  1. #1
    Join Date
    May 2005
    Location
    United Kingdom / England
    Posts
    569

    'Member Access Only' Session issue

    Hi guys, I've spent 3 whole days trying to get this to work but it doesn't. I have done most of the work, just stuck with session issues I think.


    Basically I have custom member pages: member1.php, member2.php. The design and content will be custom to each member; they also have their own login page.

    Each member should be able to access their page and simply view their secure area. They should not be able to log into another user's area if they don't have the username or password for it.

    Now the problem is, I have this entire script set up and it works; however, I fear there is something wrong with the sessions which allows other members to access other members' pages with their own passwords and usernames because they share the same database. So the script executes thinking it's a valid user and lets them in.

    Here is my login checker. Once the user is validated they are sent to their own folder, header("Location: ../{$loginusername}/index.php");, and are able to view the page.

    PHP Code:
    <?php
    require_once('../config.php');

    // Connect to the server and select the database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db")or die("Unable to select database");

    // The username and password sent from login.php
    $loginusername=$_POST['username'];
    $loginpassword=$_POST['password'];

    //The following bit of coding protects from MySQL injection attacks
    $loginusername = stripslashes($loginusername);
    $loginpassword = stripslashes($loginpassword);
    $loginusername = mysql_real_escape_string($loginusername);
    $loginpassword = mysql_real_escape_string($loginpassword);

    $sql="SELECT * FROM $tbl WHERE username='$loginusername' and password='$loginpassword'";

    //$sql="SELECT * FROM $tbl WHERE userName='"test"' and password='".$loginpassword."'";

    $result=mysql_query($sql);

    // Count how many results were pulled from the table
    $count=mysql_num_rows($result);

    // If the result equals 1, continue
    if($count==1){

        session_start();

        $_SESSION["loginusername"] = $loginusername;
        $_SESSION['user1'] = $username; // store session data
        //echo "User: = ". $_SESSION['loginusername']; //retrieve data
        header("Location: ../{$loginusername}/index.php");

    }
    // If not successful, inform the user of error
    else {
        echo "Wrong Username or Password";
    }
    ?>

    Now here is the secure page sample:


    PHP Code:
    <?php
    session_start();
    if (!$_SESSION['user1']){ //if not present assuming this is not the setting page
        header("Location: login.php"); //redirect to login page
    }else{
        print "its working test 1";
    }
    ?>

    <html>
    <body>
    Login Successful for
    </body>
    </html>
    For each login page I have given each user its own session. This works; however, if user1 logs in and simply changes the URL to user2 and enters his user2 password he is granted access, giving him new sessions, which means he has access to everything.

    I'm pretty sure I'm missing something really small; any help would be appreciated.
    Kayz

  2. #2
    Join Date
    May 2008
    Location
    Citrus Heights, CA
    Posts
    1,887
    "user1 logs in and simply changes the url to user2 and enters his user2"

    so user1 has user2 password? so, User1 could have logged into User2 from the start.....

  3. #3
    Join Date
    May 2005
    Location
    United Kingdom / England
    Posts
    569
    Originally Posted by Mark Muyskens:
    "user1 logs in and simply changes the url to user2 and enters his user2"
    Almost, not his user2 id. He can access other pages with his username and password as they are in the same db.


    Originally Posted by Mark Muyskens:
    so user1 has user2 password?
    No.

    Originally Posted by Mark Muyskens:
    so, User1 could have logged into User2 from the start.....
    Yes.



    The users are in one database but they are allocated different pages just for themselves. Their usernames and passwords are checked via the same database thus giving them access to all pages.

    You will see I've almost got it to work by the use of sessions. It 'technically' works, but not really... if a tech-savvy person comes along then they can easily gain access to other pages with their 'own username and password'.
    Kayz

  4. #4
    Join Date
    May 2009
    Location
    Tennessee
    Posts
    305
    I'm not sure I completely understand what you're trying to do here, but here's my attempt at making your code make sense.

    PHP Code:
    <?php
    require_once('../config.php');

    // Connect to the server and select the database.
    mysql_connect("$host", "$username", "$password") or die("cannot connect");
    mysql_select_db("$db") or die("Unable to select database");

    // The username and password sent from login.php
    $loginusername=trim($_POST['username']);
    $loginpassword=trim($_POST['password']);

    //The following bit of coding protects from MySQL injection attacks
    $loginusername_clean=mysql_real_escape_string($loginusername);
    $loginpassword_clean=mysql_real_escape_string($loginpassword);

    $sql="SELECT * FROM $tbl WHERE username='$loginusername_clean' and password='$loginpassword_clean'";

    $result=mysql_query($sql);

    // If the result equals 1, continue
    if(mysql_num_rows($result)==1)
    {
        session_start();

        $_SESSION["loginusername"] = $loginusername;

        header("Location: ../{$loginusername}/index.php");
    }
    // If not successful, inform the user of error
    else
    {
        echo "Wrong Username or Password";
    }
    ?>
    PHP Code:
    <?php
    session_start();

    $allowed_users=array("user1"); //using an array here just in case you ever decide to allow more than one user to access the page

    if(empty($_SESSION['loginusername']))
    {
        //not logged in at all
        header("Location: login.php"); //redirect to login page
        exit;
    }
    elseif(!in_array($_SESSION['loginusername'], $allowed_users, true))
    {
        //logged in, but not as a user this page belongs to
        echo "You do not have permission to view this page!";
        exit;
    }
    ?>
    <html>
    <body>
    Login Successful for <?=$_SESSION['loginusername']?>
    </body>
    </html>

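The per-page check from post #4, generalised so that one shared include serves every member folder (an added example, not code from any poster in this thread): the page owner is taken from the folder name and compared with the `loginusername` session value set at login. The file name `guard.php` and the function names are assumptions.

```php
<?php
// guard.php (hypothetical name): one copy shared by every member folder.
// Assumes the login script stored the username in $_SESSION['loginusername'].

/** Owner of a page is the folder that holds it: .../user2/index.php -> "user2". */
function page_owner(string $scriptPath): string
{
    return basename(dirname($scriptPath));
}

/** Returns 'login' (no session user), 'deny' (someone else's page) or 'allow'. */
function authorize_member(array $session, string $pageOwner): string
{
    $user = $session['loginusername'] ?? '';
    if (!is_string($user) || $user === '') {
        return 'login';
    }
    return $user === $pageOwner ? 'allow' : 'deny';
}

/** Call as require_owner(__FILE__) on the first line of a member page. */
function require_owner(string $scriptPath): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $decision = authorize_member($_SESSION, page_owner($scriptPath));
    if ($decision === 'login') {
        header('Location: login.php'); // each member folder has its own login page
        exit;
    }
    if ($decision === 'deny') {
        http_response_code(403);       // valid account, but not this page's owner
        exit('You do not have permission to view this page!');
    }
}

// Constructed self-check: run `php guard.php` on the command line.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $owner = page_owner('/var/www/members/user2/index.php'); // constructed path
    $sessions = [[], ['loginusername' => 'user1'], ['loginusername' => 'user2']];
    foreach ($sessions as $s) {
        printf("%-7s on %s's page: %s\n", $s['loginusername'] ?? '(none)',
            $owner, authorize_member($s, $owner));
    }
}
```

Each member's index.php then starts with `require '../guard.php'; require_owner(__FILE__);` (the relative path is an assumption about the folder layout). The comparison is exact, so at login store the username as it appears in the database row rather than the submitted form value.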