aubrey5 Posted February 2, 2011 Share Posted February 2, 2011 Hello, I just joined today! I am very new to php, I'm sure you'll be able to tell I created a 'members area only' thanks to some awesome online tutorials!! The only part that isn't working is the page protection for the 'members only area'. I am using $_SESSION and ISSET, but wonder why page shows when the address to the protected page is typed directly in, (no session should exist) if I understand correctly ... Any help will be wonderful, I really can't do this on my own yet. I have tried many different combinations, I may have them all mixed together by now. Currently, I have this code to the top of the page I am trying to protect ... <? ob_start(); session_start(); //The users login details should be stored either in the post array or session array so we pull those login credentials $username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username']; $password = isset($_POST['password']) ? $_POST['password'] : $_SESSION['password']; //if no username session variable exists, redirect user: if(!isset($username)) { header("Location: login_form.php"); } ?> <html> <head> </head> <body> <p> This is the members only area</p> </body> </html> Quote Link to comment Share on other sites More sharing options...
ttocskcaj Posted February 2, 2011 Share Posted February 2, 2011 I would try <?php session_start(); if(!isset($_POST['username']) or !isset($_SESSION['username']) { header("Location: login_form.php"); } else { ?> <html> <body> <p> This is the members only area</p> </body> </html> <?php //ending else } ?> Keep in mind that you need to tell PHP to "session_start()" and that when your testing, sessions can last a few minutes, even after you close the window. You need a logout script to get rid of them. Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted February 2, 2011 Author Share Posted February 2, 2011 I will try this and post back. I do have a logout script, but have to admit I haven't been using it while testing page protection, just closing browser. Thanks for the reply. Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted February 2, 2011 Author Share Posted February 2, 2011 I tried that code, it still loaded the 'protected page' without a login. I then ran the logout code and tried again. It still loaded the 'protected page' without login prompt. What does that mean? My logout code has an error? Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted February 2, 2011 Share Posted February 2, 2011 hard to say without seeing your logout code. Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted February 2, 2011 Author Share Posted February 2, 2011 This is my logout.php <? session_start(); ?> <html> <body> <tr><td colspan="3"><p>Logout</p></td></tr><tr><table> <? if(!isset($_REQUEST['logmeout'])){ echo "<center>Are you sure you want to logout?</center><br />"; echo "<center><a href=logout_yes.php>Yes</a> | <a href=javascript:history.back()>No</a>"; } else { session_destroy(); if(!session_is_registered('first_name')){ echo "<center><font color=red><strong>You are now logged out!</strong></font></center><br />"; echo "<center><strong>Login:</strong></center><br />"; include 'login_form.php'; } } ?> </body> </html> ////////// And this is my logout_yes.php <html> <body> <p class="redtitle" align="center">You are logged out.</p> </body> </html> Quote Link to comment Share on other sites More sharing options...
Maq Posted February 2, 2011 Share Posted February 2, 2011 aubrey5, please use tags next time. Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted February 2, 2011 Author Share Posted February 2, 2011 No problem, what are code tags and how do I use them? Quote Link to comment Share on other sites More sharing options...
Maq Posted February 2, 2011 Share Posted February 2, 2011 No problem, what are code tags and how do I use them? Either use the '#' icon in the reply, or put //code here... around your code. Quote Link to comment Share on other sites More sharing options...
AtomicRax Posted February 2, 2011 Share Posted February 2, 2011 When the user accesses logout.php directly and they click on the "Yes" to logout, they go straight to logout_yes.php never get their session destroyed. Since you're using two files, try something like this: logout.php <? session_start(); ?> <html> <body> <tr><td colspan="3"><p>Logout</p></td></tr><tr><table> <center>Are you sure you want to logout?</center><br /> <center><a href=logout_yes.php>Yes</a> | <a href=javascript:history.back()>No</a> </body> </html> logout_yes.php <html> <body> <? session_destroy(); if(!session_is_registered('first_name')){ echo "<center><font color=red><strong>You are now logged out!</strong></font></center><br />"; echo "<center><strong>Login:</strong></center><br />"; include 'login_form.php'; } ?> </body> </html> Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted February 2, 2011 Author Share Posted February 2, 2011 I changed my logout to your suggestion. My protected page still shows without login prompt. Any suggestions? I was thinking my session variables weren't set right to pass correctly to my protected page session, but even when typing in the address of the page directly, I get in without login prompt. Here is my checkuser.php code (it is the action for my submit button on my login_form.php). My checkuser.php code works great for everything else. <? /* Check User Script */ session_start(); // Start Session include 'db.php'; // Convert to simple variables $username = $_POST['username']; $password = $_POST['password']; //register session variables $_SESSION['username'] = $username; $_SESSION['password'] = $password; if((!$username) || (!$password)){ $enter_all = "Please enter ALL of the information."; echo "Please enter ALL of the information! <br />"; include 'login_form.php'; exit(); } // check if the user info validates the db $sql = mysql_query("SELECT * FROM mytable WHERE username='$username' AND password='$password' AND activated='1'"); $login_check = mysql_num_rows($sql); if($login_check > 0){ while($row = mysql_fetch_array($sql)){ foreach( $row AS $key => $val ){ $$key = stripslashes( $val ); } // Register some session variables! session_register('first_name'); $_SESSION['first_name'] = $first_name; session_register('last_name'); $_SESSION['last_name'] = $last_name; session_register('email_address'); $_SESSION['email_address'] = $email_address; session_register('special_user'); $_SESSION['user_level'] = $user_level; mysql_query("UPDATE mytalbe SET last_login=now() WHERE userid='$userid'"); //redirect to file login_success.php header("Location: login_success.php"); } } else { $not_loggedin = "You could not be logged in! Either the username and password do not match or you have not validated your account!"; echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br /> Please try again!<br />"; include 'login_form.php'; } ?> Quote Link to comment Share on other sites More sharing options...
AtomicRax Posted February 3, 2011 Share Posted February 3, 2011 While not too helpful, it's not recommended that you use or store passwords unencrypted.. This might be considered a "preference" but it's definitely a more secure way of handling them. Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted February 4, 2011 Author Share Posted February 4, 2011 Hello, I was getting ready to encrypt my passwords like this, when I realized I don't know how to unencrypt them to send to the user when they click on the 'lost password' link. // Encrypt the password $encrypt_password = md5($password); Is their a simple way to decrypt this password ... I can't say I've found one googling it Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted February 4, 2011 Share Posted February 4, 2011 you can't decrypt md5, as it is not encryption. do not send the user password. reset their password for them and send them the new password. long story short: There should be no way for anyone (even you) to tell what a user's password is. Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted February 4, 2011 Author Share Posted February 4, 2011 Okay, I'll work on a page that sends them a new password. Is md5 sufficient for encryption ( I know you said it wasn't 'encrypted')? My original question still remains unanswered: Why does my protected page load when typed directly into address bar? Below is the code I am trying as suggested above. <?php session_start(); if(!isset($_POST['username']) or !isset($_SESSION['username']) { header("Location: login_form.php"); } else { ?> <html> <body> <p> This is the Members only Area</p> </body> </html> Have I reversed the code? Should it be: <?php session_start(); if(!isset($_POST['username']) or !isset($_SESSION['username']) { ?> <html> <body> <p> This is the Members only Area</p> </body> </html> <?php } else { header("Location: login_form.php"); } ?> Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted February 28, 2011 Author Share Posted February 28, 2011 I know this post has been out a while, so I am bumping it up (I hope that is okay). I still haven't got this protected page to work. I was wondering, I don't think my session variable are registering correctly. I tried to make a page that had "Welcome (your name goes here)" when they logged in and it is blank. I used this, is this the right way to do it? <p> Welcome, <?=$first_name?>! </p> Thanks, Aubrey Quote Link to comment Share on other sites More sharing options...
ttocskcaj Posted March 4, 2011 Share Posted March 4, 2011 I don't know anything about the shorthand php.. but are you defining $first_name ? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 4, 2011 Share Posted March 4, 2011 it is blank What is blank, the whole page? The (your name goes here) part? What exactly do you see in front of you and what is the current code that produces the page? Quote Link to comment Share on other sites More sharing options...
aubrey5 Posted March 4, 2011 Author Share Posted March 4, 2011 I can't remeber the correct tag to put around the code, so I apologize now. The page display correctly, only the (your names goes here) is missing. Sequence of pages: 1. User registers for account (register.php) 2. I activate account 3. User logs in (login_form.php, the form action is checkuser.php) 4. Checkuser.php defines $first_name I think and redirects to login_success.php 5. Login_success.php has the Welcome (your names goes here), and the page protect which isn't working either. This is the login_success.php page. It has page protection that isn't working, the php code at the top of the page. I have to pull this part of the code off to check the Welcome (your name goes here). <?php require_once ('verify.php'); $page_title = 'YOUR PAGE TITLE GOES HERE'; // Start output buffering: ob_start(); // Initialize a session: session_start(); // Check for a $page_title value: if (!isset($page_title)) { $page_title = 'User Registration'; } // If no first_name session variable exists, redirect the user: if (!isset($_SESSION['first_name'])) { $url = BASE_URL . ''; // Define the URL. ob_end_clean(); // Delete the buffer. header("Location: $url"); exit(); // Quit the script. } ?> <!-- saved from url=(0022)http://internet.e-mail --> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"> <head> <TITLE>Wholesale Accounts</TITLE> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <META name=“description”, content= “”> <META name=“keywords”, content=“”> <META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"> <link href="../styleswholesale.css" rel="STYLESHEET" type="text/css"> <style type="text/css">html>body #content{height:750px;}</style> </head> <body> <div id="blanket"> <div id="wrapper"> <div id="header"></div> <div id="content"> <table align="left"> <?include("../includes/topbarw.php");?> <tr> <td> <?include("../includes/menuw.php");?> </td> <td> <table> <tr><td> <div id="centercolumn"> <a name="top"></a> <p class="redtitle" align="center">Wholesale Login Success</p> </div> </td> <td> <div id="rightcolumn"> <?include("../includes/HomeCartBoxw.php");?> </td></tr> <a name="top"></a> <tr><td colspan="2"><p align="center">Welcome, <?=$first_name?>! Wholesale account info goes here.</p></td></tr> </table></tr> </td> </tr> </table> <tr><td colspan="3"><a href="#top">Back to top</a></td></tr></table></tr> </td> </tr> </table> </div> <?include("../includes/Footerw.php");?> </div> </div> <script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try {var pageTracker = _gat._getTracker("UA-12575357-1"); pageTracker._trackPageview(); } catch(err) {} </script> </body> </html> <?php // Flush the buffered output. ob_end_flush(); ?> This code is my checkuser.php <? /* Check User Script */ session_start(); // Start Session include 'db.php'; // Convert to simple variables $username = $_POST['username']; $password = $_POST['password']; if((!$username) || (!$password)){ $enter_all = "Please enter ALL of the information."; echo "Please enter ALL of the information! <br />"; include 'login_form.php'; exit(); } // Convert password to md5 hash, don't forget to change $password to $encrypt_password in the sql query below //$encrypt_password = md5($password); // check if the user info validates the db $sql = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'"); $login_check = mysql_num_rows($sql); if($login_check > 0){ while($row = mysql_fetch_array($sql)){ foreach( $row AS $key => $val ){ $$key = stripslashes( $val ); } // Register some session variables! session_register('first_name'); $_SESSION['first_name'] = $first_name; session_register('last_name'); $_SESSION['last_name'] = $last_name; session_register('email_address'); $_SESSION['email_address'] = $email_address; session_register('special_user'); $_SESSION['user_level'] = $user_level; session_register('username'); $_SESSION['username'] = $username; session_register('password'); $_SESSION['password'] = $password; mysql_query("UPDATE users SET last_login=now() WHERE userid='$userid'"); //redirect to file login_success.php header("Location: login_success.php"); } } else { $not_loggedin = "You could not be logged in! Either the username and password do not match or you have not validated your account!"; echo "You could not be logged in! Either the username and password do not match or you have not validated your account!<br /> Please try again!<br />"; include 'login_form.php'; } ?> THANK YOU FOR ANY HELP! Aubrey I'll be out of town this weekend, so I will miss any quick replies Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.