST) {

   show_the_form();

} else {  //form was POSTed

$success = login_check($_POST['user'], $_POST['password']); //assume return of user id, '0' if failure

if ($success) {
   $_SESSION['user_id'] = $success;
   header("Location: member.php");
}
}

Then, on any page that needs to know the user's ID:

//MyExamplePage.php

//start session
session_start();

//are we logged in?
if (!$_SESSION['user_id']) {  //no?  Go and login please!

header("Location: login.php");
exit;
}

//show member stuff here.

Note that this is example code to give you an idea how to proceed. I should add that you should do a LOT of study about this; for example, placing $_POSTed variables into a function is probably OK ... UNLESS that function then proceeds to put them directly into a database query; that's a huge potential security hole. You should learn more about PHP's sessions and how to keep them secure.

I also assumed you could write a login_check() function ... that can also be complex; for one thing, passwords MUST be hashed these days. It's totally irresponsible of ANYone running a website in 2018 to use a password-in-the-clear in their database. Why? Because Fred in Accounting uses the same d@3n password on your site that he uses to access his bank account and his social media profile and his work-based email. If he puts it into your system, it's stored in clear-text and someone gets ahold of your DB backup file, "poof!" ... Fred's life is a hellacious thing for months or even years.

Best of luck ...

pbismad

Starting with the session data, you should only store the user's id in a session variable. You should not store any user permissions in session variables. Doing so will prevent the user permissions from being changed, until the next time the user logs in. If you have a system where the user can perform an action, such as making posts, chat, shout-box, pm'img members, emailing members, ... you would want any change in permissions to take effect on the next page request, so that a moderator/administrator will have the ability to stop someone who is abusing the system or to have the ability to add permissions without having to tell the user to log out and log back in again for them to take effect. You should query on each page request to get the current user's permissions.

The user permissions should determine what the current visitor can see or what action they can perform on any page. The logic on any page should test if the current visitor is logged in, retrieve their permissions if they are, and then decide what to display or what action to allow on that page.

On the member(profile) page, it should use a get parameter in the url to determine who's information to display. If there is not an id in the url, you need to decide what to do. Should this display an error message? Should you redirect to another page? Should you display the current user's data using the user_id from the session variable, if any? This forum software displays "This user has not registered and therefore does not have a profile to view.", which is probably the same message/logic for when there is an id in the url, but that user doesn't exist.

If there is an id in the url, you also need to decide what to do. If the id in the url is not the same as the current visitor's or the current visitor is not logged in, what should happen? If the id in the url is the same as the current visitor's (viewing your own profile page), what should happen? In addition to displaying the profile information, you would display the link to the edit page in this case.

Repeat this defining process for the edit page. If the current visitor is not logged in and they browse to the edit page, what should happen? This forum software displays - "You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:...". If they are logged in and they have permission to edit their profile, you would retrieve the profile information using the user id from the session variable and populate the edit form with it. When the edit form is submitted, you would repeat these checks (if not submitting to the same page), so that only a logged in user, with permission to edit their profile, can cause the data to be changed.

dalecosp

pbismad;11065385 wrote:
Starting with the session data, you should only store the user's id in a session variable. You should not store any user permissions in session variables. Doing so will prevent the user permissions from being changed, until the next time the user logs in.

News to me.

//1.php

session_start();

$_SESSION['permission'] = 1;

echo "Your permission level is " . $_SESSION['permission'];

//2.php

session_start();

$_SESSION['permission'] = 2;

echo "Your permission level is " . $_SESSION['permission'];

It appears as though you think the session can only be modified once? While it might be onerous (or perhaps even poor design) to adjust $_SESSION multiple times during a, well, session, it's certainly possible to do so.

pbismad

News to me.

My statement is about being able to change user permissions and have them take effect.

The session that's started is the visitor's session, using the session id from the http(s) request, or if you know what the session id is, by setting the id using session_id() first. For a moderator/admin to be able to modify someone else's session data would require first knowing the visitor's current session id, which can be easily changed, simply by logging out and back in, resulting in the possibility that abandoned session data is what is actually being modified by the mod/admin.

The straight-forward fool-proof way of being able to change user permissions, is to change the source data (wherever the OP is defining a user's 'user_level' at now), and retrieve and use that source data on each page request, rather than to try and change a copy of that data being held in a session variable.