Tweaking authorization script for three private page area
Posted: Fri Feb 22, 2008 8:19 am
Hello,
I have an issue with an if statement that needs correcting. I can't quite figure it out.
I have a registration page where users can choose between three options. These three options take the users to a different "private" page. This is the relevant login code:
```php
// $login is interpolated into the query, so it is escaped here; otherwise a crafted
// login name could change the SQL that is executed.
$qry="SELECT member_id, location FROM members WHERE login='".mysql_real_escape_string($login)."' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result)>0) {
        //Login Successful
        session_regenerate_id();
        $member=mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID']=$member['member_id'];
        session_write_close();
        switch ($member['location'])
        {
            case "private1":
                header("location: private1.php");
                break;
            case "private2":
                header("location: private2.php");
                break;
            case "private3":
                header("location: private3.php");
                break;
            default:
                //ERROR
                break;
        }
        //end new code
        exit();
    }else {
        //Login failed
        header("location: failed.php");
        exit();
    }
}else {
    die("Query failed");
}
```
The way it works is such that the case system decides which "location" the user picked when they registered, and takes them there after they login.
On each of the private pages, there is a require once function:
```php
<?php
require_once('authorization.php');
?>
```
and that script does:
```php
<?php
//Starts session for private page browsing
session_start();
//Check if the session variable (called SESS_MEMBER_ID) is there
if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='')) {
    header("location: denied.php");
    exit();
}
?>
```
Back to the case statement, I have since added this
```php
<?php
switch ($member['location'])
{
    case "private1":
        header("location: private1.php");
        $_SESSION['page_allowed']="private1.php";
        break;
    case "private2":
        header("location: private2.php");
        $_SESSION['page_allowed']="private2.php";
        break;
    case "private3":
        header("location: private3.php");
        $_SESSION['page_allowed']="private3.php";
        break;
    default:
        //ERROR
        break;
}
?>
```
And then consequently added the $_SESSION['page_allowed']!="private2.php"; string to the authorization.php script (changing the private'n' number for the corresponding pages).
```php
// Denied when not logged in, and also denied unless the session records this
// page as the one the member is allowed to see.
if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='') || $_SESSION['page_allowed']!="private1.php") {
    header("location: denied.php");
    exit();
}
```
But it doesn't work. What happens is the user goes straight to the denied.php page. Have I defined my [page_allowed] variable incorrectly in my case statement?
Although the authorization script seems to work (and redirect) properly before I added this new [page_allowed] variable, how can I add that 'or' clause to the authorization script so only those users can see their respective allowed areas? I have a feeling I'm missing something basic, and I have a feeling it is the $_SESSION['page_allowed'] definition in the case statement.
I would be very grateful if somebody could help tweak this for me!
Thank you,
W
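A single authorization.php that all three private pages can require_once, as an added example that is not part of the original post. It assumes the pages are named private1.php, private2.php and private3.php, and that the login script stores $_SESSION['SESS_MEMBER_ID'] and $_SESSION['page_allowed'] before it calls session_write_close(); in the posted login code page_allowed is assigned after the session has already been closed, so it is never saved and every check fails.

```php
<?php
// authorization.php, shared by private1.php, private2.php and private3.php.
// Added example, not the poster's code. Assumes the login script has stored
// $_SESSION['SESS_MEMBER_ID'] and $_SESSION['page_allowed'] before session_write_close().
session_start();

// Explicit list of private pages; anything not listed is refused.
$privatePages = array('private1.php', 'private2.php', 'private3.php');

// Decide whether this session may view $currentPage. Written as a plain function
// over the session array so the rule can be read (and tried) in isolation.
function isAuthorized(array $session, $currentPage, array $privatePages)
{
    // Not logged in at all.
    if (!isset($session['SESS_MEMBER_ID']) || trim($session['SESS_MEMBER_ID']) === '') {
        return false;
    }
    // Logged in, but no valid page assignment in the session. This is the state
    // the posted code ends up in, because page_allowed is set after
    // session_write_close() and therefore never reaches the session store.
    if (!isset($session['page_allowed'])
        || !in_array($session['page_allowed'], $privatePages, true)) {
        return false;
    }
    // Only the one page this member registered for; typing another URL is denied.
    return $session['page_allowed'] === $currentPage;
}

// Compare against the script that is actually running, reduced to its file name,
// rather than against anything taken from the URL or from user input.
$currentPage = basename($_SERVER['SCRIPT_NAME']);

if (!isAuthorized($_SESSION, $currentPage, $privatePages)) {
    header('Location: denied.php');
    exit();
}
?>
```

Because the decision is a plain function, it can be exercised without a web server: isAuthorized(array('SESS_MEMBER_ID' => '7', 'page_allowed' => 'private2.php'), 'private1.php', $privatePages) returns false, while the same session viewing private2.php returns true.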