I've created a basic login script using sessions. However, I've come up against a few obstacles. What happens is that when the username is displayed a number comes up, and if one user is logged on they can navigate to another user's page. I've been thinking for a while now about how to stop this flaw but I've got nowhere. Here's the code:
Code at the top of the user's page to start the session or if not logged in to relocate:
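<?php
session_start();
// No username in the session means nobody is logged in
if (!isset($_SESSION['username']))
{
    header("location: login.html");
    exit;
}
else
{
    // Behaviour described above: the greeting shows a number, not the name
    if($username = $_SESSION['username'] && $password = $_SESSION['password'])
    {
        echo "Hi ".$username;
    }
}
?>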
The PHP for logging on:
<?php
if($_POST['submit'])
{
    $username = $_POST['u'];
    $password = $_POST['p'];
    $connect = mysql_connect("server","user","pass");
    $db = mysql_select_db("db");
    // Both fields are required
    if(!$username || !$password)
    {
        header("location: relogin.html");
        exit;
    }
    else
    {
        // Escape the submitted values before they go into the query string
        $u = mysql_real_escape_string($username);
        $p = mysql_real_escape_string($password);
        $check = "SELECT * FROM table WHERE u ='".$u."' AND p = '".$p."'";
        $result = mysql_query($check) or die ("error: ".mysql_error());
        if(mysql_num_rows($result) == 0)
        {
            echo "The Username and the Password do not match";
        }
        else
        {
            $row = mysql_fetch_row($result);
            if ($password == $row[3])
            {
                // Credentials matched: remember the user and go to their page
                session_start();
                $_SESSION['username'] = $username;
                $_SESSION['password'] = $password;
                header("location: $username.php");
                exit;
            }
        }
    }
}
?>
Thanks
stow
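
An added example, not part of the original post and not the poster's code: one way to handle the two symptoms described above (the "1" shown in place of the username, and a logged-in user opening another user's page). The `users` table, its column names, the helper function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. The users table, its columns and
// the one-page-per-user layout (alice.php, bob.php) are assumptions.

// Verify credentials: bound parameter in the query, hashed password at rest.
function check_login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// Decide what the page belonging to $pageOwner does for this session.
function page_access(array $session, string $pageOwner): string
{
    if (!isset($session['username'])) {
        return 'login';       // nobody logged in: redirect to login.html
    }
    // Compare, never assign, inside the condition. In
    // "$u = $x && $p = $y" the && binds tighter than =, so $u receives a
    // boolean and "Hi ".$u prints 1 instead of the name.
    if ($session['username'] !== $pageOwner) {
        return 'forbidden';   // logged in, but this is another user's page
    }
    return 'ok';
}

// Constructed demo data; in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT)]);

$session = [];                           // stands in for $_SESSION
if (check_login($db, 'alice', 'correct horse')) {
    $session['username'] = 'alice';      // keep the identity only, not the password
}
var_dump(check_login($db, 'alice', 'wrong password'));
foreach ([[$session, 'alice'], [$session, 'bob'], [[], 'alice']] as [$s, $owner]) {
    echo $owner, '.php -> ', page_access($s, $owner), "\n";
}
```

On a real page, call `session_start()` first, pass `$_SESSION` and the page owner's name to `page_access()`, and on any result other than `'ok'` send the redirect or a 403 response and `exit`.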