user authentication not working on protected page
Posted: Fri Feb 04, 2011 11:58 am
by aubrey5
Hello, I am new here! I am new to PHP too. Thanks to some awesome online tutorials I have been able to make a login script that stores the username, password and other info in a MySQL database. Everything works but the actual page protection. I have been playing with the code and have tried many different combinations I have found by googling and on forums. Below is my most recent code attempt to protect my page. Did I use the posting tags right?
My current code is:
Code: Select all
<?php
session_start();
//The users login details should be stored either in the post array or session array, if coming from login_form.php page
//(guarded with isset so an unset session key does not raise an "undefined index" notice)
$username = isset($_POST['username']) ? $_POST['username'] : (isset($_SESSION['username']) ? $_SESSION['username'] : null);
$password = isset($_POST['password']) ? $_POST['password'] : (isset($_SESSION['password']) ? $_SESSION['password'] : null);
//This is if username & pw were not entered during this visit, like if someone typed the address in directly
if(!isset($username)) {
?>
<html>
<body>
<p> This is the members area </p>
</body>
</html>
<?php } // closes the if above so the file parses ?>
My result is:
I also tried this code:
Code: Select all
<?php
session_start();
// missing closing parenthesis added so the condition parses
if(!isset($_POST['username']) or !isset($_SESSION['username'])) {
header("Location: login_form.php");
}
else {
?>
<html>
<body>
<p> This is the members area </p>
</body>
</html>
<?php } // closes the else block ?>
My result with this code is the same as above: my protected webpage is displayed.
Any help is appreciated! I am not good at debugging yet. I keep thinking there are session variables stuck in there, but my logout seems to work, and I am checking on different days with browsers shut down ...
Re: user authentication not working on protected page
Posted: Fri Feb 04, 2011 1:47 pm
by litebearer
Perhaps some 'logic - pseudo code'
login.php
(posts to login_process.php)
login_process.php
(if no post values OR post values are bad, redirect to login.php)
else
(values are good, set session variable then redirect to member_area.php)
member_area.php
(if no session variable OR session variable bad; redirect to login)
else
(display member content)
Re: user authentication not working on protected page
Posted: Sat Feb 05, 2011 9:39 am
by aubrey5
That is basically what I have going on. The part I haven't been able to get to work is the member_area.php you mention. I can't get it to redirect when the session variable is bad or missing. That is what my little bit of code above is trying to do. Do you see a problem with it?
Re: user authentication not working on protected page
Posted: Sat Feb 05, 2011 12:07 pm
by social_experiment
You shouldn't check if $_POST['username'] is set.
Code: Select all
<?php
session_start();
// change the $_POST['username']
// (closing parenthesis added so the condition parses)
if(!isset($_POST['username']) or !isset($_SESSION['username'])) {
header("Location: login_form.php");
}
?>
Stop after the 'if', don't go for an else statement. If the conditions of the statement are met, the page will display as usual. If not (no pun) the user will be directed.
Re: user authentication not working on protected page
Posted: Sat Feb 05, 2011 9:32 pm
by aubrey5
Thanks for the post, I tried what you said (I think anyway) and my protected page still posts.
My code is
Code: Select all
<?php
session_start();
if(!isset($_SESSION['username'])) {
header("Location: login_form.php");
}
?>
<html>
<body>
<p> This is the members area</p>
</body>
</html>
My result is:
Did I take out the correct $_POST you were speaking of?
Re: user authentication not working on protected page
Posted: Sun Feb 06, 2011 12:28 am
by s.dot
Put exit; or die(); directly after your header('Location: ...');
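Putting litebearer's outline and s.dot's exit advice together, the following is an added example of the member-page side of that flow; it is not code posted by anyone in this thread. It assumes the login script has already stored the username in $_SESSION['username'] after a successful credential check, that login_form.php exists as in the thread, and it uses the file names require_login.php and logout.php, which are my assumptions (the thread only says a logout exists). The idle-timeout value is also an assumed policy.

```php
<?php
// ---- file: require_login.php ----
// Include this at the very top of every protected page, before any HTML or
// whitespace is sent; once output has started, header() can no longer redirect.
// Added example, not code from this thread.

session_start();

// login_process.php / checkuser.php is expected to have done, after a good check:
//   $_SESSION['username'] = $username;
// If that key is missing, nothing below this point may run.
if (!isset($_SESSION['username'])) {
    header('Location: login_form.php');
    // Without exit, PHP keeps executing and still sends the members' HTML.
    // The browser follows the redirect, but the protected content has already
    // been transmitted, so anyone reading the raw response sees it.
    exit;
}

// Assumed policy: expire sessions idle for more than 30 minutes.
$idleLimit = 30 * 60;
if (isset($_SESSION['last_activity']) && time() - $_SESSION['last_activity'] > $idleLimit) {
    $_SESSION = [];
    session_destroy();
    header('Location: login_form.php');
    exit;
}
$_SESSION['last_activity'] = time();
?>

<?php
// ---- file: member_area.php ----
require 'require_login.php';   // the guard above; exits unless logged in
?>
<html>
<body>
<p>This is the members area, <?php echo htmlspecialchars($_SESSION['username']); ?>.</p>
<p><a href="logout.php">Log out</a></p>
</body>
</html>

<?php
// ---- file: logout.php ----
session_start();
$_SESSION = [];                          // drop every session variable
if (ini_get('session.use_cookies')) {   // also expire the session cookie in the browser
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();
header('Location: login_form.php');
exit;
```

The three sections are separate files, shown together for reading. The guard is the piece aubrey5's protected page is missing: the redirect header is sent, but without the `exit` the script runs on and emits the page body anyway.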
Re: user authentication not working on protected page
Posted: Sun Feb 06, 2011 9:01 pm
by aubrey5
Thank you for the suggestion. I tried both the exit; and die(); after header like this
my code:
Code: Select all
<?php
session_start();
if(!isset($_SESSION['username'])) {
header("Location: login_form.php");
exit;
}
?>
my result:
When I pull the exit; line out, my result is:
Any other suggestion?
Re: user authentication not working on protected page
Posted: Mon Feb 07, 2011 10:15 am
by social_experiment
How do you set the session variables? (Normally it's done after authentication has been successful). Can you paste that code?
Re: user authentication not working on protected page
Posted: Mon Feb 07, 2011 12:18 pm
by aubrey5
Thanks for looking! No problem ...
Here is my checkuser.php code. This runs when the submit button on my login page is clicked.
Code: Select all
<?php
/* Check User Script */
session_start(); // Start Session
include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];
if((!$username) || (!$password)){
$enter_all = "Please enter ALL of the information.";
echo "Please enter ALL of the information! <br />";
include 'login_form.php';
exit();
}
// Convert password to md5 hash, don't forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);
// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);
if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
$$key = stripslashes( $val );
}
// Register some session variables!
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('special_user');
$_SESSION['user_level'] = $user_level;
mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
//redirect to file login_success.php
header("Location: login_success.php");
}
} else {
$not_loggedin = "You could not be logged in! Either the username and password do not match or you have not validated your account!";
echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br />
Please try again!<br />";
include 'login_form.php';
}
?>
Everything works. It authenticates the user and brings up the login page; you log in and see the members area.
and this is my code for my register as a new user page:
Code: Select all
<?php
include 'db.php';
// Define post fields into simple variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$business_name = $_POST['business_name'];
$phone = $_POST['phone'];
$tax_id = $_POST['tax_id'];
$username = $_POST['username'];
$password = $_POST['password'];
$info = $_POST['info'];
/* Let's strip some slashes in case the user entered
any escaped characters. */
$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$business_name = stripslashes($business_name);
$phone = stripslashes($phone);
$tax_id = stripslashes($tax_id);
$username = stripslashes($username);
$password = stripslashes($password);
$info = stripslashes($info);
/* Do some error checking on the form posted fields */
if((!$first_name) || (!$last_name) || (!$email_address) || (!$business_name) || (!$phone) || (!$tax_id) || (!$username) || (!$password)){
$required_info = "You did not submit the following required information!";
echo 'You did not submit the following required information! <br />';
if(!$first_name){
$required_name = "First Name is a required field. Please enter it below.";
echo "First Name is a required field. Please enter it below.<br />";
}
if(!$last_name){
$required_lname = "Last Name is a required field. Please enter it below.";
echo "Last Name is a required field. Please enter it below.<br />";
}
if(!$email_address){
$required_email = "Email Address is a required field. Please enter it below.";
echo "Email Address is a required field. Please enter it below.<br />";
}
if(!$business_name){
$required_business = "Business Name is a required field. Please enter it below.";
echo "Business Name is a required field. Please enter it below.<br />";
}
if(!$phone){
$required_phone = "Phone is a required field. Please enter it below.";
echo "Phone is a required field. Please enter it below.<br />";
}
if(!$tax_id){
$required_tax_id = "Resale # is a required field. Please enter it below.";
echo "Resale # is a required field. Please enter it below.<br />";
}
if(!$username){
$required_username = "Desired Username is a required field. Please enter it below.";
echo "Desired Username is a required field. Please enter it below.<br />";
}
if(!$password){
$required_password = "Desired Password is a required field. Please enter it below.";
echo "Desired Password is a required field. Please enter it below.<br />";
}
include 'join.php'; // Show the form again!
/* End the error checking and if everything is ok, we'll move on to
creating the user account */
exit(); // if the error checking has failed, we'll exit the script!
}
/* Let's do some checking and ensure that the user's email address or username
does not exist in the database */
$sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password_check = mysql_query("SELECT password FROM users WHERE password='$password'");
$email_check = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);
$password_check = mysql_num_rows($sql_password_check);
if(($email_check > 0) || ($username_check > 0) || ($password_check > 0)){
$please_fix = "Please fix the following errors:";
echo "Please fix the following errors: <br />";
if($email_check > 0){
$email_used = "Your email address has already been used by another member in our database. Please submit a different Email address!";
echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!</strong><br />";
unset($email_address);
}
if($username_check > 0){
$username_used = "The username you have selected has already been used by another member in our database. Please choose a different Username!";
echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />";
unset($username);
}
if($password_check > 0){
$password_used = "The password you have selected has already been used by another member in our database. Please choose a different Password!";
echo "The password you have selected has already been used by another member in our database. Please choose a different Password!<br />";
unset($password);
}
include 'join.php'; // Show the form again!
exit(); // exit the script so that we do not create this account!
}
/* Everything has passed both error checks that we have done.
It's time to create the account! */
// Encrypt the password, dont forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);
// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, business_name, phone, tax_id, username, password, info, signup_date)
VALUES('$first_name', '$last_name', '$email_address', '$business_name', '$phone', '$tax_id', '$username', '$password', '$info2', now())") or die (mysql_error());
if(!$sql){
$error = "There has been an error creating your account. Please contact the webmaster.";
echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
$userid = mysql_insert_id();
// Let's mail the user!
$subject = "Account at My Website!";
$message = "Dear $first_name $last_name,
Thank you for registering at our website, http://www.abc.com!
You will receive an email once your account is approved or declined.
Upon approval, you will be able to login with the following information:
Username: $username
Password: $password
Thanks!
John Doe
This is an automated response, please do not reply!";
// Let's mail ourselves!
$subject2 = "Account request at My Website!";
$message2 = "Hey me,
You have a wholesale account request to approve.
Name: $first_name $last_name
Email: $email_address
Business: $business_name
Phone: $phone
Tax Id: $tax_id
Desired username: $username
Desired password: $password
To activate their account, click here: http://www.primitive-beginnings.com/members/activate.php?id=$userid&code=$password
Remember to send them an email letting them know they have been approved.
Thanks,
Me :)";
mail($email_address, $subject, $message, "From: Webmaster<myemail@mywebsite.com>\nX-Mailer: PHP/" . phpversion());
mail("myemail@mywebsite.com", $subject2, $message2, "From: Webmaster<myemail@mywebsite.com>\nX-Mailer: PHP/" . phpversion());
echo 'Your account information has been mailed to your email address! Please check it and follow the directions!';
}
?>
Everything works here too. The account is entered into the database, the emails go out, I activate the account, and they can log in.
That is a lot of code to look at!
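A hardened counterpart to the registration script above, added here as an example; it is not aubrey5's code and not from the tutorial it came from. It assumes db.php creates a PDO connection in $pdo with exceptions enabled (the thread's db.php uses the old mysql extension, so that is an assumption), an extra users.activation_code column that I am introducing, PHP 7 or later for random_bytes(), and a placeholder host in the activation link in place of the real one. The column names otherwise match the posted INSERT.

```php
<?php
// register.php -- hardened registration step. Added example, not the thread's code.
// Assumes: db.php defines $pdo (PDO, ERRMODE_EXCEPTION); users has the posted
// columns plus an assumed activation_code column; PHP >= 7.
require 'db.php';

$required = ['first_name', 'last_name', 'email_address', 'business_name',
             'phone', 'tax_id', 'username', 'password'];
$fields = [];
$errors = [];
foreach ($required as $name) {
    $value = isset($_POST[$name]) ? trim($_POST[$name]) : '';
    if ($value === '') {
        $errors[] = ucwords(str_replace('_', ' ', $name)) . ' is a required field.';
    }
    $fields[$name] = $value;
}
$fields['info'] = isset($_POST['info']) ? trim($_POST['info']) : '';

if (!filter_var($fields['email_address'], FILTER_VALIDATE_EMAIL)) {
    $errors[] = 'Email address is not valid.';
}
if (strlen($fields['password']) < 12) {          // assumed minimum-length policy
    $errors[] = 'Password must be at least 12 characters.';
}
if ($errors) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e), "<br />\n";   // escape on output
    }
    include 'join.php';
    exit;
}

// Uniqueness applies to username and e-mail only. Never query whether a
// *password* is already in use: that answer tells whoever asks which
// passwords exist in the table.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ? OR email_address = ?');
$stmt->execute([$fields['username'], $fields['email_address']]);
if ($stmt->fetchColumn() > 0) {
    echo 'That username or e-mail address is already registered.<br />';
    include 'join.php';
    exit;
}

// Store a salted hash, never the plaintext. password_hash() generates the salt.
$hash = password_hash($fields['password'], PASSWORD_DEFAULT);
// The activation code is a random token, not the password as in the original mail.
$activationCode = bin2hex(random_bytes(16));

// Prepared statement: user input is bound as values, never spliced into SQL text.
$stmt = $pdo->prepare(
    'INSERT INTO users (first_name, last_name, email_address, business_name, phone,
                        tax_id, username, password, info, activation_code, activated, signup_date)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 0, NOW())'
);
$stmt->execute([
    $fields['first_name'], $fields['last_name'], $fields['email_address'],
    $fields['business_name'], $fields['phone'], $fields['tax_id'],
    $fields['username'], $hash, $fields['info'], $activationCode,
]);
$userid = $pdo->lastInsertId();

// Neither e-mail carries the password. The admin link uses the random code.
$message = "Dear {$fields['first_name']},\n\nYour account request was received. "
         . "You will be e-mailed once it has been approved.\n";
mail($fields['email_address'], 'Account request received', $message,
     "From: Webmaster <myemail@mywebsite.com>\r\n");

$adminMsg = "New account request: username {$fields['username']}, id $userid.\n"
          . "Activate: https://example.invalid/members/activate.php?id=$userid&code=$activationCode\n";
mail('myemail@mywebsite.com', 'Account request', $adminMsg,
     "From: Webmaster <myemail@mywebsite.com>\r\n");

echo 'Your request has been received. You will get an e-mail once it is approved.';
```

The three changes that matter most relative to the posted script: the password is hashed before it reaches the table, every query is a prepared statement instead of a string built from $_POST values, and the activation link and both e-mails no longer contain the password.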
Re: user authentication not working on protected page
Posted: Mon Feb 07, 2011 3:52 pm
by social_experiment
You check for the existence of this variable but you never set it.
Code: Select all
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('special_user');
$_SESSION['user_level'] = $user_level;
Re: user authentication not working on protected page
Posted: Tue Feb 08, 2011 12:07 pm
by aubrey5
Okay, so should I set the session variable in the same spot as the others, like this?
checkuser.php
Code: Select all
<?php
/* Check User Script */
session_start(); // Start Session
include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];
if((!$username) || (!$password)){
$enter_all = "Please enter ALL of the information.";
echo "Please enter ALL of the information! <br />";
include 'login_form.php';
exit();
}
// Convert password to md5 hash, don't forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);
// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);
if($login_check > 0){
while($row = mysql_fetch_array($sql)){
foreach( $row AS $key => $val ){
$$key = stripslashes( $val );
}
// Register some session variables!
session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('special_user');
$_SESSION['user_level'] = $user_level;
session_register('username');
$_SESSION['username'] = $username;
session_register('password');
$_SESSION['password'] = $password;
mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
//redirect to file login_success.php
header("Location: login_success.php");
}
} else {
$not_loggedin = "You could not be logged in! Either the username and password do not match or you have not validated your account!";
echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br />
Please try again!<br />";
include 'login_form.php';
}
?>
Re: user authentication not working on protected page
Posted: Tue Feb 08, 2011 4:28 pm
by social_experiment
aubrey5 wrote: Okay, so should I set the session variable in the same spot as the others, like this?
Yes. At the moment your script is looking for $_SESSION['username'] which is not set so the script does the logical thing which is to redirect the user if that specific variable is not set.
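With the diagnosis settled (the member page checks $_SESSION['username'], so the login script must set it), here is a hardened version of checkuser.php as an added example; it is not aubrey5's or social_experiment's code. It assumes db.php provides a PDO connection in $pdo with exceptions enabled, and that users.password holds a password_hash() value rather than the plaintext the original stores. login_form.php and login_success.php are the thread's own file names; the session keys are the ones the thread's member page reads plus a few I am assuming.

```php
<?php
// checkuser.php -- hardened login check. Added example, not code from this thread.
// Assumes: db.php defines $pdo (PDO, ERRMODE_EXCEPTION); users.password is a
// password_hash() value; column names as in the original SELECT.
session_start();
require 'db.php';

$username = isset($_POST['username']) ? trim($_POST['username']) : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if ($username === '' || $password === '') {
    echo 'Please enter ALL of the information!<br />';
    include 'login_form.php';
    exit;
}

// Prepared statement: the username is bound as a value and never becomes part
// of the SQL text, so a value containing quotes is just a string that matches no row.
$stmt = $pdo->prepare(
    'SELECT userid, username, password, first_name, last_name, email_address, user_level
       FROM users WHERE username = ? AND activated = 1'
);
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a hash even when no row was found, so an unknown username and a
// wrong password take roughly the same time to reject.
$storedHash = $row ? $row['password'] : password_hash('no-such-user', PASSWORD_DEFAULT);
$passwordOk = password_verify($password, $storedHash);

if (!$row || !$passwordOk) {
    // One message for every failure cause; do not say which part was wrong.
    echo 'You could not be logged in! Either the username and password do not match '
       . 'or you have not validated your account!<br />';
    include 'login_form.php';
    exit;
}

// Success: issue a fresh session id so an id handed to the browser before login
// cannot be reused, then store only what the member pages need. The password
// is never placed in the session.
session_regenerate_id(true);
$_SESSION['username']      = $row['username'];   // the key the member page checks
$_SESSION['userid']        = (int) $row['userid'];
$_SESSION['first_name']    = $row['first_name'];
$_SESSION['user_level']    = $row['user_level'];
$_SESSION['last_activity'] = time();

$upd = $pdo->prepare('UPDATE users SET last_login = NOW() WHERE userid = ?');
$upd->execute([$row['userid']]);

header('Location: login_success.php');
exit;   // stop here; nothing after a redirect may run
```

Compared with the posted checkuser.php this sets the key the protected page actually tests, keeps the password out of both the session and the SQL string, and ends the script immediately after the redirect, which is the same `exit` s.dot asked for on the member page.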