Web Hosting Talk







header already sent, cannot modify header


latheesan
11-29-2005, 07:12 PM
hello,

On the adm_login.php file, admin can login by entering his/her username and password. Username and password are checked against the ones in the db and if they are correct, a cookie is set using this method:
setcookie("logged_in", 'yes', time()+3600);

then the admin is redirected to admin.php file by this method:
header("Location: /admin.php");

no problem so far. Now, back to admin.php file

on this file, i do a little check like this:

<?php
include("inc/header.php");
$check = $_COOKIE['logged_in'];
if(($check) !== "yes"){
include("adm_login.php");
}else{
?>
<html>
<body>
<p>Welcome Admin</p>
</body>
</html>
<?php } include("footer.php"); ?>

what the above check should do is, see if there is a cookie called "logged_in" with the value "yes" on the client's machine. If there isn't a cookie like that, include the adm_login.php file, otherwise show the admin page

seems right yea? well, almost. I get this error message when i enter admin.php page without logging in with correct details:

Warning: Cannot modify header information - headers already sent by (output started at root\mysite.com\inc\header.php:3) in root\mysite.com\adm_login.php on line 11

Warning: Cannot modify header information - headers already sent by (output started at root\mysite.com\inc\header.php:3) in root\mysite.com\adm_login.php on line 12

on the other hand, if i visit adm_login.php and enter correct admin username and password, i get redirected to admin.php file and the page displays without any errors.

Why is this error message showing and how do you fix it?

Burhan
11-29-2005, 08:33 PM
Post the first 5 lines of header.php

seodevhead
11-29-2005, 09:01 PM
This is a common error if you are sending any data to the web browser before your headers. In other words, you probably have some html that is being sent first. Nothing can be sent to the browser before headers are called... or you get this error.

azizny
11-29-2005, 09:17 PM
What's on line 3 of header.php....

as fyrestrtr said, we need the first lines to know what you are doing wrong..

Peace,

Korvan
11-29-2005, 09:20 PM
This is a common error if you are sending any data to the web browser before your headers. In other words, you probably have some html that is being sent first. Nothing can be sent to the browser before headers are called... or you get this error.

This includes spaces or return characters, so make sure you start your page with <?php with NOTHING in front in both your pages and header.php.

latheesan
11-30-2005, 03:50 AM
<html>
<head>
<?php include("meta.php"); ?>
</head>
//some html tables here

as for the meta.php


<?php
include("connect.php");
$query1 = "SELECT * FROM meta";
$result1 = mysql_query($query1);
$arr = mysql_fetch_array($result1);
$description = $arr['description'];
$keywords = $arr['keywords'];
$copyright = $arr['copyright'];
$title = $arr['title'];
echo "<meta http-equiv=\"Content-Language\" content=\"en-gb\">
<META HTTP-EQUIV=\"CACHE-CONTROL\" CONTENT=\"PUBLIC\">
<meta name=\"description\" content=\"$description\">
<meta name=\"keywords\" content=\"$keywords\">
<meta name=\"robots\" content=\"index,follow\">
<meta name=\"copyright\" content=\"$copyright\">
<meta name=\"author\" content=\"Latheesan\">
<meta name=\"language\" content=\"en\">
<meta name=\"revisit-after\" content=\"5\">
<title>$title</title>
<link rel=\"stylesheet\" type=\"text/css\" href=\"images/style.css\">";
?>

latheesan
11-30-2005, 08:13 AM
i read somewhere that i can use

ob_start(callback);

and ob_end_flush();

to overcome the problem i'm having now.

"header already sent" error throws up when you output and then try to do another function, e.g. $cookie = $_COOKIE['val'];

what ob_start(); does apparently, if i'm not mistaken, is wait until all the output is done and then create the function and output again OR it might do the callback function along with all the other functions and outputs altogether as one.. or something like that

so if that's true, i should create a function called callback in meta.php which checks for a cookie and simply use ob_start($callback); in the admin.php file

will this work? i mean, to begin with, does this even make sense?

latheesan
11-30-2005, 08:41 AM
Going through some tutorials on the function ob_start(); gave me this idea and it worked:


<?php
$check = $_COOKIE['logged_in'];
if(($check) !== "yes"){
include($_SERVER['DOCUMENT_ROOT'].'/admin/login.php');
exit();
}
else{
include($_SERVER['DOCUMENT_ROOT'].'/inc/header.php');
?>
<!-- html table and other contents here -->
<?php } ?>

Korvan
11-30-2005, 01:21 PM
Good thing you fixed it; here is why it was broken:

You have to create all cookies and send them before you send any output to the browser; this includes <HTML> tags. You included the header.php before the file that sets up your cookies, which put out some output, so the server sent the HTTP headers with that output. All of a sudden you wanted to put something in those headers, but the client had already received the headers that were sent with your first output.

source: http://www.php.net/manual/en/features.cookies.php
PHP transparently supports HTTP cookies. Cookies are a mechanism for storing data in the remote browser and thus tracking or identifying return users. You can set cookies using the setcookie() (http://www.php.net/manual/en/function.setcookie.php) or setrawcookie() (http://www.php.net/manual/en/function.setrawcookie.php) function. Cookies are part of the HTTP header, so setcookie() must be called before any output is sent to the browser. This is the same limitation that header() (http://www.php.net/manual/en/function.header.php) has. You can use the output buffering functions (http://www.php.net/manual/en/ref.outcontrol.php) to delay the script output until you have decided whether or not to set any cookies or send any headers.



Now that you have that fixed, time to fix your security problem by depending on a value for a client's browser to determine if someone is logged in. VERIFY all data coming from the client, period. Simply setting a logged_in cookie will make your website very vulnerable, and can lead to people you don't want gaining access. It is much better to use the session object and verify the Session ID every time the user accesses a page.
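
The session-based check recommended above, combined with the ordering rule from this thread (every header decision is made before any output), as an added example that is not part of the original posts. The helper names, the `is_admin` and `last_seen` session keys and the HTTPS assumption are hypothetical; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// admin.php, added example (not the poster's code). Login state is kept
// server-side in $_SESSION; the browser only ever holds an opaque session ID.
// In a real layout the two helpers would sit in a shared include that
// adm_login.php loads as well.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
session_set_cookie_params([
    'lifetime' => 0,        // cookie is dropped when the browser closes
    'path'     => '/',
    'secure'   => true,     // assumption: the site is served over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();            // sends Set-Cookie, so it must precede all output

const ADMIN_IDLE_LIMIT = 3600;  // seconds; same one-hour window as the old cookie

// Hypothetical helper: adm_login.php calls this after the password check succeeds.
function admin_mark_logged_in(): void
{
    session_regenerate_id(true);  // fresh ID on privilege change (session fixation)
    $_SESSION['is_admin']  = true;
    $_SESSION['last_seen'] = time();
}

// Hypothetical helper: true only for a live, non-expired admin session.
function admin_is_logged_in(): bool
{
    if (empty($_SESSION['is_admin']) || !isset($_SESSION['last_seen'])) {
        return false;
    }
    if (time() - $_SESSION['last_seen'] > ADMIN_IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

if (!admin_is_logged_in()) {
    header('Location: /adm_login.php');  // still legal: nothing has been output yet
    exit;
}
include 'inc/header.php';                // first output happens only after the check
?>
<p>Welcome Admin</p>
<?php include 'footer.php'; ?>
```

A request that sends a hand-made `logged_in=yes` cookie gets the redirect here, because nothing the client sends is treated as proof of login.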

latheesan
11-30-2005, 01:26 PM
Hey korvan,

Thanks for your help. I actually thought of the security holes and changed the login system to use php sessions instead. Now, in order to login to admin section, admin has to login every time he/she opens the browser and enters http://mysite.com/admin