Session problem

m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

Hi
I use this code for my accesscontrol file:
accesscontrol.php:

Code: Select all

<?php
session_start();
include_once 'db.php';
include_once 'common.php';
if(isset($_POST['username']))
{
    $username = $_POST['username'];
}
else if(isset($_SESSION['username']))
{
    $username = $_SESSION['username'];
    }
if(isset($_POST['pass']))
{
    $pass = $_POST['pass'];
}
else if(isset($_SESSION['pass']))
{
    $pass = $_SESSION['pass'];
}

if(!isset($username)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="username" size="8" /><br />
    Password: <input type="password" name="pass" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];
dbConnect("articles");
$sql = "SELECT * FROM user WHERE username = '$username' AND pass ='$pass'";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact you@example.com.');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['username']);
  unset($_SESSION['pass']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}
$username = mysql_result($result,0,'username');
?>
Then I wanted to test the session I had set up. I coded these 4 simple pages:
pro1.php:

Code: Select all

<?php
include('accesscontrol.php');
?>
this is pro1<br>
<a href=pro2.php>pro2</a>
pro2.php:

Code: Select all

<?php
include('accesscontrol.php');
?>
this is pro2<br>
<a href=prono.php>prono</a>
prono.php:

Code: Select all

this is prono<br>
<a href=pro3.php>pro3</a>
pro3.php

Code: Select all

<?php
include('accesscontrol.php');
?>
pro3
pro means a protected page and prono means available to everyone. I expected users to be logged in after filling 1 login form, and remain logged in after they visit pro2, prono, and want to view pro3 (a protected page again), but I was not successful. Please help me where I'm wrong?

the current result of the code is:
pro1:
first it is the login form, then the page is shown upon login
After I click on the "pro2" link in pro1.php, this error occurs:

Notice: Undefined index: username in g:\programs(2)\easyphp1-8\www\ha\accesscontrol.php on line 48

Notice: Undefined index: pass in g:\programs(2)\easyphp1-8\www\ha\accesscontrol.php on line 49

Notice: Undefined index: username in g:\programs(2)\easyphp1-8\www\ha\accesscontrol.php on line 51

Notice: Undefined index: pass in g:\programs(2)\easyphp1-8\www\ha\accesscontrol.php on line 52
this is pro2

prono
Then I click on prono and it's OK, of course:
this is prono
pro3

Then I click on the pro3 link and I'm redirected to the login form. How do I fix it?
Thanks
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Only when the form is submitted will the request contain the POST parameters username and pass - only this request.
But you're using them unconditionally, not checking whether the script should process a form submission request or not, here:
$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

That means you may want to look at isset() or empty() to handle checking of those vars.
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

OK. Why am I not logged in when I want to visit pro3, whereas I've submitted the form for visiting pro1? :roll: :?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

volka already told you:
$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

I changed the code to this:
but the user is still asked to log in for pro3

Code: Select all

<?php
session_start();

error_reporting(E_ALL ^ E_NOTICE);
include_once 'db.php';
include_once 'common.php';
if(isset($_POST['username']))
{
    $username = $_POST['username'];
}
else if(isset($_SESSION['username']))
{
    $username = $_SESSION['username'];
    }
if(isset($_POST['pass']))
{
    $pass = $_POST['pass'];
}
else if(isset($_SESSION['pass']))
{
    $pass = $_SESSION['pass'];
}
if(!isset($username)) {

dbConnect("articles");
$sql = "SELECT * FROM user WHERE username = '$username' AND pass ='$pass'";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact you@example.com.');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['username']);
  unset($_SESSION['pass']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
<?php
  exit;
}

}
if(!isset($username)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="username" size="8" /><br />
    Password: <input type="password" name="pass" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];

dbConnect("articles");
$sql = "SELECT * FROM user WHERE username = '$username' AND pass ='$pass'";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact you@example.com.');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['username']);
  unset($_SESSION['pass']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}
$username = mysql_result($result,0,'username');
?>
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

The code in question is still in there without any change.

Please think about what you've changed.
if(!isset($username)) {

dbConnect("articles");
$sql = "SELECT * FROM user WHERE username = '$username' AND pass ='$pass'";
$result = mysql_query($sql)
If there is no variable $username, ask the database for records having the value of $username in one of the fields. Doesn't make much sense, does it? ;)
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

Oops!
There are 2 if(!isset($username)) in the code above. The first one should have been if(isset($username)).
Then if there is either a form submission or a session variable, it will be checked, and if not, the login form will be presented.
But the problem is something else.
pro1.php, pro2.php and pro3.php are 3 protected pages (they include access.php).
pro1 has a link to pro2 and pro2 has a link to pro3.
When the user wants to visit pro1, he is asked to log in. Then he accesses the page and clicks pro2 to go to pro2.php. It's OK; he is redirected to pro2.php with no problem.
But pro2.php has a link to pro3.php. The user clicks that link but he is asked to log in. Why?
I don't want my users to log in for any single page they want to visit :cry: :cry:
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You are still doing this:

Code: Select all

$_SESSION['username'] = $_POST['username']; 
$_SESSION['pass'] = $_POST['pass']; 

$username = $_POST['username']; 
$pass = $_POST['pass'];
Until that is squared with you are going to have the same problem.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

This thread is incredibly entertaining. ^_^
m2babaey wrote: But the problem is something else.
Or maybe, just maybe, you're using undefined values. :wink:
m2babaey
Forum Contributor
Posts: 364
Joined: Sun May 20, 2007 9:26 am

Post by m2babaey »

You are still doing this:

Code: Select all

$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];
Until that is squared with you are going to have the same problem.
How do I fix it?
Thanks for your help
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Comment it out and try it. ;)
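
An added example, not part of the thread and not any poster's code: an access check that reads the POST fields only on the request that actually submits the form and answers every later request from the session, replayed here for the pro1, pro2, pro3 sequence. The function name authenticate, PDO with an in-memory SQLite database, the user alice, and a pass column holding password_hash() output are assumptions of this example; it also binds the username as a query parameter and keeps the password out of the session, unlike the code posted above.

```php
<?php
// Added example, not code from the thread. Assumes PDO and a `user` table whose
// `pass` column holds password_hash() output (the thread's table is compared as plaintext).

/**
 * Returns the logged-in username, or null when the login form must be shown.
 * $post and $session stand in for $_POST and $_SESSION so the request
 * sequence can be replayed from the command line.
 */
function authenticate(PDO $db, array $post, array &$session): ?string
{
    // Only a form submission carries username/pass, so read them only then.
    if (is_string($post['username'] ?? null) && is_string($post['pass'] ?? null)) {
        // Bound parameter instead of interpolating request data into the SQL.
        $stmt = $db->prepare('SELECT username, pass FROM user WHERE username = ?');
        $stmt->execute([$post['username']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !password_verify($post['pass'], $row['pass'])) {
            unset($session['username']);   // a failed login clears any old state
            return null;
        }
        // In the real include file, call session_regenerate_id(true) here.
        $session['username'] = $row['username'];   // the password is never stored
    }
    // Every later request (pro2.php, pro3.php) is answered from the session.
    return $session['username'] ?? null;
}

// Constructed sample data: in-memory SQLite with a single user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO user VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$session = [];   // plays the role of $_SESSION across the requests below
$requests = [
    'pro1.php (no form yet)' => [],
    'pro1.php (form posted)' => ['username' => 'alice', 'pass' => 'correct horse'],
    'pro2.php (link click)'  => [],
    'pro3.php (link click)'  => [],
];
foreach ($requests as $page => $post) {
    $user = authenticate($db, $post, $session);
    echo $page, ': ', $user === null ? 'show login form' : "access as $user", "\n";
}
```

In a real accesscontrol.php the two arrays would be $_POST and $_SESSION after session_start(), and a null result would print the login form and exit.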