I have a login page that is not working properly. I will try to explain the problem as best I can and paste the scripts at the end.
I enter index.php or other pages that do not require logging in to view the content. If I go to a page that requires logging in, I am returned to index.php. I know the reason for that: it is because I have set a redirect to index.php if you are not logged in. If I log in from one of the pages that do not require logging in first, the page is displayed as it should, without admin rights. I have another page that should not show any content unless you are logged in. I will explain this in more detail.
This used to work as it should, but it's been a while and I've tried to change it without taking a backup, and now I can't find it again because I don't remember how I actually did it, and the more I try, the more I mess up.

So.... one of the pages that requires login should only show partial info if you are not logged in, and show a complete overview of the information on the page, but not be able to edit or delete that information. To do that, you need admin rights. All this is clearly in the DB.

As explained, there are different rights on the pages. There are also member pages that are reserved for members only. That is, there are pages that are only accessible by logging in. So there are 2 levels (actually 3, read on and I hope you will understand the last level) of what is available to the logged-in users, as well as an admin user right that gives full access. This is controlled by a session at the top of each page which defines the security level.

I'm hoping to get help with this here on this forum as I can't figure it out myself. I simply don't remember, and an "internet friend" from Great Britain has helped me put this together. It's impossible to get in contact with him. He is starting to get old. So I don't know whether he is alive anymore or not. At least he has been away from the internet, as far as I know, for a very long time, and others who know or knew who he is don't know anything either. I am pasting what I find of code that can/could be useful to you below. If there is something you are missing, please ask.
Just remember that there may be small mistakes and misunderstandings since this has been a project over a long time, and I don't remember everything 100%, but I try to collect the pieces and put them together as completely as possible. I think that's it. If you wonder about something more, just ask. I hope somebody understands how this was meant to be and can put it together for me, please?

I post a part of the MySQL DB/table below as well.

There are 3 levels of user rights

  • 0: These pages are for everyone. Visitors have rights to view and read chosen pages, but do not have access to restricted member areas with a requirement to be logged in.

  • 1: Admin who can do everything. When logging in I want the person who is logging in to be sent to members.php.

  • 2: Supporting member that is registered for selected pages meant for registered members only. Logging in will send me to members.php. As a supporting member the user will be able to edit and change his/her saved data on selected pages in addition to gaining access to the member pages.

<?php
session_start();
include $ROOT.'db_inc.php';
$pdo = pdoConnect();
$ROOT = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . '/';
$HOST = 'http://' . $_SERVER['HTTP_HOST'] . '/';

$loggedin =  $_SESSION['member_id'] ?? 0;

unset( $_SESSION['member_id'], $_SESSION['isadmin']);

if ($loggedin)  {
    header("Location: {$HOST}members.php");
    exit;
}
?>
<?php
session_start();
$ROOT = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . '/';
$HOST = 'http://' . $_SERVER['HTTP_HOST'] . '/';
$disabl1 = isset($_SESSION['member_id']) ? '' : 'w3-disabled'; 
$disabl2 = isset($_SESSION['member_id']) && isset($_SESSION['isadmin']) ? '' : 'w3-disabled';  
$log_btn = isset($_SESSION['member_id']) ? 'Log out' : 'Log in';
const SYSNAME = 'Management System';
const PAGETITLE = 'Welcome';
const HELPBUTTON = "";
?>

This is from the login page. As far as I can see this is working as it should.

<?php
session_start();
include $ROOT.'db_inc.php';
$pdo = pdoConnect();
$ROOT = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . '/';
$HOST = 'http://' . $_SERVER['HTTP_HOST'] . '/';

$loggedin =  $_SESSION['member_id'] ?? 0;

unset( $_SESSION['member_id'], $_SESSION['isadmin']);

if ($loggedin)  {
    header("Location: {$HOST}members.php");
    exit;
}
?>
<?php
session_start();
$ROOT = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . '/';
$HOST = 'http://' . $_SERVER['HTTP_HOST'] . '/';
$disabl1 = isset($_SESSION['member_id']) ? '' : 'w3-disabled'; 
$disabl2 = isset($_SESSION['member_id']) && isset($_SESSION['isadmin']) ? '' : 'w3-disabled';  
$log_btn = isset($_SESSION['member_id']) ? 'Logg ut' : 'Logg inn';
const SYSNAME = 'Management System';
const PAGETITLE = 'Welcome';
const HELPBUTTON = "";
?>

This is from index.php

<?php
session_start();
$ROOT = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . '/';
$HOST = 'http://' . $_SERVER['HTTP_HOST'] . '/';
$disabl1 = isset($_SESSION['member_id']) ? '' : 'w3-disabled'; 
$disabl2 = isset($_SESSION['member_id']) && isset($_SESSION['isadmin']) ? '' : 'w3-disabled';  
$log_btn = isset($_SESSION['member_id']) ? 'Logg ut' : 'Logg inn';
const SYSNAME = 'Management System';
const PAGETITLE = 'Welcome';
const HELPBUTTON = "<span id='info_btn' class='w3-badge w3-small w3-white w3-border w3-border-white w3-right' title='Hjelp'>?</span>";
?>
-- ----------------------------
-- Table structure for member
-- ----------------------------
CREATE TABLE `member`  (
  `member_id` int(11) NOT NULL AUTO_INCREMENT,
  `fname` varchar(45) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `lname` varchar(45) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `member_class` int(11) NULL DEFAULT NULL COMMENT '1 boating , 2- supporting',
  `address` varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `town` varchar(45) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `county` varchar(45) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `postcode` varchar(10) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `email` varchar(45) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `mobile` varchar(15) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `extra` tinyint(4) NULL DEFAULT NULL,
  `comments` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `date_join` date NULL DEFAULT NULL,
  `date_leave` date NULL DEFAULT NULL,
  `password` varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  `admin` tinyint(4) NULL DEFAULT NULL COMMENT '1 = admin\n0 = ordinary member',
  PRIMARY KEY (`member_id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 50 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of member
-- ----------------------------
INSERT INTO `member` VALUES (12, 'Scott', 'Chegg', 1, NULL, NULL, NULL, NULL, 'Scott.Chegg@gmail.com', '07259049068', NULL, NULL, '2019-01-01', NULL, '$2y$10$KBlMC5wCL.K6EHvxSTIejOBBSRFesGhDfK.iNb7v.uexVwmQOhCPG', 1);
INSERT INTO `member` VALUES (13, 'Laura', 'Norder', 0, NULL, NULL, NULL, NULL, 'Laura.Norder@gmail.com', '07403996096', NULL, NULL, '2020-06-01', NULL, '$2y$10$KBlMC5wCL.K6EHvxSTIejOBBSRFesGhDfK.iNb7v.uexVwmQOhCPG', 0);
INSERT INTO `member` VALUES (14, 'Peter', 'Dowt', 2, '', '', '', '', 'Peter.Dowt@gmail.com', '07242833304', NULL, NULL, '2020-01-01', NULL, '$2y$10$KBlMC5wCL.K6EHvxSTIejOBBSRFesGhDfK.iNb7v.uexVwmQOhCPG', 0);
-- ----------------------------
-- Table structure for member_number
-- ----------------------------
DROP TABLE IF EXISTS `member_number`;
CREATE TABLE `member_number`  (
  `member_no` int(11) NOT NULL,
  `member_id` int(11) NULL DEFAULT NULL,
  PRIMARY KEY (`member_no`) USING BTREE
) ENGINE = InnoDB CHARACTER SET = latin1 COLLATE = latin1_swedish_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of member_number
-- ----------------------------

SET FOREIGN_KEY_CHECKS = 1;

Since you haven't posted any functional code, all I can comment on is what the posted code shows us.

If you have multiple pages that need a login and user permission system, you should simply integrate the login/user permission code into any page that needs it.

The only value you should store in a session variable is the logged in user id. You should then simply query on each page request to get any other user data, such as the username or user permissions. These other values are not stored in session variables.

You would then simply display and enable the processing of whatever is appropriate on each page for the current user's state/permission level. This is all just conditional logic, that can be simplified by writing 'helper' functions.

The only redirect you should have in your code is upon successful completion of post method form processing code and it should be to the exact same url of the current page to cause a get request for that page. To allow users to go to other pages, provide navigation links.

In the posted code, you are using $ROOT before it has been assigned a value. This would be producing php errors. Do you have php's error_reporting set to E_ALL and display_errors set to ON, preferably in the php.ini on your system, so that php would help you by reporting and displaying all the errors it detects?

You should use require for things your code must have for it to work.

It is not necessary to convert \ to / in $_SERVER['DOCUMENT_ROOT'] on windows.

You can use relative urls. All the use of $HOST is unnecessary.

    Leon: There are 3 levels of user rights

    You also have some unclear information, which would make it impossible to write code that does what you want.

    The member_class is apparently the user levels, with 0, 1, 2 values. You have stated the 1 value is for an admin who can do everything, but isn't this actually for a member who is not a supporting member? Why is there an admin column in the table with 0, 1 values then?
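The approach described in this reply, as an added example that is not code from the thread: one common file (assumed name auth_inc.php) required at the top of every page. Only member_id is kept in the session, the member row is queried on each request, pages get helper functions for their conditional logic, and the only redirect is back to the same URL after the login/logout form has been posted. It assumes db_inc.php and pdoConnect() from the posted code, the posted `member` table with `email` used as the login name, and form fields named action, email and password.

```php
<?php
// auth_inc.php (assumed file name): common login/permission code required at the top of every page.
// Added example, not code from the thread. Only member_id lives in the session; the member row
// is queried on every request. Assumes db_inc.php/pdoConnect() and the `member` table from the
// posted dump, with `email` as the login name and form fields named action, email and password.
declare(strict_types=1);

session_start();
require __DIR__ . '/db_inc.php';   // require, not include: the page cannot work without it
$pdo = pdoConnect();

// The current member's row, or null when nobody is logged in (or the id no longer matches a row).
function current_member(PDO $pdo): ?array
{
    $id = (int)($_SESSION['member_id'] ?? 0);
    if ($id <= 0) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT member_id, fname, lname, admin, member_class FROM member WHERE member_id = ?'
    );
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Helper checks so the pages contain conditional logic only, never session handling.
function is_admin(?array $member): bool
{
    return $member !== null && (int)$member['admin'] === 1;
}

function require_login(?array $member): void
{
    if ($member === null) {
        http_response_code(403);
        exit('You must be logged in to view this page.');
    }
}

// Login/logout are posted to the current page and answered with a redirect to the same URL,
// so a refresh cannot resubmit the form.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
    if ($_POST['action'] === 'logout') {
        $_SESSION = [];
        session_destroy();
    } elseif ($_POST['action'] === 'login') {
        $stmt = $pdo->prepare('SELECT member_id, password FROM member WHERE email = ?');
        $stmt->execute([trim((string)($_POST['email'] ?? ''))]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // password_verify() checks the $2y$ bcrypt hashes stored in the posted table
        $hash = $row === false ? '' : (string)($row['password'] ?? '');
        if ($row !== false && password_verify((string)($_POST['password'] ?? ''), $hash)) {
            session_regenerate_id(true);                  // fresh session id once logged in
            $_SESSION['member_id'] = (int)$row['member_id'];
        } else {
            $_SESSION['login_error'] = 'Wrong e-mail or password.';
        }
    }
    header('Location: ' . $_SERVER['REQUEST_URI']);       // same page, relative; no $HOST needed
    exit;
}

$login_error = $_SESSION['login_error'] ?? '';             // shown once on the page after the redirect
unset($_SESSION['login_error']);

$member  = current_member($pdo);
$disabl1 = $member !== null ? '' : 'w3-disabled';          // same variable names as the posted pages
$disabl2 = is_admin($member) ? '' : 'w3-disabled';
$log_btn = $member !== null ? 'Log out' : 'Log in';
```

A members-only page then starts with `require __DIR__ . '/auth_inc.php'; require_login($member);` and an admin-only action checks `is_admin($member)` before doing anything; nothing on the page needs to read `$_SESSION` directly.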

      I'm also not sure what the alleged problem is; it hasn't been described.

      The only thing I notice, without any idea what's going on is:

      $loggedin =  $_SESSION['member_id'] ?? 0;
      
      unset( $_SESSION['member_id'], $_SESSION['isadmin']);
      
      if ($loggedin)  {
          header("Location: {$HOST}members.php");
          exit;
      }

      On this page (is that from the login page? Or index.php? None of the pieces of code are identified.) a session variable is checked to see if the user is logged in. (Also missing from what is posted: anything that sets these session variables). Once that is decided, the user is redirected to the members page, after unsetting those session variables. So by the time they land on the members page, there's nothing to show they're logged in any more.

        I am working on this to make the login part of the site work again. That is the problem. This was a fully working site until I tried to make some adjustments. I forgot to take a backup, so I can't get it back the way it was. I don't know if I mentioned it, but this was something an internet friend did for me. I am not able to contact him any more. He is in his mid-70s. And now no one knows where he is or what happened to him. Some say they have seen him online, and some say they haven't. So, for all I know he could be dead, and not only disappeared. That's why I contact you guys. One thing is that I have been away from programming for more than a decade, and for the second, the more I study what he has done, or the way he has done it, it's so far from what I understand. I should also tell you when I came to him, I was like a newbie after 12-13 years away from programming. So very much was and is forgotten. But I was able to read some code. But in this case, I am not. So, I hope somebody could be helpful if they understand. Enough of that.

        If you understand his way of programming, I would appreciate it very much. What is happening isn't good to say. Whatever I do it won't log in, and I have admin rights on every page. Or, in some way it works. When I log in with username and password it logs in, so there is a connection with MySQL, but both usernames that are in the DB, one with admin rights, and one with support user rights meant to read and post comments etc. in the member area + change registered data for the logged-in user. So, I understand what's wrong, but I am not able to correct this myself. So, I ask you guys to point me in the right direction. If I try to log in with the wrong password I get an error message. So, in a way it works. So, what I am missing is the two code block parts that make the sites valid for admin or regular/supporting member. I know that it should be in the code blocks I pasted, but I don't know which, but it should be this since this is the one that works best (at all):

        session_start();
        include $ROOT.'db_inc.php';
        $pdo = pdoConnect();
        $ROOT = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . '/';
        $HOST = 'http://' . $_SERVER['HTTP_HOST'] . '/';
        
        $loggedin =  $_SESSION['member_id'] ?? 0;
        
        unset( $_SESSION['member_id'], $_SESSION['isadmin']);
        
        if ($loggedin)  {
            header("Location: {$HOST}members.php");
            exit;
        }
        

        There are some other things not working too, but the most important is the problem(s) described above and below: to differentiate between normal user and admin, and no access until one is a registered user. There is a page with partial admin rights. That is to say, the logged-in user can click on different belongings of others and read the saved info in the DB about them, but not delete the info. Only the admin can do that. On other sites that are listing all the members and their info, the logged-in user can read the info about them, but only change his/her own info; he/she can only edit their own info. So it's like I tried to say: these are the two/three blocks of code that I need to insert on each page to differentiate.

          The only thing I notice, is:

          $loggedin =  $_SESSION['member_id'] ?? 0;
          
          unset( $_SESSION['member_id'], $_SESSION['isadmin']);
          
          if ($loggedin)  {
              header("Location: {$HOST}members.php");
              exit;
          }

          In this block of code a session variable is checked to see if the user is logged in. (Also missing from what is posted: anything that sets these session variables). Once that is decided, the user is redirected to the members page, after unsetting those session variables. So by the time they land on the members page, there's nothing to show they're logged in any more. So how does the members page determine if a user is logged in?


            Weedpacket

            That's exactly what I was on about. There is something missing to set which permissions apply to each individual member page. Since there are (so far) 3 different permissions, I'm already stuck. I have no references on how to do this. As previously explained, the permissions are:

            • Must be logged in to see member list. There is a page where visitors can bring up the entire member list with all members and the information by each name, there is a button that allows you to edit user data, but only your own button is active. All other buttons for editing are inactive.

            • A page that is open to everyone who is logged in. It is a page that shows what the members have as assets, and what space the various members have. At the bottom of the page there is a button that is only active for administrators. There is a button that deletes the asset located on the marked/clicked asset.

            • A normal page with articles that gives rights only for reading the articles on the page. At the bottom of these pages there will be a comment field, so everyone who is logged in is also allowed to post comments.

            So as I've mentioned before, it's what sets the user rights on each individual page that I'm missing, and unable to figure out. I've had this before and I'm trying to find it again, because I've had this distributed in several places, but I'm not able to find it again. There is an incredible amount of material to go through. I search up and down, but unfortunately it's probably lost 😭
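The three page rules listed above, written out as one permission function that each page can call; this is an added example, not code from the thread or from the original author. It assumes $member is the logged-in user's row from the posted `member` table (null when nobody is logged in), loaded by a common header, and that an admin may also edit other members' rows, since the admin is described as able to do everything. The sample rows at the bottom are constructed so the decisions can be printed offline.

```php
<?php
// Added example (not the thread's code): the rules for the three page types as one function.
// $member is the logged-in user's row from the posted `member` table (null when not logged in),
// loaded by the page's common header; $ownerId is the member_id a record belongs to.
// Assumption: an admin may also edit other members' rows, since admin "can do everything".
declare(strict_types=1);

function page_permissions(?array $member, ?int $ownerId = null): array
{
    $loggedIn = $member !== null;
    $isAdmin  = $loggedIn && (int)$member['admin'] === 1;
    $isOwner  = $loggedIn && $ownerId !== null && (int)$member['member_id'] === $ownerId;
    return [
        // member list: visible to logged-in members, edit button only on your own row
        'view_member_list' => $loggedIn,
        'edit_member'      => $isOwner || $isAdmin,
        // assets page: any logged-in member can read, only admins get the delete button
        'view_assets'      => $loggedIn,
        'delete_asset'     => $isAdmin,
        // article pages: reading is open, commenting needs a login
        'read_articles'    => true,
        'post_comment'     => $loggedIn,
    ];
}

// The w3-disabled class the posted pages already put on inactive buttons.
function btn_class(bool $allowed): string
{
    return $allowed ? '' : 'w3-disabled';
}

// A greyed-out button is only a hint to the browser; the form handler that actually edits or
// deletes must apply the same rule, otherwise anyone can submit the request by hand.
function deny_unless(bool $allowed): void
{
    if (!$allowed) {
        http_response_code(403);
        exit('Not allowed.');
    }
}

// Constructed sample rows (same shape as the posted INSERTs) to show the decisions offline.
$rows = [
    ['member_id' => 12, 'fname' => 'Scott', 'admin' => 1],
    ['member_id' => 13, 'fname' => 'Laura', 'admin' => 0],
    ['member_id' => 14, 'fname' => 'Peter', 'admin' => 0],
];
foreach ([null, $rows[1], $rows[0]] as $viewer) {
    $who = $viewer === null ? 'visitor' : $viewer['fname'];
    foreach ($rows as $row) {
        $p = page_permissions($viewer, (int)$row['member_id']);
        printf("%-7s row %-5s edit:%-3s delete_asset:%-3s comment:%s  class=\"%s\"\n",
            $who, $row['fname'],
            $p['edit_member'] ? 'yes' : 'no',
            $p['delete_asset'] ? 'yes' : 'no',
            $p['post_comment'] ? 'yes' : 'no',
            btn_class($p['edit_member']));
    }
}
// In the real pages: on the asset page's POST handler, before deleting anything,
// deny_unless(page_permissions($member)['delete_asset']);
// and on the member edit handler,
// deny_unless(page_permissions($member, (int)$_POST['member_id'])['edit_member']);
```

Run with `php` on the command line: the visitor gets no edit, delete or comment rights, Laura can edit only her own row and comment, and Scott (admin) can edit every row and delete assets. The same `page_permissions()` result feeds both the button classes in the HTML and the `deny_unless()` check in the form handler, so the two cannot drift apart.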

              .... but, after a while searching through old mails I found some lost files. It's not one of the last versions of the system, but very close. I'll look through them and come back.

                I've done this many times. PBS is on the correct path. The most you'd need is two variables and a couple checks at the top of each page, which could/should be in common code (e.g. a header file).

                One would be the session_id and the other called something like is_admin. If session_id is zero you redirect to login (index.php if I read your post right). If is_admin is true, show administrative stuff.

                Last time I did this, IIRC, we had "normal user" IDs start at 100, and anything less than that was an admin account. Kept the DB logic minimal that way. HTH,
