user authentication not working on protected page

Posted: Fri Feb 04, 2011 11:58 am
by aubrey5
Hello, I am new here! I am new to PHP too. Thanks to some awesome online tutorials I have been able to make a login script that stores username, password and other info in a MySQL database... Everything works but the actual page protection. I have been playing with the code and have tried many different combinations I have found googling and on forums. Below is my most recent code attempt to protect my page. Did I use the posting tags right?

My current code is:

<?php      
session_start();
//The users login details should be stored either in the post array or session array, if coming from login_form.php page
$username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username'];    
$password = isset($_POST['password']) ? $_POST['password'] : $_SESSION['password'];
//This is if username & pw were not entered during this visit, like if someone typed the address in directly
if(!isset($username)) {    
 ?>

<html>
<body>
<p> This is the members area </p>
</body>
</html>
My result is:

My protected web page is displayed
I also tried this code:

<?php
session_start();
if(!isset($_POST['username']) or !isset($_SESSION['username'])) {
	header("Location: login_form.php");
}
else { 
 ?>

<html>
<body>
<p> This is the members area </p>
</body>
</html>

my result with this code is the same as above, my protected webpage is displayed

Any help is appreciated! I am not good at debugging yet. I keep thinking there are session variables stuck in there, but my logout seems to work, and I am checking on different days with browsers shut down ...

Re: user authentication not working on protected page

Posted: Fri Feb 04, 2011 1:47 pm
by litebearer
Perhaps some 'logic - pseudo code'

login.php
(posts to login_process.php)

login_process.php
(if no post values OR post values are bad, redirect to login.php)
else
(values are good, set session variable then redirect to member_area.php)

member_area.php
(if no session variable OR session variable bad; redirect to login)
else
(display member content)

Re: user authentication not working on protected page

Posted: Sat Feb 05, 2011 9:39 am
by aubrey5
That is basically what I have going on. The part I haven't been able to get to work is the members_area.php you mention. I can't get it to redirect when the session variable is bad or missing. That is what my little bit of code above is trying to do. Do you see a problem with it?

Re: user authentication not working on protected page

Posted: Sat Feb 05, 2011 12:07 pm
by social_experiment
You shouldn't check if $_POST['username'] is set.

<?php
session_start();
// change the $_POST['username']
if(!isset($_POST['username']) or !isset($_SESSION['username'])) {
header("Location: login_form.php");
}
?>
Stop after the 'if', don't go for an else statement. If the conditions of the statement are met, the page will display as usual. If not (no pun) the user will be directed.

Re: user authentication not working on protected page

Posted: Sat Feb 05, 2011 9:32 pm
by aubrey5
Thanks for the post, I tried what you said (I think anyway) and my protected page still posts.

My code is

<?php
session_start();
if(!isset($_SESSION['username'])) { 
header("Location: login_form.php");
}
?>

<html>
<body>
<p> This is the members area</p>
</body>
</html>
My result is:

This is the members area
Did I take out the correct $_POST you were speaking of?

Re: user authentication not working on protected page

Posted: Sun Feb 06, 2011 12:28 am
by s.dot
Put exit; or die(); directly after your header('Location: ...');

Re: user authentication not working on protected page

Posted: Sun Feb 06, 2011 9:01 pm
by aubrey5
Thank you for the suggestion. I tried both the exit; and die(); after header like this

my code:

<?php
session_start();
if(!isset($_SESSION['username'])) { 
header("Location: login_form.php");
exit;
}
?>
my result:

Totally blank white page
When I pull the exit; line out, my result is :

Code: Select all

Welcome to the members area
Any other suggestion?

Re: user authentication not working on protected page

Posted: Mon Feb 07, 2011 10:15 am
by social_experiment
How do you set the session variables? (Normally it's done after authentication has been successful). Can you paste that code?

Re: user authentication not working on protected page

Posted: Mon Feb 07, 2011 12:18 pm
by aubrey5
Thanks for looking! No problem ...

Here is my checkuser.php code. This runs when the submit button on my login page is clicked.

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
	$enter_all = "Please enter ALL of the information.";
	echo "Please enter ALL of the information! <br />";
	include 'login_form.php';
	exit();
}

// Convert password to md5 hash, don't forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
	while($row = mysql_fetch_array($sql)){
	foreach( $row AS $key => $val ){
		$$key = stripslashes( $val );
	}
		// Register some session variables!
		session_register('first_name');
		$_SESSION['first_name'] = $first_name;
		session_register('last_name');
		$_SESSION['last_name'] = $last_name;
		session_register('email_address');
		$_SESSION['email_address'] = $email_address;
		session_register('special_user');
		$_SESSION['user_level'] = $user_level;

	
		mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
		
		//redirect to file login_success.php
		header("Location: login_success.php");
	}
} else {
	$not_loggedin = "You could not be logged in!  Either the username and password do not match or you have not validated your account!";
	echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br />
	Please try again!<br />";
	include 'login_form.php';
}
?>

Everything works. It authenticates the user and brings up the login page; you log in and see the members area.
and this is my code for my register as a new user page:

<?

include 'db.php';

// Define post fields into simple variables
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email_address = $_POST['email_address'];
$business_name = $_POST['business_name'];
$phone = $_POST['phone'];
$tax_id = $_POST['tax_id'];
$username = $_POST['username'];
$password = $_POST['password'];
$info = $_POST['info'];

/* Let's strip some slashes in case the user entered
any escaped characters. */

$first_name = stripslashes($first_name);
$last_name = stripslashes($last_name);
$email_address = stripslashes($email_address);
$business_name = stripslashes($business_name);
$phone = stripslashes($phone);
$tax_id = stripslashes($tax_id);
$username = stripslashes($username);
$password = stripslashes($password);
$info = stripslashes($info);


/* Do some error checking on the form posted fields */

if((!$first_name) || (!$last_name) || (!$email_address) || (!$business_name) || (!$phone) || (!$tax_id) || (!$username) || (!$password)){
	$required_info = "You did not submit the following required information!";
	echo 'You did not submit the following required information! <br />';
	if(!$first_name){
		$required_name = "First Name is a required field.  Please enter it below.";
		echo "First Name is a required field. Please enter it below.<br />";
	}
	if(!$last_name){
		$required_lname = "Last Name is a required field. Please enter it below.";
		echo "Last Name is a required field. Please enter it below.<br />";
	}
	if(!$email_address){
		$required_email = "Email Address is a required field. Please enter it below.";
		echo "Email Address is a required field. Please enter it below.<br />";
	}
	if(!$business_name){
		$required_business = "Business Name is a required field. Please enter it below.";
		echo "Business Name is a required field. Please enter it below.<br />";
	}
	if(!$phone){
		$required_phone = "Phone is a required field. Please enter it below.";
		echo "Phone is a required field. Please enter it below.<br />";
	}
	if(!$tax_id){
		$required_tax_id = "Resale # is a required field. Please enter it below.";
		echo "Resale # is a required field. Please enter it below.<br />";
	}
	if(!$username){
		$required_username = "Desired Username is a required field. Please enter it below.";
		echo "Desired Username is a required field. Please enter it below.<br />";
	}
	if(!$password){
		$required_password = "Desired Password is a required field. Please enter it below.";
		echo "Desired Password is a required field. Please enter it below.<br />";
	}
	include 'join.php'; // Show the form again!
	/* End the error checking and if everything is ok, we'll move on to
	 creating the user account */
	exit(); // if the error checking has failed, we'll exit the script!
}
	
/* Let's do some checking and ensure that the user's email address or username
 does not exist in the database */
 
 $sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
 $sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
 $sql_password_check = mysql_query("SELECT password FROM users WHERE password='$password'");
 
 $email_check = mysql_num_rows($sql_email_check);
 $username_check = mysql_num_rows($sql_username_check);
 $password_check = mysql_num_rows($sql_password_check);
 
 if(($email_check > 0) || ($username_check > 0) || ($password_check > 0)){
 	$please_fix = "Please fix the following errors:";
	echo "Please fix the following errors: <br />";
 	if($email_check > 0){
 		$email_used = "Your email address has already been used by another member in our database. Please submit a different Email address!";
		echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!<br />";
 		unset($email_address);
 	}
 	if($username_check > 0){
 		$username_used = "The username you have selected has already been used by another member in our database. Please choose a different Username!";
		echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />";
 		unset($username);
 	}
	if($password_check > 0){
 		$password_used = "The password you have selected has already been used by another member in our database. Please choose a different Password!";
		echo "The password you have selected has already been used by another member in our database. Please choose a different Password!<br />";
 		unset($password);
 	} 	
	include 'join.php'; // Show the form again!
 	exit();  // exit the script so that we do not create this account!
 }
 
/* Everything has passed both error checks that we have done.
It's time to create the account! */

// Encrypt the password, dont forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, business_name, phone, tax_id, username, password, info, signup_date)
		VALUES('$first_name', '$last_name', '$email_address', '$business_name', '$phone', '$tax_id', '$username', '$password', '$info2', now())") or die (mysql_error());

if(!$sql){
	$error = "There has been an error creating your account. Please contact the webmaster.";
	echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
	$userid = mysql_insert_id();

	// Let's mail the user!
	$subject = "Account at My Website!";
	$message = "Dear $first_name $last_name,
	Thank you for registering at our website, http://www.abc.com!
	
	You will recieve an email once your account is approved or declined.  
	
	Upon approval, you will be able to login with the following information:
	
	Username: $username
	Password: $password
	
	Thanks!
	John Doe
	
	This is an automated response, please do not reply!";

	// Let's mail ourselves!
	$subject2 = "Account request at My Website!";
	$message2 = "Hey me,

	You have a wholesale account request to approve.

	Name: $first_name $last_name 
	Email: $email_address
	Business: $business_name
	Phone: $phone
	Tax Id: $tax_id
	Desired username: $username
	Desired password: $password

	To activate their account, click here: http://www.primitive-beginnings.com/members/activate.php?id=$userid&code=$password

	Remember to send them an email letting them know they have been approved.

	Thanks,
	Me :)";

	mail($email_address, $subject, $message, "From: Webmaster<myemail@mywebsite.com>\nX-Mailer: PHP/" . phpversion());
	mail("myemail@mywebsite.com", $subject2, $message2, "From: Webmaster<myemail@mywebsite.com>\nX-Mailer: PHP/" . phpversion());

	echo 'Your account information has been mailed to your email address! Please check it and follow the directions!';
}

?>

Everything works here too. The account is entered into the database, the emails go out, I activate the account, and they can log in.
That is a lot of code to look at!

Re: user authentication not working on protected page

Posted: Mon Feb 07, 2011 3:52 pm
by social_experiment

!isset($_SESSION['username'])
You check for the existence of this variable but you never set it.

session_register('first_name');
$_SESSION['first_name'] = $first_name;
session_register('last_name');
$_SESSION['last_name'] = $last_name;
session_register('email_address');
$_SESSION['email_address'] = $email_address;
session_register('special_user');
$_SESSION['user_level'] = $user_level;

Re: user authentication not working on protected page

Posted: Tue Feb 08, 2011 12:07 pm
by aubrey5
Okay, so should I set the session variable in the same spot as the others, like this?

checkuser.php

<?
/* Check User Script */
session_start();  // Start Session

include 'db.php';
// Convert to simple variables
$username = $_POST['username'];
$password = $_POST['password'];

if((!$username) || (!$password)){
	$enter_all = "Please enter ALL of the information.";
	echo "Please enter ALL of the information! <br />";
	include 'login_form.php';
	exit();
}

// Convert password to md5 hash, don't forget to change $password to $encrypt_password in the sql query below
//$encrypt_password = md5($password);

// check if the user info validates the db
$sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'");
$login_check = mysql_num_rows($sql);

if($login_check > 0){
	while($row = mysql_fetch_array($sql)){
	foreach( $row AS $key => $val ){
		$$key = stripslashes( $val );
	}
		// Register some session variables!
		session_register('first_name');
		$_SESSION['first_name'] = $first_name;
		session_register('last_name');
		$_SESSION['last_name'] = $last_name;
		session_register('email_address');
		$_SESSION['email_address'] = $email_address;
		session_register('special_user');
		$_SESSION['user_level'] = $user_level;

		session_register('username');
		$_SESSION['username'] = $username;
		session_register('password');
		$_SESSION['password'] = $password;

		mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'");
		
		//redirect to file login_success.php
		header("Location: login_success.php");
	}
} else {
	$not_loggedin = "You could not be logged in!  Either the username and password do not match or you have not validated your account!";
	echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br />
	Please try again!<br />";
	include 'login_form.php';
}
?>

Re: user authentication not working on protected page

Posted: Tue Feb 08, 2011 4:28 pm
by social_experiment
aubrey5 wrote: Okay, so should I set the session variable in the same spot as the others, like this?
Yes. At the moment your script is looking for $_SESSION['username'] which is not set so the script does the logical thing which is to redirect the user if that specific variable is not set.
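Putting the thread's advice together (set $_SESSION['username'] when the login succeeds, check for it on the protected page, and exit right after the redirect), here is an added example written for this edit, not the thread's code; two files are shown in one block. It assumes db.php provides a mysqli connection $db, the users table columns seen in checkuser.php, and a password column holding password_hash() output rather than the plaintext the posted scripts store; it also swaps the string-built queries for prepared statements.

```php
<?php
// ---- login_process.php (name from litebearer's outline; receives the login form POST) ----
session_start();
require 'db.php';                  // assumed to provide $db, an open mysqli connection

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    header('Location: login_form.php');
    exit;                          // header() alone does not stop the script
}

// Prepared statement: the submitted values never become part of the SQL text
$stmt = $db->prepare('SELECT userid, password FROM users WHERE username = ? AND activated = 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// Assumes the password column stores password_hash() output, not the plaintext
if ($row === null || !password_verify($password, $row['password'])) {
    header('Location: login_form.php?error=1');
    exit;
}

session_regenerate_id(true);       // fresh session id once authenticated (blocks session fixation)
$_SESSION['username'] = $username; // the key member_area.php checks
$_SESSION['userid']   = $row['userid'];
// The password is deliberately not copied into the session

$upd = $db->prepare('UPDATE users SET last_login = NOW() WHERE userid = ?');
$upd->bind_param('i', $row['userid']);
$upd->execute();

header('Location: member_area.php');
exit;

// ---- member_area.php ----
session_start();
if (!isset($_SESSION['username'])) {
    header('Location: login_form.php');
    exit;                          // without this the HTML below is still sent to the browser
}
// header() only works if nothing (not even a blank line before the opening tag) has been output yet
?>
<html><body>
<p>This is the members area, <?= htmlspecialchars($_SESSION['username']) ?></p>
</body></html>
```

The md5() line the posted scripts leave commented out would store a fast, unsalted hash; password_hash() and password_verify() are the current PHP way to store and check a password.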