$_SESSION Authentication

lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

$_SESSION Authentication

Post by lewisp.cox »

I'm currently creating a CMS for the first time, as a project and then hopefully use for actually deploying my own site.

It's also my first time using sessions, although it's easy enough to understand.
What I've got is a login.php page, which when logged in redirects to staffindex.php, where they can choose what they want to do.
What I'm trying to do is stop people jumping straight to staffindex.php, but I'm having difficulty.

What I've tried:

Code:

<?php 
    session_start();
    if(!isset($_SESSION['username']) || $_SESSION !== true){
        header('location:login.php');
        exit();
    }

?>
This was inputted before the <HTML> tag.
This doesn't work....well it does...ish
When I try to go straight to that page it does redirect me....but when I log on, it just keeps jumping straight to login.php again.

I hope this makes sense.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: $_SESSION Authentication

Post by social_experiment »

It's probably because you are seeing if $_SESSION is TRUE, which happens when you set $_SESSION['username']. Try something like this

Code:

<?php 
    session_start();
    if( !isset($_SESSION['username']) || !isset($_SESSION['other_variable']) ){
        header('location:login.php');
        exit();
    }
?>
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

Re: $_SESSION Authentication

Post by lewisp.cox »

That didn't work either. Is there any other way of doing it rather than using sessions? Or an easier way of doing it with sessions? Here's me thinking it was straightforward, but I'm probably making a meal out of it.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: $_SESSION Authentication

Post by social_experiment »

What happens if you change the code to this?

Code:

<?php
session_start();
    if(!isset($_SESSION['username']) ){
        header('location:login.php');
        exit();
    }
?>
lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

Re: $_SESSION Authentication

Post by lewisp.cox »

That's what I originally tried using, but it wouldn't let me log in, just kept going back to login.php

Apart from that I can't really think of much to do, I've tried Google but with no hope, can't see cookies being much different but I don't really want to use them.
lewisp.cox
Forum Newbie
Posts: 10
Joined: Sun Jan 02, 2011 11:29 am

Re: $_SESSION Authentication

Post by lewisp.cox »

social_experiment wrote: What happens if you change the code to this?

Code:

<?php
session_start();
    if(!isset($_SESSION['username']) ){
        header('location:login.php');
        exit();
    }
?>
This lets me logon now, which is a start, but I have the logout to destroy the session, so that should kill everything.
However, it now lets me bypass the login by typing the url for staffindex which I don't want it to be able to do, which was the whole point in the first place, I'm a little bit confused now.
prefer32bits
Forum Newbie
Posts: 10
Joined: Sat Jan 01, 2011 11:55 pm
Location: San Jose, CA

Re: $_SESSION Authentication

Post by prefer32bits »

Try including a "blocker" in the staff index using the die(string custerr); function.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: $_SESSION Authentication

Post by social_experiment »

lewisp.cox wrote: However, it now lets me bypass the login by typing the url for staffindex which I don't want it to be able to do, which was the whole point in the first place, I'm a little bit confused now.
If $_SESSION['username'] is set on login it wouldn't be possible to bypass the login. That's exactly what !isset() is supposed to stop. Do you have this 'auth checking code' at the top of each of the pages that can only be accessed by login?
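The login, guard and logout steps discussed in this thread, put together as an added example that is not part of any post above. In the first snippet, `$_SESSION !== true` is always true because `$_SESSION` is an array, so that guard redirects even after a successful login; the version below checks only `$_SESSION['username']`. The file name `auth.php`, the function names and the demo account are assumptions made for illustration.

```php
<?php
// auth.php (hypothetical name): require this file at the top of login.php,
// logout.php and every staff-only page, before any HTML is sent.
declare(strict_types=1);
session_start();

// Constructed demo account; a real CMS would read the stored hash from its user table.
function demo_password_hash(string $username): ?string
{
    static $users = null;
    $users ??= ['staff' => password_hash('example-password', PASSWORD_DEFAULT)];
    return $users[$username] ?? null;
}

// login.php calls this with the posted form values and redirects to staffindex.php on true.
function log_in(string $username, string $password): bool
{
    $hash = demo_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;                      // unknown user or wrong password: session untouched
    }
    session_regenerate_id(true);           // fresh session id once the user is authenticated
    $_SESSION['username'] = $username;     // the one value the guard below looks for
    return true;
}

// staffindex.php: require 'auth.php'; require_login();  (first lines of the file)
function require_login(): void
{
    if (!isset($_SESSION['username']) || !is_string($_SESSION['username'])) {
        header('Location: login.php');
        exit();                            // stop here so the protected page is never rendered
    }
}

// logout.php calls this: clear the data, expire the cookie, destroy the stored session.
function log_out(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

If a page still opens without a login, check that it calls `require_login()` itself and that an earlier session in the same browser has not already set `$_SESSION['username']`.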