Hey guys, I spent a lot of yesterday designing a PHP application. Part of it is a protected ACP. I have it generating an MD5 hash, then checking it against the database. That all works fine, it redirects fine etc., but in PHP I am new to the art of sessions, so if you could help I would be grateful.

So here is the basic order: logon.php (the form) ---> authenticate.php ---> index.php (login good) OR logon.php (login bad).

So that's the order; here is the relevant code:

authenticate.php

    <?php
    /*
    WISH UPON A STAR VERSION 0.8 BETA
    ©2007 RORY MERCER ALL RIGHTS RESERVED
    INITIAL: 23/10/07 LMODIFY: 23/10/07
    admin/authenticate.php
    NO EDITING
    */

    //Includes / Requirements
    require_once('../variables.php');
    include_once('../errors.php');

    //DB CONNECT
    $con = mysql_connect("$host", "$user", "$pass");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }

    //Obtain Variables from form.
    $adminusergiven = $_POST['username'];
    $adminpassgiven = $_POST['pass'];

    //Encrypt
    $md5result = md5($adminpassgiven);

    //Choose which DB
    mysql_selectdb($name);

    //Access Database Value
    $result = mysql_query("SELECT * FROM admin_details WHERE Username='$adminusergiven'");
    if (!$result) {
        die('SQL Error:' . ' ' . mysql_error());
    }

    while ($row = mysql_fetch_array($result)) {
        //Process and confirm/deny
        if ($row['Password'] === $md5result) {
            $finalresult = '1';
        } else {
            echo($denied_page);
        }
    }

    if ($finalresult='1') {
        //Start An ADMIN SESSION
        session_start();
        $_SESSION['admin'] = '1';
        $_SESSION['user'] = $adminusergiven;
        //Redirect
        header( "Location: $path/admin/index.php" ) ;
    }
    ?>

If you could look at everything in the last 'if' box (commented: Start an ADMIN SESSION). As I understand it, that little bit sets information about the browser?

So then I use it in the index script:

index.php

    <?php
    /*
    WISH UPON A STAR VERSION 0.8 BETA
    ©2007 RORY MERCER ALL RIGHTS RESERVED
    INITIAL: 23/10/07 LMODIFY: 23/10/07
    admin/index.php
    NO EDITING
    */

    //Includes / Requirements
    require_once('../variables.php');
    include_once('../errors.php');
    session_start();

    //Before we start, let's check that we do have a logged in administrator at the helm.
    if ($_SESSION['admin'] = '0') {
        header( "Location: $path/admin/logon.php" ) ;
    }
    ?>
    <html>
    <head>
    <title>Wish Upon A Star: Admin Interface</title>
    </head>
    <body>
    <h1>Admin Interface</h1>
    <p>Welcome to the admin interface <?php $_SESSION['user'] ?>
    This is the central control page where you can run many aspects of your wishlist.
    Please remember to log off securely when you are done.
    </p>
    </body>
    </html>

After the includes/requirements there is what I think should check the session info. So why isn't it doing so? What have I done wrong? What I think that should do is bounce you from the page if you are not a logged-in admin?

NOTES: A few variables are defined in the scripts that are included/required in the first pages, like the database variables, error messages etc. All for clarity and security.

Help! Thanks,
I just flew quickly over the code, but I saw twice that you're trying to compare two values with a single equals sign, when you have to use two.
    if($_SESSION['admin'] = '0')

This will always be true, since you're effectively setting $_SESSION['admin'] to the value of 0.
Actually, this will always be false, as "0" (string 0) is considered false. But this will always be true:

    if($finalresult='1')

EDIT: And on another important note. This piece:

    if($_SESSION['admin'] = '0') {
        header( "Location: $path/admin/logon.php" ) ;
    }

would not prevent access to the admin area even if you used two equals signs. The reason for this is that header redirects are handled by the browser, and they can be disabled. So you might be sending the header, but the browser would not react to it and the rest of the code would continue executing. To prevent this, simply add exit(); after the header() line.
Okay, so I need to add an exit() and add another equals sign; anything else?

EDIT: Thanks guys, it's working great now. I thought that because it was in an if statement it would just see it as me asking what the variable was rather than setting it. Thanks!
Also, everyone failed to tell them they should put the session_start() before any output. I would put it above the variables page:

    <?php
    //Includes / Requirements
    session_start();
    require_once('../variables.php');
    ?>

instead of where it currently is. The way you have it is fine as long as you do not output anything before it is called, but if something goes bad then you will get that stupid "headers already sent" error.
Thanks for the tip, I will move it now! I do have one question though: I think that I have done something else wrong, as the index script of the ACP does not say 'Welcome to the Admin Interface: Username'. So why isn't it showing the username? I guess it's the way I have set it in the script somewhere. Help is very much appreciated!

EDIT: Oh wait, I think I've got it *tries it out*
You forgot the echo. PHP won't output the value of the variable just because it's between <?php tags.
Yeah, I caught that one just after I posted, I must have been half asleep when I wrote that piece of code. Thanks for all your help: you've been great nico_swd
(Double post for clarity) I have some more problems now (lucky me). I have enabled warnings and errors to be shown in the browser on my test server, and now it doesn't work. Now I understand that error (not why it isn't letting my script continue, as it doesn't appear to be fatal, but hey). Does anyone have any suggestions on a better way of redirecting?
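The login and guard scripts, rewritten with the fixes the thread settled on (a comparison instead of an assignment, exit after header(), session_start() before any output, an echo for the username) together with the hardening a security reviewer would add on top: a prepared statement in place of the injectable string-built query, password_verify() in place of unsalted MD5, a fresh session id on login, and a redirect helper that also answers the last question by refusing to carry on when headers_sent() reports that output already went out, naming the file and line responsible. This is an added example, not code from the thread or from the Wish Upon A Star project. It assumes PHP 7.3+ with the PDO MySQL driver, that variables.php still defines $host, $name, $user, $pass and $path, and that the admin_details.Password column has been re-hashed with password_hash() rather than holding raw MD5 digests; the file name admin/auth.php and every function name below are the example's own.

```php
<?php
// admin/auth.php (added example, not the thread's code). Assumptions: PHP 7.3+
// with the PDO MySQL driver; variables.php defines $host, $name, $user, $pass,
// $path; admin_details.Password holds password_hash() output, not raw MD5.
declare(strict_types=1);

// session_start() must run before a single byte of output, so it lives in a
// function the entry scripts call first. The cookie flags keep the session id
// away from JavaScript and off plain HTTP.
function start_admin_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => !empty($_SERVER['HTTPS']),
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// A Location header is only a request to the browser; a client that ignores
// it would otherwise receive the rest of the admin page, so the script must
// stop. If output has already been sent the header is silently useless, so
// report where that output started instead of carrying on.
function redirect(string $url): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException(
            "Cannot redirect to $url: output already started in $file on line $line"
        );
    }
    header('Location: ' . $url, true, 303);
    exit;
}

// Prepared statement instead of interpolating $_POST['username'] into SQL,
// and password_verify() instead of === on MD5 strings. A missing user is
// verified against a throwaway hash so the response time does not reveal
// which usernames exist.
function authenticate_admin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT Password FROM admin_details WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stored = $row ? (string) $row['Password']
                   : password_hash('no-such-user', PASSWORD_DEFAULT);

    if (!password_verify($password, $stored)) {
        return false;
    }

    start_admin_session();
    session_regenerate_id(true);   // new id on privilege change: no session fixation
    $_SESSION['admin'] = true;
    $_SESSION['user']  = $username;
    return true;
}

// What authenticate.php reduces to. Every branch ends in a redirect, so the
// echo($denied_page) that ran inside the row loop (and committed the headers
// before any Location could be sent) is gone.
function handle_login(PDO $db, array $post, string $path): void
{
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['pass'] ?? '');
    if (authenticate_admin($db, $username, $password)) {
        redirect("$path/admin/index.php");
    }
    redirect("$path/admin/logon.php?failed=1");
}

// Guard for every admin page. The original `if ($_SESSION['admin'] = '0')`
// assigned; this compares, and the ?? avoids the undefined-index notice that
// shows up once warnings are displayed.
function require_admin(string $login_url): void
{
    start_admin_session();
    if (($_SESSION['admin'] ?? false) !== true) {
        redirect($login_url);
    }
}

// Logoff the "log off securely" reminder on the index page can point at.
function end_admin_session(string $login_url): void
{
    start_admin_session();
    $_SESSION = [];
    session_destroy();
    redirect($login_url);
}
```

authenticate.php then becomes the PDO construction (`new PDO("mysql:host=$host;dbname=$name;charset=utf8mb4", $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION])`) followed by `handle_login($db, $_POST, $path)`; index.php calls `require_admin("$path/admin/logon.php")` as its first statement after the includes, opens the HTML only after that, and prints the greeting with `echo htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8')`. With warnings switched on, the usual sources of "headers already sent" are a byte order mark or blank line before the opening tag of variables.php or errors.php, or trailing whitespace after their closing tag; leaving the closing tag off pure-PHP include files removes the second cause, and the RuntimeException from redirect() points at the first.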