user authentication not working on protected page

aubrey5
Forum Newbie
Posts: 6
Joined: Tue Feb 01, 2011 3:05 pm

user authentication not working on protected page

Post by aubrey5 »

Hello, I am new here! I am new to PHP too. Thanks to some awesome online tutorials I have been able to make a login script that stores username, password and other info in a MySQL database... Everything works but the actual page protection. I have been playing with the code and have tried many different combinations I have found googling and on forums. Below is my most recent code attempt to protect my page. Did I use the posting tags right?

My current code is:

Code: Select all

<?php      
session_start();
//The users login details should be stored either in the post array or session array, if coming from login_form.php page
$username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username'];    
$password = isset($_POST['password']) ? $_POST['password'] : $_SESSION['password'];
//This is if username & pw were not entered during this visit, like if someone typed the address in directly
if(!isset($username)) {    
 ?>

<html>
<body>
<p> This is the members area </p>
</body>
</html>

My result is:

Code: Select all

My protected web page is displayed

I also tried this code:

Code: Select all

<?php
session_start();
if(!isset($_POST['username']) or !isset($_SESSION['username'])) {
	header("Location: login_form.php");
}
else {
 ?>

<html>
<body>
<p> This is the members area </p>
</body>
</html>
<?php } ?>

My result with this code is the same as above, my protected webpage is displayed.

Any help is appreciated! I am not good at debugging yet. I keep thinking there are session variables stuck in there, but my logout seems to work, and I am checking on different days with browsers shut down ...
litebearer
Forum Contributor
Posts: 194
Joined: Sat Mar 27, 2004 5:54 am

Re: user authentication not working on protected page

Post by litebearer »

Perhaps some 'logic - pseudo code'

login.php
(posts to login_process.php)

login_process.php
(if no post values OR post values are bad, redirect to login.php)
else
(values are good, set session variable then redirect to member_area.php)

member_area.php
(if no session variable OR session variable bad; redirect to login)
else
(display member content)
aubrey5
Forum Newbie
Posts: 6
Joined: Tue Feb 01, 2011 3:05 pm

Re: user authentication not working on protected page

Post by aubrey5 »

That is basically what I have going on. The part I haven't been able to get to work is the members_area.php you mention. I can't get it to redirect when session variable is bad or missing. That is what my little bit of code above is trying to do. Do you see a problem with it?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: user authentication not working on protected page

Post by social_experiment »

You shouldn't check if $_POST['username'] is set.

Code: Select all

<?php
session_start();
// change the $_POST['username']
if(!isset($_POST['username']) or !isset($_SESSION['username'])) { 
header("Location: login_form.php");
}
?>

Stop after the 'if', don't go for an else statement. If the conditions of the statement are met, the page will display as usual. If not (no pun) the user will be directed.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
aubrey5
Forum Newbie
Posts: 6
Joined: Tue Feb 01, 2011 3:05 pm

Re: user authentication not working on protected page

Post by aubrey5 »

Thanks for the post, I tried what you said (I think anyway) and my protected page still posts.

My code is

Code: Select all

<?php
session_start();
if(!isset($_SESSION['username'])) { 
header("Location: login_form.php");
}
?>

<html>
<body>
<p> This is the members area</p>
</body>
</html>

My result is:

Code: Select all

This is the members area

Did I take out the correct $_POST you were speaking of?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: user authentication not working on protected page

Post by s.dot »

Put exit; or die(); directly after your header('Location: ...');
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
aubrey5
Forum Newbie
Posts: 6
Joined: Tue Feb 01, 2011 3:05 pm

Re: user authentication not working on protected page

Post by aubrey5 »

Thank you for the suggestion. I tried both the exit; and die(); after header like this

my code:

Code: Select all

<?php
session_start();
if(!isset($_SESSION['username'])) { 
header("Location: login_form.php");
exit;
}
?>

My result:

Code: Select all

Totally blank white page

When I pull the exit; line out, my result is:

Code: Select all

Welcome to the members area

Any other suggestion?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: user authentication not working on protected page

Post by social_experiment »

How do you set the session variables? (Normally it's done after authentication has been successful). Can you paste that code?
aubrey5
Forum Newbie
Posts: 6
Joined: Tue Feb 01, 2011 3:05 pm

Re: user authentication not working on protected page

Post by aubrey5 »

Thanks for looking! No problem ...

Here is my checkuser.php code. This runs when the submit button on my login page is clicked.

Code: Select all

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
	$enter_all = "Please enter ALL of the information.";
	echo "Please enter ALL of the information! <br />";
	include 'login_form.php';
	exit();
}

// Convert password to md5 hash, don't forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
	while($row = mysql_fetch_array($sql)){
	foreach( $row AS $key => $val ){
		$$key = stripslashes( $val );
	}
		// Register some session variables!
		session_register('first_name');
		$_SESSION['first_name'] = $first_name;
		session_register('last_name');
		$_SESSION['last_name'] = $last_name;
		session_register('email_address');
		$_SESSION['email_address'] = $email_address;
		session_register('special_user');
		$_SESSION['user_level'] = $user_level;

	
		mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
		
		//redirect to file login_success.php
		header("Location: login_success.php");
	}
} else {
	$not_loggedin = "You could not be logged in!  Either the username and password do not match or you have not validated your account!";
	echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br />
	Please try again!<br />";
	include 'login_form.php';
}
?>

Code: Select all

Everything works. It authenticates user and brings up login page, you login and see the members area.

And this is my code for my register as a new user page:

Code: Select all

<?

include 'db.php';

// Define post fields into simple variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$business_name = $_POST['business_name'];
$phone = $_POST['phone'];
$tax_id = $_POST['tax_id'];
$username = $_POST['username'];
$password = $_POST['password'];
$info = $_POST['info'];

/* Let's strip some slashes in case the user entered
any escaped characters. */

$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$business_name = stripslashes($business_name);
$phone = stripslashes($phone);
$tax_id = stripslashes($tax_id);
$username = stripslashes($username);
$password = stripslashes($password);
$info = stripslashes($info);


/* Do some error checking on the form posted fields */

if((!$first_name) || (!$last_name) || (!$email_address) || (!$business_name) || (!$phone) || (!$tax_id) || (!$username) || (!$password)){
	$required_info = "You did not submit the following required information!";
	echo 'You did not submit the following required information! <br />';
	if(!$first_name){
		$required_name = "First Name is a required field.  Please enter it below.";
		echo "First Name is a required field. Please enter it below.<br />";
	}
	if(!$last_name){
		$required_lname = "Last Name is a required field. Please enter it below.";
		echo "Last Name is a required field. Please enter it below.<br />";
	}
	if(!$email_address){
		$required_email = "Email Address is a required field. Please enter it below.";
		echo "Email Address is a required field. Please enter it below.<br />";
	}
	if(!$business_name){
		$required_business = "Business Name is a required field. Please enter it below.";
		echo "Business Name is a required field. Please enter it below.<br />";
	}
	if(!$phone){
		$required_phone = "Phone is a required field. Please enter it below.";
		echo "Phone is a required field. Please enter it below.<br />";
	}
	if(!$tax_id){
		$required_tax_id = "Resale # is a required field. Please enter it below.";
		echo "Resale # is a required field. Please enter it below.<br />";
	}
	if(!$username){
		$required_username = "Desired Username is a required field. Please enter it below.";
		echo "Desired Username is a required field. Please enter it below.<br />";
	}
	if(!$password){
		$required_password = "Desired Password is a required field. Please enter it below.";
		echo "Desired Password is a required field. Please enter it below.<br />";
	}
	include 'join.php'; // Show the form again!
	/* End the error checking and if everything is ok, we'll move on to
	 creating the user account */
	exit(); // if the error checking has failed, we'll exit the script!
}
	
/* Let's do some checking and ensure that the user's email address or username
 does not exist in the database */
 
 $sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
 $sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
 $sql_password_check = mysql_query("SELECT password FROM users WHERE password='$password'");
 
 $email_check = mysql_num_rows($sql_email_check);
 $username_check = mysql_num_rows($sql_username_check);
 $password_check = mysql_num_rows($sql_password_check);
 
 if(($email_check > 0) || ($username_check > 0) || ($password_check > 0)){
 	$please_fix = "Please fix the following errors:";
	echo "Please fix the following errors: <br />";
 	if($email_check > 0){
 		$email_used = "Your email address has already been used by another member in our database. Please submit a different Email address!";
		echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!<br />";
 		unset($email_address);
 	}
 	if($username_check > 0){
 		$username_used = "The username you have selected has already been used by another member in our database. Please choose a different Username!";
		echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />";
 		unset($username);
 	}
	if($password_check > 0){
 		$password_used = "The password you have selected has already been used by another member in our database. Please choose a different Password!";
		echo "The password you have selected has already been used by another member in our database. Please choose a different Password!<br />";
 		unset($password);
 	} 	
	include 'join.php'; // Show the form again!
 	exit();  // exit the script so that we do not create this account!
 }
 
/* Everything has passed both error checks that we have done.
It's time to create the account! */

// Encrypt the password, dont forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, business_name, phone, tax_id, username, password, info, signup_date)
		VALUES('$first_name', '$last_name', '$email_address', '$business_name', '$phone', '$tax_id', '$username', '$password', '$info2', now())") or die (mysql_error());

if(!$sql){
	$error = "There has been an error creating your account. Please contact the webmaster.";
	echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
	$userid = mysql_insert_id();

	// Let's mail the user!
	$subject = "Account at My Website!";
	$message = "Dear $first_name $last_name,
	Thank you for registering at our website, http://www.abc.com!
	
	You will recieve an email once your account is approved or declined.  
	
	Upon approval, you will be able to login with the following information:
	
	Username: $username
	Password: $password
	
	Thanks!
	John Doe
	
	This is an automated response, please do not reply!";

	// Let's mail ourselves!
	$subject2 = "Account request at My Website!";
	$message2 = "Hey me,

	You have a wholesale account request to approve.

	Name: $first_name $last_name 
	Email: $email_address
	Business: $business_name
	Phone: $phone
	Tax Id: $tax_id
	Desired username: $username
	Desired password: $password

	To activate their account, click here: http://www.primitive-beginnings.com/members/activate.php?id=$userid&code=$password

	Remember to send them an email letting them know they have been approved.

	Thanks,
	Me :)";

	mail($email_address, $subject, $message, "From: Webmaster<myemail@mywebsite.com>\nX-Mailer: PHP/" . phpversion());
	mail("myemail@mywebsite.com", $subject2, $message2, "From: Webmaster<myemail@mywebsite.com>\nX-Mailer: PHP/" . phpversion());

	echo 'Your account information has been mailed to your email address! Please check it and follow the directions!';
}

?>

Code: Select all

Everything works here too. The account is entered into database, the emails go out, I activate account, they can login.

That is a lot of code to look at!
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: user authentication not working on protected page

Post by social_experiment »

Code: Select all

!isset($_SESSION['username'])

You check for the existence of this variable but you never set it.

Code: Select all

session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('special_user');
$_SESSION['user_level'] = $user_level;
aubrey5
Forum Newbie
Posts: 6
Joined: Tue Feb 01, 2011 3:05 pm

Re: user authentication not working on protected page

Post by aubrey5 »

Okay, so should I set the session variable in the same spot as other like this?

checkuser.php

Code: Select all

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
	$enter_all = "Please enter ALL of the information.";
	echo "Please enter ALL of the information! <br />";
	include 'login_form.php';
	exit();
}

// Convert password to md5 hash, don't forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
	while($row = mysql_fetch_array($sql)){
	foreach( $row AS $key => $val ){
		$$key = stripslashes( $val );
	}
		// Register some session variables!
		session_register('first_name');
		$_SESSION['first_name'] = $first_name;
		session_register('last_name');
		$_SESSION['last_name'] = $last_name;
		session_register('email_address');
		$_SESSION['email_address'] = $email_address;
		session_register('special_user');
		$_SESSION['user_level'] = $user_level;

		session_register('username');
		$_SESSION['username'] = $username;
		session_register('password');
		$_SESSION['password'] = $password;

		mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
		
		//redirect to file login_success.php
		header("Location: login_success.php");
	}
} else {
	$not_loggedin = "You could not be logged in!  Either the username and password do not match or you have not validated your account!";
	echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br />
	Please try again!<br />";
	include 'login_form.php';
}
?>
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: user authentication not working on protected page

Post by social_experiment »

aubrey5 wrote: Okay, so should I set the session variable in the same spot as other like this?

Yes. At the moment your script is looking for $_SESSION['username'] which is not set so the script does the logical thing which is to redirect the user if that specific variable is not set.
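The two fixes the thread arrives at (stop the script after the redirect header, and set the session key the guard checks once authentication succeeds), put together as an added example that is not code from any poster in the thread. Assumptions: an in-memory SQLite table stands in for the MySQL `users` table, the `password_hash` column and the function names `log_in` and `guard` are hypothetical, and the password is stored hashed and looked up through a bound parameter rather than interpolated into the query as in checkuser.php.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the thread's MySQL `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, activated INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?, 1)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// checkuser.php side (hypothetical helper): fills the session only after a verified login.
function log_in(PDO $db, array &$session, string $username, string $password): bool
{
    // The username travels as a bound parameter, never as part of the SQL text.
    $q = $db->prepare(
        'SELECT username, password_hash FROM users WHERE username = ? AND activated = 1'
    );
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // In a real request, call session_regenerate_id(true) at this point.
    // Set exactly the key the protected page tests; the password is not kept in the session.
    $session['username'] = $row['username'];
    return true;
}

// Protected page side (hypothetical helper): redirect target, or null if the page may be shown.
function guard(array $session): ?string
{
    return isset($session['username']) ? null : 'login_form.php';
}

// On the protected page this goes at the very top, before any output or blank line:
//   session_start();
//   if (($to = guard($_SESSION)) !== null) {
//       header("Location: $to");
//       exit; // without this the members markup is still sent after the header
//   }

$session = [];                                    // stands in for $_SESSION
var_dump(guard($session));                        // visitor who never logged in
var_dump(log_in($db, $session, 'alice', 'wrong password'));
var_dump(guard($session));                        // failed login leaves the session empty
var_dump(log_in($db, $session, 'alice', 'correct horse'));
var_dump(guard($session));                        // logged-in visitor
```

Run from the command line with the pdo_sqlite extension enabled; the helpers take the session array as a parameter so the flow can be exercised without a web server.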