Sessions

Hi Guys,

I’m experimenting with creating a back office side of my website.

There are a few things I'm aiming to achieve. I want to use a session so that once I'm logged in, if I go away from the page but then go back to it, I don't have to log back in.

I want to protect the content page so that it can only be accessed if the login form has been submitted and the details match.

I want to be able to log out.

I have come up with this. My problems at the moment are that even though I am logged in, if I go off and then come back to the page backoffice.html it doesn't notice I have a session started and therefore doesn't redirect me to backofficehome.php. My other problem is that at the moment you can just bypass the login and go straight to backofficehome.php - basically it doesn't check to see if you are logged in before displaying the data.

Here are the 4 small bits of code.

Backoffice.html
[php]
<?php session_start(); if($_SESSION["screen_name"]) { header("location:backofficelogin.php"); } ?>

<form method="post" action="backoffice.php">
Member Login:

<p><label for="screen_name">Screen Name:</label>
<input id="screen_name" name="screen_name" type="text" /></p>

<p><label for="pass">Password:</label>
<input id="pass" name="pass" type="password" /></p>

<input type="submit" name="Submit" value="Login"/>
</form>
[/php]

backoffice.php:
[php]<?php
// username and password sent from form
$result = mysql_query("SELECT * FROM login WHERE screen_name='$_POST[screen_name]' LIMIT 0,1");

// Check to see if it actually got something, if so, continue on:
if(mysql_num_rows($result) != 0) {

	// Fetch the row and drop it into an array:
	$row = mysql_fetch_array($result);

	// Assuming that the password is already in the database, hashed with sha1():
	if (sha1($_POST['pass']) == $row['pass']){
		session_register("screen_name");
		header("location:backofficehome.php");
	}
	else {
		header("location:backoffice.html");
	}

}
mysql_close($con);
?>[/php]

backofficehome.php
[php]
<?php session_start(); if(!session_is_registered("screen_name")){ header("backoffice.html"); } ?>
<form method="post" action="backofficelogout.php">
<input type="submit" name="Logout" value="Logout"/>
</form>
[/php]

backofficelogout.php
[php]<?php
session_start();   // Start the current session
session_destroy(); // Destroy it! So we are logged out now
header("location:index.php"); // Move back to index.php with a logout message
?>[/php]

The logout seems to be working fine. My main worry is making sure people can't access backofficehome.php unless they are logged in.

Where am I going wrong!

Many thanks,

Sam

I realise

header("location:backofficelogin.php");

is meant to be this

header("location:backofficehome.php");

on the first section of code. However this still does not work

Sam

Hi again,

A simple IF statement should be enough:

[php]if(!isset($_SESSION['member']))
{
	header("Location: login.php");
	exit; // stop here, otherwise the rest of the page is still sent along with the redirect
}[/php]

This should prevent unauthorized users from accessing your backend. Put this at the top of your main backend page, under the session_start() declaration. Hope this helps.

That works perfectly! So well, in fact, that I'm now having trouble accessing the page even after I log in...

I’m using this on my main backend page

[php]<?php
session_start();
if(!isset($_SESSION['screen_name']))
{
	header("Location: backoffice.html");
	exit;
}
?>[/php]

and this is the php script my login form calls

It appears as if the session created here does not match the session the back end main page looks for? And thus I log in successfully, get redirected to backofficehome.php, it checks for the session, rejects it and sends me back to the login page...

[php]<?php
// username and password sent from form
$result = mysql_query("SELECT * FROM login WHERE screen_name='$_POST[screen_name]' LIMIT 0,1");

// Check to see if it actually got something, if so, continue on:
if(mysql_num_rows($result) != 0) {

	// Fetch the row and drop it into an array:
	$row = mysql_fetch_array($result);

	// Assuming that the password is already in the database, hashed with sha1():
	if (sha1($_POST['pass']) == $row['pass']){
		session_register('screen_name');
		header("location:backofficehome.php");
	}
	else {
		header("location:backoffice.html");
	}

}
mysql_close($con);
?>[/php]

Many Thanks,

Sam

Hi again,

Try this code for your login's handler script:

[php]<?php
session_start(); // without this, nothing written to $_SESSION is ever saved

$user = $_POST['screen_name'] ?? '';
$pass = $_POST['pass'] ?? '';

// Hypothetical connection details. The lookup is a prepared statement: interpolating
// $_POST values straight into the query string leaves it open to SQL injection.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'backoffice');
$stmt = $db->prepare('SELECT pass FROM login WHERE screen_name = ? LIMIT 1');
$stmt->bind_param('s', $user);
$stmt->execute();
$stmt->bind_result($stored);

// The table holds sha1() hashes (see the code above), so compare hash to hash, not to
// the plaintext. hash_equals() is constant-time; sha1 itself is a weak choice for passwords.
if ($stmt->fetch() && hash_equals((string) $stored, sha1($pass)))
{
	session_regenerate_id(true); // new session ID once the user is authenticated
	$_SESSION['screen_name'] = $user;
	header("Location: backofficehome.php");
}
else
{
	header("Location: backoffice.html");
}
exit;
?>[/php]

Try this and see if it works.
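The thread is assembling three pieces that all have to agree on one session: a gate on the protected page, a login handler that writes the session, and a logout. Below is one complete version of those three as an added example; it is not the poster's or the replier's code. It assumes PDO with the MySQL driver, the thread's `login(screen_name, pass)` table with `pass` changed to hold `password_hash()` output instead of sha1(), hypothetical database credentials, and a back office served over HTTPS.

```php
<?php
// auth.php: one include shared by every back office page.
// Added example, not code from the thread. Assumptions not in the original:
// PDO with the MySQL driver, a `login(screen_name, pass)` table as in the thread
// but with `pass` holding password_hash() output, and hypothetical DB credentials.
declare(strict_types=1);

const LOGIN_PAGE = 'backoffice.html';
const HOME_PAGE  = 'backofficehome.php';

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Hypothetical DSN and credentials; replace with your own.
        $pdo = new PDO('mysql:host=localhost;dbname=backoffice;charset=utf8mb4', 'dbuser', 'dbpass', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    }
    return $pdo;
}

// Every page that reads or writes $_SESSION must call this first. A page that
// skips session_start() sees an empty $_SESSION, which is what the thread ran into.
function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,  // keep the session cookie away from JavaScript
            'secure'   => true,  // assumes the back office is served over HTTPS
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Gate for backofficehome.php: call before any output. Returns the screen name.
function require_login(): string
{
    start_session();
    if (empty($_SESSION['screen_name'])) {
        header('Location: ' . LOGIN_PAGE);
        exit; // without exit the protected HTML below is still sent along with the redirect
    }
    return $_SESSION['screen_name'];
}

// Handler for the login form: true on success, false otherwise.
function attempt_login(string $screenName, string $password): bool
{
    start_session();
    // Prepared statement: the screen name is bound, never interpolated into the SQL.
    $stmt = db()->prepare('SELECT pass FROM login WHERE screen_name = ? LIMIT 1');
    $stmt->execute([$screenName]);
    $hash = $stmt->fetchColumn();            // false when there is no such user
    if ($hash === false || !password_verify($password, (string) $hash)) {
        return false;                        // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);             // fresh ID so a pre-login cookie value cannot be reused
    $_SESSION['screen_name'] = $screenName;
    return true;
}

// Logout: clear the data, expire the cookie, then destroy the server-side record.
function logout(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Page wiring (each snippet is the whole of its file apart from the HTML):
//
// backoffice.php       -> require 'auth.php';
//                         $ok = attempt_login($_POST['screen_name'] ?? '', $_POST['pass'] ?? '');
//                         header('Location: ' . ($ok ? HOME_PAGE : LOGIN_PAGE)); exit;
//
// backofficehome.php   -> require 'auth.php'; $who = require_login(); ... protected HTML ...
//
// backofficelogout.php -> require 'auth.php'; logout();
//                         header('Location: ' . LOGIN_PAGE); exit;
```

Two things to check before using it. Existing sha1() values in the `pass` column need to be replaced with `password_hash($plaintext, PASSWORD_DEFAULT)` output (at the user's next successful login or through a password reset), since `password_verify()` will reject them. And the "already logged in, go to the home page" check at the top of the login form only runs if that file is parsed by PHP; a `.html` file is served as-is by a default server configuration, so that check belongs in a `.php` file.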
