
Tweaking authorization script for three private page area

Posted: Fri Feb 22, 2008 8:19 am
by willj1234
Hello,

I have an issue with an if statement that needs correcting. I can't quite figure it out.

I have a registration page where users can choose between three options. These three options take the users to a different "private" page. This is the relevant login code:

Code:

$qry="SELECT member_id, location FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result)>0) {
        //Login Successful
        session_regenerate_id();
        $member=mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID']=$member['member_id'];
        session_write_close();
        switch ($member['location'])
        {
            case "private1":
                header("location: private1.php");
                break;
            case "private2":
                header("location: private2.php");
                break;
            case "private3":
                header("location: private3.php");
                break;
            default:
                //ERROR
                break;
        }
        //end new code
        exit();

    }else {
        //Login failed
        header("location: failed.php");
        exit();
    }
}else {
    die("Query failed");
}
As is, this code works.

The way it works is such that the case system decides which "location" the user picked when they registered, and takes them there after they login.

On each of the private pages, there is a require once function:

Code:

<?php
    require_once('authorization.php');
?>
and that script does:

Code:

<?php
 
//Starts session for private page browsing
 
    session_start();
       
//Check if the session variable (called SESS_MEMBER_ID is there)
 
    if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='')) {
        header("location: denied.php");
        exit();
    }
?>
The only problem I'm having is that even if somebody logs in as private1, they can still see the other two private areas (by typing them in the URL bar), thus making each of the private areas NOT really private.

Back to the case statement, I have since added this

Code:

<?php
switch ($member['location'])
{
    case "private1":
        header("location: private1.php");
        $_SESSION['page_allowed']="private1.php";
        break;
    case "private2":
        header("location: private2.php");
        $_SESSION['page_allowed']="private2.php";
        break;
    case "private3":
        header("location: private3.php");
        $_SESSION['page_allowed']="private3.php";
        break;
    default:
        //ERROR
        break;
}
?>
 
Note the added $_SESSION['page_allowed']="private1.php";

And then consequently added the $_SESSION['page_allowed']!="private2.php"; string to the authorization.php script (changing the private'n' number for the corresponding pages).

Code:

if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='')) || $_SESSION['page_allowed']!="private1.php";{
    header("location: denied.php");
    exit();
}
This means I have used a different authorization script for each of the three private pages (because I have to explicitly specify whether their allowed page is private1,2 or 3).

But it doesn't work. What happens is the user goes straight to the denied.php page. Have I defined my [page_allowed] variable incorrectly in my case statement?

Although the authorization script seems to work (and redirect) properly before I added this new [page_allowed] variable, how can I add that 'or' clause to the authorization script so only those users can see their respective allowed areas? I have a feeling I'm missing something basic, and I have a feeling it is the $_SESSION['page_allowed'] definition in the case statement.

I would be very grateful if somebody could help tweak this for me!

Thank you,
W

Re: Tweaking authorization script for three private page area

Posted: Fri Feb 22, 2008 12:11 pm
by Christopher
You need to check whether $_SESSION['page_allowed'] is equal to the current page name and redirect if it is not.

Re: Tweaking authorization script for three private page area

Posted: Fri Feb 22, 2008 5:21 pm
by willj1234
You need to check whether $_SESSION['page_allowed'] is equal to the current page name and redirect if it is not.
Can you be a bit more specific? I understand that the $_SESSION needs to be checked, but I'm not sure if it was set correctly in the case statement. Is this correct?

if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID'])=='')) || $_SESSION['page_allowed']!="private1.php";{
header("location: denied.php");
exit();
}

Because right now it only redirects to denied.php even if the user's allowed page does in fact equal private1.php.


I'm a bit new to PHP so if you could help any further I would be most appreciative.

Re: Tweaking authorization script for three private page area

Posted: Wed Feb 27, 2008 10:17 am
by willj1234
Can anyone suggest how I can "check whether $_SESSION['page_allowed'] is equal to the current page name and redirect if it is not." ? I'm still a bit lost and would appreciate any ideas. Thank you!

Re: Tweaking authorization script for three private page area

Posted: Wed Mar 05, 2008 2:01 pm
by jtsandlund
Are you messing up your parentheses? I've had trouble with authentication before, and I'm quite the newbie, but maybe you should try this:

Code:

if( !isset( $_SESSION['SESS_MEMBER_ID'] ) || trim( $_SESSION['SESS_MEMBER_ID'] ) == '' || $_SESSION['page_allowed'] != "private1.php" ) {
header("location: denied.php");
exit();
}
I'm not sure if your 'page_allowed' variable got set either. Can you put that before the header, or does the header always come first? Read the tutorial viewtopic.php?f=28&t=1157 -- that has some information about headers. I think, if the header is the problem, then you may need an ob_start();

Hope that helps...

By the way, the trim($_SESSION['SESS_MEMBER_ID'])=='' , I never had in my authentication. What is that for? Shouldn't !isset($_SESSION['SESS_MEMBER_ID']) do the trick?
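Christopher's suggestion written out as a single authorization.php shared by all three private pages, so one copy replaces the three per-page variants (an added example, not code from the thread): it compares $_SESSION['page_allowed'] with the name of the script actually being served. The PRIVATE_PAGES constant and isAuthorized() are names chosen here; the script assumes the login code sets $_SESSION['page_allowed'] before its session_write_close() call, because writes to $_SESSION after that call are not saved.

```php
<?php
// authorization.php, shared by private1.php, private2.php and private3.php.
// Added example; assumes the login script stores the member's page in
// $_SESSION['page_allowed'] BEFORE calling session_write_close(), because
// anything written to $_SESSION after that call is not saved.
session_start();

// The only pages this script protects; a value outside this list is denied
// even if the session somehow carries it.
const PRIVATE_PAGES = ['private1.php', 'private2.php', 'private3.php'];

function isAuthorized(array $session, string $currentPage): bool
{
    // 1. A member must actually be logged in (same test the original used,
    //    written so that a member_id of 0 is not mistaken for "not set").
    if (!isset($session['SESS_MEMBER_ID']) || trim((string) $session['SESS_MEMBER_ID']) === '') {
        return false;
    }
    // 2. The stored page must be one we know about.
    if (!isset($session['page_allowed'])
        || !in_array($session['page_allowed'], PRIVATE_PAGES, true)) {
        return false;
    }
    // 3. ...and it must be exactly the page being served now, so a private1
    //    member who types private2.php into the URL bar is turned away.
    return $session['page_allowed'] === $currentPage;
}

// basename() reduces "/members/private2.php" to "private2.php" so it can be
// compared with the value stored at login.
$currentPage = basename($_SERVER['SCRIPT_NAME']);

if (!isAuthorized($_SESSION, $currentPage)) {
    header('Location: denied.php');
    exit();
}
```

Because the check is keyed on the served script's own name, adding a fourth private page only requires extending PRIVATE_PAGES and the login switch, not another copy of the script.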

Re: Tweaking authorization script for three private page area

Posted: Wed Mar 05, 2008 3:12 pm
by John Cartwright
A quick optimization here,

Code:

if( !isset( $_SESSION['SESS_MEMBER_ID'] ) || trim( $_SESSION['SESS_MEMBER_ID'] ) == '' || $_SESSION['page_allowed'] != "private1.php" ) {
with

Code:

if(empty($_SESSION['SESS_MEMBER_ID']) || $_SESSION['page_allowed'] != "private1.php" ) {