Session problem

Posted: Tue Jun 05, 2007 1:34 am
by m2babaey
Hi
I use this code for my accesscontrol file:
accesscontrol.php:

Code:

<?php
session_start();
include_once 'db.php';
include_once 'common.php';
if(isset($_POST['username']))
{
    $username = $_POST['username'];
}
else if(isset($_SESSION['username']))
{
    $username = $_SESSION['username'];
    }
if(isset($_POST['pass']))
{
    $pass = $_POST['pass'];
}
else if(isset($_SESSION['pass']))
{
    $pass = $_SESSION['pass'];
}

if(!isset($username)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="username" size="8" /><br />
    Password: <input type="password" name="pass" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];
dbConnect("articles");
$sql = "SELECT * FROM user WHERE username = '$username' AND pass ='$pass'";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact you@example.com.');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['username']);
  unset($_SESSION['pass']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}
$username = mysql_result($result,0,'username');
?>
Then I wanted to test the session I had set up. I coded these 4 simple pages:
pro1.php:

Code:

<?php
include('accesscontrol.php');
?>
this is pro1<br>
<a href=pro2.php>pro2</a>
pro2.php:

Code:

<?php
include('accesscontrol.php');
?>
this is pro2<br>
<a href=prono.php>prono</a>
prono.php:

Code:

this is prono<br>
<a href=pro3.php>pro3</a>
pro3.php

Code:

<?php
include('accesscontrol.php');
?>
pro3
pro means a protected page and prono means available to everyone. I expected users to be logged in after filling in 1 login form, and to remain logged in after they visit pro2, prono, and want to view pro3 (a protected page again), but I was not successful. Please help me, where am I wrong?

The current result of the code is:
pro1:
First it is the login form, then the page is shown upon login.
After I click on the "pro2" link in pro1.php, this error occurs:

Notice: Undefined index: username in g:\programs(2)\easyphp1-8\www\ha\accesscontrol.php on line 48

Notice: Undefined index: pass in g:\programs(2)\easyphp1-8\www\ha\accesscontrol.php on line 49

Notice: Undefined index: username in g:\programs(2)\easyphp1-8\www\ha\accesscontrol.php on line 51

Notice: Undefined index: pass in g:\programs(2)\easyphp1-8\www\ha\accesscontrol.php on line 52
this is pro2

prono
Then I click on prono and it's OK, of course:
this is prono
pro3

Then I click on the pro3 link and I'm redirected to the login form. How do I fix it?
Thanks

Posted: Tue Jun 05, 2007 5:14 am
by volka
Only when the form is submitted will the request contain the post parameters username and pass - only this request.
But you're using them unconditionally, not checking whether the script should process a form submission request or not, here:
$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];

Posted: Tue Jun 05, 2007 11:15 am
by RobertGonzalez
That means you may want to look at isset() or empty() to handle checking of those vars.

Posted: Tue Jun 05, 2007 1:59 pm
by m2babaey
OK. Why am I not logged in when I want to visit pro3, whereas I've submitted the form for visiting pro1? :roll: :?

Posted: Tue Jun 05, 2007 2:01 pm
by RobertGonzalez
volka already told you:
$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];

Posted: Tue Jun 05, 2007 8:05 pm
by m2babaey
I changed the code to this,
but the user is still asked to log in for pro3:

Code:

<?php
session_start();

error_reporting(E_ALL ^ E_NOTICE);
include_once 'db.php';
include_once 'common.php';
if(isset($_POST['username']))
{
    $username = $_POST['username'];
}
else if(isset($_SESSION['username']))
{
    $username = $_SESSION['username'];
    }
if(isset($_POST['pass']))
{
    $pass = $_POST['pass'];
}
else if(isset($_SESSION['pass']))
{
    $pass = $_SESSION['pass'];
}
if(!isset($username)) {

dbConnect("articles");
$sql = "SELECT * FROM user WHERE username = '$username' AND pass ='$pass'";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact you@example.com.');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['username']);
  unset($_SESSION['pass']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
<?php
  exit;
}

}
if(!isset($username)) {
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Please Log In for Access </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Login Required </h1>
  <p>You must log in to access this area of the site. If you are
     not a registered user, <a href="signup.php">click here</a>
     to sign up for instant access!</p>
  <p><form method="post" action="<?=$_SERVER['PHP_SELF']?>">
    User ID: <input type="text" name="username" size="8" /><br />
    Password: <input type="password" name="pass" SIZE="8" /><br />
    <input type="submit" value="Log in" />
  </form></p>
  </body>
  </html>
  <?php
  exit;
}

$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];

dbConnect("articles");
$sql = "SELECT * FROM user WHERE username = '$username' AND pass ='$pass'";
$result = mysql_query($sql);
if (!$result) {
  error('A database error occurred while checking your '.
        'login details.\\nIf this error persists, please '.
        'contact you@example.com.');
}

if (mysql_num_rows($result) == 0) {
  unset($_SESSION['username']);
  unset($_SESSION['pass']);
  ?>
  <!DOCTYPE html PUBLIC "-//W3C/DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title> Access Denied </title>
    <meta http-equiv="Content-Type"
      content="text/html; charset=utf-8" />
  </head>
  <body>
  <h1> Access Denied </h1>
  <p>Your user ID or password is incorrect, or you are not a
     registered user on this site. To try logging in again, click
     <a href="<?=$_SERVER['PHP_SELF']?>">here</a>. To register for instant
     access, click <a href="signup.php">here</a>.</p>
  </body>
  </html>
  <?php
  exit;
}
$username = mysql_result($result,0,'username');
?>

Posted: Wed Jun 06, 2007 4:54 am
by volka
The code in question is still in there without any change.

Please think about what you've changed.
if(!isset($username)) {

dbConnect("articles");
$sql = "SELECT * FROM user WHERE username = '$username' AND pass ='$pass'";
$result = mysql_query($sql)
If there is no variable $username ask the database for records having the value of $username in one of the fields. Doesn't make much sense, does it? ;)

Posted: Wed Jun 06, 2007 7:17 am
by m2babaey
oops!
There are 2 if(!isset($username)) in the code above. The first one should have been if(isset($username)).
Then if there is either a form submission or a session variable, it will be checked, and if not, the login form will be presented.
But the problem is something else.
pro1.php & pro2.php & pro3.php are 3 protected pages (they include access.php).
pro1 has a link to pro2 and pro2 has a link to pro3.
When the user wants to visit pro1, he is asked to log in. Then he accesses the page and clicks pro2 to go to pro2.php. It's OK. He is redirected to pro2.php with no problem.
But pro2.php has a link to pro3.php. The user clicks that link but he is asked to log in. Why?
I don't want my users to log in for every single page they want to visit :cry: :cry:

Posted: Wed Jun 06, 2007 10:32 am
by RobertGonzalez
You are still doing this:

Code:

$_SESSION['username'] = $_POST['username']; 
$_SESSION['pass'] = $_POST['pass']; 

$username = $_POST['username']; 
$pass = $_POST['pass'];
Until that is squared with, you are going to have the same problem.

Posted: Wed Jun 06, 2007 12:04 pm
by superdezign
This thread is incredibly entertaining. ^_^
m2babaey wrote: But the problem is something else.
Or maybe, just maybe, you're using undefined values. :wink:

Posted: Wed Jun 06, 2007 1:39 pm
by m2babaey
You are still doing this:

Code:

$_SESSION['username'] = $_POST['username'];
$_SESSION['pass'] = $_POST['pass'];

$username = $_POST['username'];
$pass = $_POST['pass'];
Until that is squared with, you are going to have the same problem.
How do I fix it?
Thanks for your help

Posted: Wed Jun 06, 2007 3:04 pm
by RobertGonzalez
Comment it out and try it. ;)
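
A version of the check the replies point toward, added here as an example and not code posted by anyone in the thread: the session is consulted first and the POST data is read only on a form submission, so pro2 and pro3 stay logged in. It also binds the query parameter instead of interpolating `$_POST` into the SQL and keeps the password out of the session; the `check_login` name, the PDO/SQLite handle and a `password_hash()` value in the `pass` column are assumptions.

```php
<?php
// Added example, not the poster's accesscontrol.php. Assumes a PDO handle
// and that user.pass holds a password_hash() value (both are assumptions).
declare(strict_types=1);

function check_login(PDO $db, array $post, array &$session): ?string
{
    // 1. Already logged in: trust the session and never touch the POST data.
    if (isset($session['username'])) {
        return $session['username'];
    }
    // 2. Only the form submission request carries username and pass.
    if (!isset($post['username'], $post['pass'])
        || !is_string($post['username']) || !is_string($post['pass'])) {
        return null;                       // not logged in: show the login form
    }
    // 3. A bound parameter keeps the posted value out of the SQL text.
    $stmt = $db->prepare('SELECT username, pass FROM user WHERE username = ?');
    $stmt->execute([$post['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($post['pass'], $row['pass'])) {
        return null;                       // wrong user ID or password
    }
    // 4. Store the identity only; the password never goes into the session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);       // fresh session id at login
    }
    $session['username'] = $row['username'];
    return $session['username'];
}

// Constructed demo data: in-memory SQLite stands in for the "articles" database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO user VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret', PASSWORD_DEFAULT)]);

$session = [];   // stands in for $_SESSION across the three requests
var_dump(check_login($db, ['username' => 'alice', 'pass' => 's3cret'], $session)); // pro1: form POST
var_dump(check_login($db, [], $session));   // pro2: plain link, no POST data
var_dump(check_login($db, [], $session));   // pro3: plain link again
```

In a real page the call would be `check_login($db, $_POST, $_SESSION)` after `session_start()`, with the login form shown whenever it returns null.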