$_SESSION Authentication

Posted: Sun Jan 02, 2011 11:41 am
by lewisp.cox
I'm currently creating a CMS for the first time, as a project, and then hopefully to use for actually deploying my own site.

It's also my first time using sessions, although it's easy enough to understand.
What I've got is a login.php page, which when logged in redirects to staffindex.php, where they can choose what they want to do.
What I'm trying to do is stop people jumping straight to staffindex.php, but I'm having difficulty.

What I've tried:

<?php 
    session_start();
    if(!isset($_SESSION['username']) || $_SESSION !== true){
        header('location:login.php');
        exit();
    }

?>
This was inputted before the <HTML> tag.
This doesn't work....well it does...ish
When I try to go straight to that page it does redirect me....but when I log on, it just keeps jumping straight to login.php again.

I hope this makes sense.

Re: $_SESSION Authentication

Posted: Sun Jan 02, 2011 11:52 am
by social_experiment
It's probably because you are seeing if $_SESSION is TRUE, which happens when you set $_SESSION['username']. Try something like this:

<?php 
    session_start();
    if( !isset($_SESSION['username']) || !isset($_SESSION['other_variable']) ){
        header('location:login.php');
        exit();
    }
?>

Re: $_SESSION Authentication

Posted: Sun Jan 02, 2011 1:18 pm
by lewisp.cox
That didn't work either. Is there any other way of doing it rather than using sessions? Or an easier way of doing it with sessions? Here's me thinking it was straightforward, but I'm probably making a meal out of it.

Re: $_SESSION Authentication

Posted: Sun Jan 02, 2011 3:44 pm
by social_experiment
What happens if you change the code to this?

<?php
session_start();
    if(!isset($_SESSION['username']) ){
        header('location:login.php');
        exit();
    }
?>

Re: $_SESSION Authentication

Posted: Sun Jan 02, 2011 4:28 pm
by lewisp.cox
That's what I originally tried using, but it wouldn't let me log in, just kept going back to login.php

Apart from that I can't really think of much to do. I've tried Google but with no hope. I can't see cookies being much different, but I don't really want to use them.

Re: $_SESSION Authentication

Posted: Sun Jan 02, 2011 4:38 pm
by lewisp.cox
social_experiment wrote: What happens if you change the code to this?

<?php
session_start();
    if(!isset($_SESSION['username']) ){
        header('location:login.php');
        exit();
    }
?>
This lets me log on now, which is a start, but I have the logout to destroy the session, so that should kill everything.
However, it now lets me bypass the login by typing the url for staffindex which I don't want it to be able to do, which was the whole point in the first place, I'm a little bit confused now.

Re: $_SESSION Authentication

Posted: Sun Jan 02, 2011 6:02 pm
by prefer32bits
Try including a "blocker" in the staff index using the die(string custerr); function.

Re: $_SESSION Authentication

Posted: Mon Jan 03, 2011 12:46 am
by social_experiment
lewisp.cox wrote: However, it now lets me bypass the login by typing the url for staffindex which I don't want it to be able to do, which was the whole point in the first place, I'm a little bit confused now.
If $_SESSION['username'] is set on login it wouldn't be possible to bypass the login. That's exactly what !isset() is supposed to stop. Do you have this 'auth checking code' at the top of each of the pages that can only be accessed by login?
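
The pieces discussed in this thread (setting $_SESSION['username'] at login, checking it at the top of every protected page, and clearing it at logout) put into one shared include, as an added example that is not code from any poster above. The file name auth.php and the function names are assumptions; login.php and the 'username' key come from the thread.

```php
<?php
// auth.php - added example; file and function names are hypothetical.
declare(strict_types=1);

function start_session(): void
{
    // Safe to call more than once per request.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call from login.php only AFTER the submitted credentials have been verified.
function log_in(string $username): void
{
    start_session();
    session_regenerate_id(true);   // fresh session ID at login, defeats session fixation
    $_SESSION['username'] = $username;
}

// Call at the very top of every staff-only page, before any HTML is sent.
function require_login(): void
{
    start_session();
    $user = $_SESSION['username'] ?? null;
    if (!is_string($user) || $user === '') {
        header('Location: login.php');
        exit();                    // without exit() the protected page would still render
    }
}

// Call from the logout page. Clearing $_SESSION matters: session_destroy()
// alone leaves the array populated for the rest of the current request.
function log_out(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Each protected page such as staffindex.php would start with require 'auth.php'; followed by require_login();. If a page can still be reached after logging out, that page is either missing the guard or the logout page never cleared the session the browser is still sending.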