
Login & session problem

Posted: Mon Sep 01, 2008 1:02 pm
by keisx
Hi! I'm new to the world of PHP, so at the start it's only normal that I don't understand something :) The problem is that I'm working on a login page combined with the option to add new messages, but something isn't going right - maybe I'm trying to check the sessions incorrectly. I'd be very thankful if you could help me with this code.

So this is a normal HTML login (the file is called admin.php):

Code:

 
<table border=1 align=middle>
<form method="post" action="news.php"><td>Password:</td><td><input type="password" name="password"><input type="submit" value="Enter"></td></form></table>
 
And this is my news.php file - the file which checks my password and starts a session - I have a suspicion that it's the session which I don't understand completely.

Code:

<?
 session_start();
 
if($_POST['password'] == 'pass'){
$_SESSION['loged_in'] = true;
}
else{
include("admin.php");
exit;
} 
?>
 
<form method="post" action="news.php">
<table>
<tr>
<td>
<select name="number">
<option value ="1">1</option>
<option value ="2">2</option>
<option value ="3">3</option>
<option value ="4">4</option>
</select>
 
<textarea name="news" wrap="virtual" rows="10" cols="40" style="color: #800000">New message</textarea></td></tr><tr><td>
<a href="admin.php?logout=1">Iziet</a>
<? if(isset($_REQUEST['logout'])) session_destroy();?>
</td></tr><tr align="right"><td>
<input type="submit" name="submit" value="Add"> 
</form>
</td>
</tr></table>
 
 
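<?
// Read the posted fields without suppressing errors; number is forced to an integer.
$news=(isset($_POST['news']) && is_string($_POST['news'])) ? $_POST['news'] : '';
$number=isset($_POST['number']) ? (int)$_POST['number'] : 0;
 
$connection=mysql_connect('127.0.0.1','*','*') or die ("Unable to connect...");
mysql_select_db('*',$connection);
 
if(strlen($news)>0){
// Escape the message before it is placed inside the SQL string.
$safe_news=mysql_real_escape_string($news,$connection);
$query=mysql_query("INSERT INTO `info`(`message`, `number`) VALUES ('$safe_news', '$number')",$connection);
}
mysql_close($connection);
 
?>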
 
Somehow, after I press Add, it throws me back to the login page; to be exact, it does this:

else{
include("admin.php");
exit;

Does anyone know what the problem is?

Re: Login & session problem

Posted: Mon Sep 01, 2008 1:39 pm
by dude81
Seems to be a problem with the editor; all your code works fine in my editor.

Re: Login & session problem

Posted: Mon Sep 01, 2008 1:43 pm
by keisx
Did you try pressing the "Add" button under the textarea? Everything works fine until I want to add my message to the database - if you noticed, I post the data from the second form to the same file, and as a result it just somehow destroys my session and tells me that my password is incorrect, aka sends me to the login page.

Re: Login & session problem

Posted: Mon Sep 01, 2008 2:01 pm
by dude81
The problem seems to be this logic:

Code:

 
 if($_POST['password'] == 'pass'){
 $_SESSION['loged_in'] = true;
 }
 else{
 include("admin.php");
 exit;
 } 
 
The first time, when you post through admin.php, you check for the pass in this logic; this passes successfully and shows the news.php page.
The second time you post, you don't have "pass" being passed from the form to news.php. It fails the

Code:

if($_POST['password'] == 'pass'){
 $_SESSION['loged_in'] = true;
 }
this condition and goes to the else loop, where you include(admin.php) and you exit after it, which is what is happening.
To avoid this, add a thing like this in the news.php form:

Code:

<input type='hidden' name='password' value="<?php echo htmlspecialchars($_POST['password'], ENT_QUOTES); ?>">

Re: Login & session problem

Posted: Mon Sep 01, 2008 2:17 pm
by keisx
Strange - the same moment I read your text above the second piece of code, I suddenly realized that I needed a hidden field - it sounds easy when someone can explain to you the actions of the code in human language - a million thanks to dude81 ;)

Re: Login & session problem

Posted: Mon Sep 01, 2008 2:21 pm
by DaiWelsh
Problem is as identified by previous poster, but I (humbly) disagree with the solution. To use sessions as you clearly intend to, you need to change your logic at the top to something like (untested):

if(isset($_POST['password']) and ($_POST['password'] == 'pass')){
$_SESSION['loged_in'] = true;
}
if(!(isset($_SESSION['loged_in']) and $_SESSION['loged_in'])) {
include("admin.php");
exit;
}

Thus, if the password is passed and valid, the session variable is set. If the session variable is not set correctly (maybe because the password was wrong, or maybe just because they have never tried to log in at all), then they are sent to the login.

HTH,

Dai
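
The session-based gate from the last reply, written out as an added example (not code posted by anyone in the thread), so the password is checked once and never has to travel back through a hidden field. It assumes PHP 5.5 or later, an environment variable named ADMIN_PASSWORD_HASH (a name made up here) holding the output of password_hash(), and a logout sent as a POST field; the session key loged_in is the thread's own.

```php
<?php
// Top of news.php: added example, not code from the thread.
// ADMIN_PASSWORD_HASH is an assumed environment variable that holds the
// output of password_hash(<admin password>, PASSWORD_DEFAULT).
session_start();

$hash = getenv('ADMIN_PASSWORD_HASH') ?: '';

// 1. Login attempt: only when the login form actually posted a password.
//    The "Add" form posts no password field, so this block is skipped for it
//    instead of being treated as a failed login.
if (isset($_POST['password']) && is_string($_POST['password'])
    && $hash !== '' && password_verify($_POST['password'], $hash)) {
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['loged_in'] = true;
}

// 2. Logout (assumed here to arrive as a POST field named "logout"):
//    handled before any output, in the script that owns the session.
if (isset($_POST['logout'])) {
    $_SESSION = [];
    session_destroy();
}

// 3. Gate: every request is decided by the session flag alone, whether it
//    came from the login form, the "Add" form, or a direct visit.
if (empty($_SESSION['loged_in'])) {
    include 'admin.php';
    exit;
}

// From here on the visitor is authenticated; the message form and the
// database insert from the original news.php would follow.
```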