04-10-2011, 06:07 PM #1 Web Hosting Master
'Member Access Only' Session issue
Hi guys, I've spent 3 whole days trying to get this to work but it doesn't. I have done most of the work, just stuck with session issues I think.
Basically I have custom member pages: member1.php, member2.php. The design and content will be custom to each member; they also have their own login page.
Each member should be able to access their page and simply view their secure area. They should not be able to log into another user's area if they don't have the username or password for it.
Now the problem is, I have this entire script set up and it works, however I fear there is something wrong with the sessions which allows other members to access other members' pages with their own passwords and usernames because they share the same database. So the script executes thinking it's a valid user and lets them in.
Here is my login checker. Once the user is validated they are sent to their own folder, header("Location: ../{$loginusername}/index.php");, and are able to view the page.
PHP Code:
<?php
require_once('../config.php');
// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db") or die("Unable to select database");
// The username and password sent from login.php
$loginusername = $_POST['username'];
$loginpassword = $_POST['password'];
// The following bit of coding protects from MySQL injection attacks
$loginusername = stripslashes($loginusername);
$loginpassword = stripslashes($loginpassword);
$loginusername = mysql_real_escape_string($loginusername);
$loginpassword = mysql_real_escape_string($loginpassword);
$sql = "SELECT * FROM $tbl WHERE username='$loginusername' and password='$loginpassword'";
//$sql="SELECT * FROM $tbl WHERE userName='"test"' and password='".$loginpassword."'";
$result = mysql_query($sql);
// Count how many results were pulled from the table
$count = mysql_num_rows($result);
// If the result equals 1, continue
if ($count == 1) {
    session_start();
    $_SESSION["loginusername"] = $loginusername;
    $_SESSION['user1'] = $username; // store session data
    //echo "User: = ". $_SESSION['loginusername']; //retrieve data
    header("Location: ../{$loginusername}/index.php");
}
// If not successful, inform the user of error
else {
    echo "Wrong Username or Password";
}
?>
Now here is the secure page sample:
PHP Code:
<?php
session_start();
if (!$_SESSION['user1']) { // if not present assuming this is not the setting page
    header("Location: login.php"); // redirect to login page
} else {
    print "its working test 1";
}
?>
<html>
<body>
Login Successful for
</body>
</html>
I'm pretty sure I'm missing something really small; any help would be appreciated.
Kayz
-
04-10-2011, 06:13 PM #2 Rebooting is a hack, not a fix
"user1 logs in and simply changes the url to user2 and enters his user2"
So user1 has user2's password? So User1 could have logged into User2 from the start.....
-
04-10-2011, 07:34 PM #3 Web Hosting Master
Almost, not his user2 id. He can access other pages with his username and password as they are in the same db.
No.
Yes.
The users are in one database but they are allocated different pages just for themselves. Their usernames and passwords are checked via the same database thus giving them access to all pages.
You will see I've almost got it to work by the use of sessions. It 'technically' works, but not really... if a tech-savvy person comes along then they can easily gain access to other pages with their 'own username and password'.
Kayz
-
04-11-2011, 12:50 AM #4 Web Hosting Guru
I'm not sure I completely understand what you're trying to do here, but here's my attempt at making your code make sense.
PHP Code:
<?php
require_once('../config.php');
// Connect to the server and select the database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db") or die("Unable to select database");
// The username and password sent from login.php
$loginusername = trim($_POST['username']);
$loginpassword = trim($_POST['password']);
// The following bit of coding protects from MySQL injection attacks
$loginusername_clean = mysql_real_escape_string($loginusername);
$loginpassword_clean = mysql_real_escape_string($loginpassword);
$sql = "SELECT * FROM $tbl WHERE username='$loginusername_clean' and password='$loginpassword_clean'";
$result = mysql_query($sql);
// If the result equals 1, continue
if (mysql_num_rows($result) == 1)
{
    session_start();
    $_SESSION["loginusername"] = $loginusername;
    header("Location: ../{$loginusername}/index.php");
    exit; // stop here so nothing else is sent after the redirect
}
// If not successful, inform the user of error
else
{
    echo "Wrong Username or Password";
}
?>
PHP Code:
<?php
session_start();
$allowed_users = array("user1"); // using an array here just in case you ever decide to allow more than one user to access the page
if (empty($_SESSION['loginusername']))
{
    // nobody is logged in
    header("Location: login.php"); // redirect to login page
    exit;
}
elseif (!in_array($_SESSION['loginusername'], $allowed_users))
{
    // logged in, but not as a user who is allowed on this page
    echo "You do not have permission to view this page!";
    exit;
}
?>
<html>
<body>
Login Successful for <?=htmlspecialchars($_SESSION['loginusername'])?>
</body>
</html>
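The problem discussed in this thread is that the protected page only checks that some session exists, not that the logged-in member owns the page. As an added example (not code from any poster in this thread), the code below keeps authentication and authorization as two separate checks; the members table, its password_hash column, the in-memory SQLite database (needs the pdo_sqlite extension) and the helper names authenticate, can_view and require_owner are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Table/column names, helper names
// and the per-member directory layout (/user1/index.php) are assumptions.

// Authentication: prepared statement plus hashed password. Returns the
// username exactly as stored in the database, or null on failure.
function authenticate(PDO $db, string $user, string $pass): ?string {
    $stmt = $db->prepare('SELECT username, password_hash FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($pass, $row['password_hash'])) {
        return $row['username'];
    }
    return null;
}

// Authorization: the session must belong to the owner of this page.
function can_view(array $session, string $pageOwner): bool {
    return isset($session['loginusername'])
        && is_string($session['loginusername'])
        && hash_equals($pageOwner, $session['loginusername']);
}

// Guard to call at the top of each member's index.php, before any output.
function require_owner(string $pageOwner): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (empty($_SESSION['loginusername'])) {
        header('Location: login.php'); // nobody is logged in
        exit;
    }
    if (!can_view($_SESSION, $pageOwner)) {
        http_response_code(403); // logged in, but as a different member
        exit('You do not have permission to view this page!');
    }
}

// Constructed demo data: two members in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO members VALUES (?, ?)');
$ins->execute(['user1', password_hash('pw-one', PASSWORD_DEFAULT)]);
$ins->execute(['user2', password_hash('pw-two', PASSWORD_DEFAULT)]);

$session = ['loginusername' => authenticate($db, 'user1', 'pw-one')];
var_dump(can_view($session, 'user1'));          // user1 on user1's page
var_dump(can_view($session, 'user2'));          // user1 on user2's page
var_dump(authenticate($db, 'user1', 'pw-two')); // wrong password
```

In each member's index.php, calling require_owner(basename(__DIR__)) takes the page owner from the directory name on the server rather than from anything the browser sends. Calling session_regenerate_id(true) right after a successful authenticate() gives the logged-in session a fresh ID.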