session: login admin and user
Posted: Wed Dec 14, 2011 8:08 am
Hi!
I am trying to make a login script for admins and users. I don't want users to be able to access any of the admin pages, and at the moment I don't want admins to be able to access the user pages either. I have tried to figure out a way myself, since I haven't found any good explanations on the internet that I can understand, as English isn't my native language.
I have written a script that is close to what I want, but there are some issues. I also think that there is a much better way than mine, because I have only used logic (well, my logic anyway) with the knowledge I have, and I really don't know how to do this right.
Here is what I have done:
MySQL
A database "dbdatabase" and a table "users" with these fields: id, username, password and usertype. In the field usertype I put either "admin" or "user", without the quotes.
index.php
A login form that calls login.php in its action attribute.
[inline]
<form method="post" action="login.php">
<h4>Logga in</h4>
Användarnamn:<br> <input type="text" name="username"><br>
Lösenord: <br><input type="password" name="password"><br>
<input type="submit" name="submit" value="Logga in!"><br>
</form>
[/inline]
login.php
Code:
<?php
if (isset($_POST['submit'])) {
    mysql_connect('dbhost', 'dbuser', 'dbpass') or die(mysql_error());
    mysql_select_db('dbdatabase') or die(mysql_error());
    // Escape the form value before it goes into the SQL string; unescaped
    // input here lets a visitor change the meaning of the query.
    $username = mysql_real_escape_string($_POST['username']);
    $password = $_POST['password'];
    $password = md5($password); // unsalted md5 is weak for passwords; password_hash() is the modern replacement
    $isAdmin = mysql_query("SELECT username FROM users WHERE username='$username' AND password='$password' AND usertype = 'admin'");
    $loginAdmin = mysql_num_rows($isAdmin);
    $isUser = mysql_query("SELECT username FROM users WHERE username='$username' AND password='$password' AND usertype = 'user'");
    $loginUser = mysql_num_rows($isUser);
    if ($loginAdmin == 1) {
        session_start();
        $_SESSION['username'] = $username;
        header("Location: admin/index.php");
        exit; // stop here so nothing below runs after the redirect
    }
    else if ($loginUser == 1) {
        session_start();
        $_SESSION['username'] = $username;
        header("Location: user/index.php");
        exit;
    }
    else { // the original tested an undefined $login here; neither query matched
        header("Location: index.php"); //How can I write an error message at the top of the form?
        exit;
    }
}
?>
admin.php
Code:
<?php
session_start();
// Use '' when nobody is logged in, so the check below doesn't read an unset key.
$lia = isset($_SESSION['username']) ? $_SESSION['username'] : '';
mysql_connect('dbhost', 'dbuser', 'dbpass') or die(mysql_error());
mysql_select_db('dbdatabase') or die(mysql_error());
$checkAdmin = mysql_query("SELECT username FROM users WHERE username='" . mysql_real_escape_string($lia) . "' AND usertype = 'admin'");
$sessionAdmin = mysql_num_rows($checkAdmin); // 1 if this username is an admin, otherwise 0
if ($lia == '') {
    die("<a href='../?p=index'>Logga in först</a>");
}
// Note: $sessionAdmin is an integer (0 or 1), not the string 'admin'. In PHP 5 the
// loose comparison 0 == 'admin' is true and 1 == 'admin' is false, so this branch
// runs for everyone who is NOT an admin. PHP 8 changed that rule: there 0 == 'admin' is false.
else if ($sessionAdmin == 'admin') {
    die("<a href='../?p=index'>Logga in som admin först</a>");
}
?>
user.php
Code:
<?php
session_start();
$lia = isset($_SESSION['username']) ? $_SESSION['username'] : '';
mysql_connect('dbhost', 'dbuser', 'dbpass') or die(mysql_error());
mysql_select_db('dbdatabase') or die(mysql_error());
// The original was missing the opening quote around user in this query.
$checkUser = mysql_query("SELECT username FROM users WHERE username='" . mysql_real_escape_string($lia) . "' AND usertype = 'user'");
$sessionUser = mysql_num_rows($checkUser); // 1 if this username is a user, otherwise 0
if ($lia == '') {
    die("<a href='../?p=index'>Logga in först</a>");
}
// Same loose comparison as in admin.php: in PHP 5, 0 == 'user' is true, so this
// branch runs for everyone who is NOT a regular user.
else if ($sessionUser == 'user') {
    die("<a href='../?p=index'>Logga in först</a>");
}
?>
When I use this script, logged-in users arrive at user/index.php and can't access admin/index.php, and admins arrive at admin/index.php and can't access user/index.php. This is exactly what I want to accomplish, but I also want to block access for users to all the pages in the admin folder, and that doesn't work now.
In admin/index.php I have a couple of div tags: "header", "leftmenu" with links, and "content" where the links will be shown. I don't know if this is necessary, but here is the code that resides in the content box:
Code:
<?php
// Keep only the file name part of p, so a value containing "../" can't reach
// files outside this folder (the original used $_GET['p'] unchanged in the path).
// A fixed list of allowed page names would be the stronger check.
$page = isset($_GET['p']) ? basename($_GET['p']) : '';
if ($page != '' && file_exists($page . ".php")) {
    include($page . ".php");
}
else {
    if ($page == '') {
        include("profil.php");
    }
    else {
        include("404.php");
    }
}
?>
admin/profil.php is the main file that shows up in the content box, as you can see above, and I tried to put the same code in profil.php as I did in admin/index.php, but I think there should be a simpler way to accomplish this, like a simple piece of code that says "This page can't be shown without admin/index.php", and then put that little code snippet in all the other pages in admin/index.php. How can I do that?
There is another thing that confuses me, and it is the main reason why I don't understand my own code. This part in admin/index.php:
Code:
else if($sessionAdmin == 'admin'){
die("<a href='../?p=index'>Logga in som admin först</a>");
}
It confuses me because, when I worked out this part, I thought like this: else if the user isn't admin, then "die" and show a login link. I wrote the code with != and not == at first because that felt right. The above code tells me that if it is true that the user is admin, then don't let the user in, and that seems strange. Can anyone explain it to me?
Finally, when I press logout while I am logged in as admin, I am not logged out. I have to press the link twice in a row. The issue only happens when I am logged in as admin, not for users. I only use session_start(); and session_destroy(); in logout.php.
I know there are a lot of questions here and maybe I can't get an answer to them all, but thanks in advance!
Suzanne
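The reusable guard the post asks for, as an added example that is not the poster's code: one shared file (called auth.php here, an assumed name) that every page under admin/ and user/ requires, plus an allowlisted version of the content-box include and a logout that works in one click. It assumes PHP 7.1 or later, and that login.php stored both $_SESSION['username'] and $_SESSION['usertype'] ('admin' or 'user') after verifying the password, so the pages no longer query the database to find the role.

```php
<?php
// Added example, not the original poster's code: a shared guard file, e.g.
// auth.php (assumed name), required at the top of every page in admin/ and user/.
// Assumes login.php set $_SESSION['username'] and $_SESSION['usertype'] ('admin' or
// 'user') after verifying the password, so the pages need no second database query.
declare(strict_types=1);

function start_session_once(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}
// Stop the request unless the visitor is logged in with exactly this role.
function require_role(string $role, string $login_url = '../index.php'): void {
    start_session_once();
    $current = $_SESSION['usertype'] ?? null;   // null when nobody is logged in
    if ($current === null) {
        header('Location: ' . $login_url);
        exit;
    }
    if ($current !== $role) {   // strict comparison: no 0 == 'admin' surprises
        http_response_code(403);
        exit('Access denied');
    }
}

// Map ?p=... onto a fixed list of page names instead of building a path from
// user input, so a request can never include a file outside the allowed set.
function resolve_page(?string $p, array $allowed, string $default): string {
    if ($p === null || $p === '') {
        return $default;
    }
    return in_array($p, $allowed, true) ? $p . '.php' : '404.php';
}
// Log out in one request: clear the data, expire the cookie, then destroy.
// session_destroy() alone leaves the cookie and the current $_SESSION in place.
function logout(): void {
    start_session_once();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $c = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $c['path'], $c['domain'], $c['secure'], $c['httponly']);
    }
    session_destroy();
}
// At the top of admin/index.php (and every other file under admin/):
//   require 'auth.php'; require_role('admin');
//   include resolve_page($_GET['p'] ?? null, ['profil'], 'profil.php');
```

The same two lines with require_role('user') go at the top of every file under user/, which replaces the per-page database lookup and the comparison of a row count with the string 'admin'.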