
deny url access using php sessions


graham

Hi all,

I was hoping that someone could point me in the right direction (I'm new to this so go easy on me).

I'm writing a very simple login page. I want to make it impossible for an unauthorised user to enter the members area simply by entering the correct URL.

This is the members.php code:


<?php
session_start();

// Not logged in: redirect to the login page and stop executing. Without the
// exit, the members-area HTML below is still sent after the Location header.
if (!isset($_SESSION['username']))
{
header ("Location: my_login_main.html");
exit;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="my_login_style.css" />
<title>Welcome Member</title>
</head>
<body>
<h1>Welcome to the Members Area!</h1>

<?php
// Escape the stored username before echoing it into the HTML.
echo "hello " . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') . " you have logged in successfully";
?>

</body>
</html>


and the username and password get checked with this PHP code:


<?php session_start();

if (isset($_POST['submit']))
{
if($_POST['username'] == '' || $_POST['password'] == '')
{
echo '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="stylesheet" type="text/css" href="my_login_style.css" />
<title>Login Main</title>
</head>
<body>
<h1>Login Main</h1><br />
<div class="error">Please fill in both text fields</div><br />
<form action="check_user.php" method="post">
<strong>Username:</strong><input type="text" name="username" /><br />
<strong>Password: </strong><input type="password" name="password" /><br />
<input type="submit" name="submit" value="Submit" /><br /><br />
<a href="create_new_user.php">Create New User</a>
</form>
</body>
</html>';
}
else
{
//connect to database (legacy mysql_* extension, removed in PHP 7)
include ("connect.php");
// session variables are set before the credentials have been checked
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
//create query (the submitted values are placed straight into the SQL string)
$query = mysql_query("SELECT * FROM users WHERE Username = '$_SESSION[username]' AND Password = '$_SESSION[password]'");
if (mysql_num_rows($query) > 0)
{
header ("Location: members.php");
exit; // stop the script after issuing the redirect
}
else
{
echo "Username and password not found";
}
}
}


I'm quite sure the solution is obvious but I just can't seem to see it.


It looks like you have the correct code in place:

if (!isset($_SESSION['username']))
{
header ("Location: my_login_main.html");
exit; // stop the script so nothing after the redirect is output
}

That should check to ensure that the correct $_SESSION variable is set, and if not, redirect the unauthorized user.

The issue, however, is how you are handling the login process, specifically this section:


//connect to database
include ("connect.php");
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
//create query
$query = mysql_query("SELECT * FROM users WHERE Username = '$_SESSION[username]' AND Password = '$_SESSION[password]'");
if (mysql_num_rows($query) > 0)
{
header ("Location: members.php");
exit;
}
else
{
echo "Username and password not found";
}


Rather than setting the session variables immediately, it would be better to set them to be temporary variables, and only set the session variables if the user is successfully logged in. Something like this:


//connect to database
include ("connect.php");
$username = $_POST['username'];
$password = $_POST['password'];
//create query (still unescaped here; see the note below about mysql_real_escape_string())
$query = mysql_query("SELECT * FROM users WHERE Username = '$username' AND Password = '$password'");
if (mysql_num_rows($query) > 0)
{
// successful log in: only now is anything stored in the session
$_SESSION['username'] = $_POST['username'];
header ("Location: members.php");
exit; // stop the script after the redirect
}
else
{
echo "Username and password not found";
}

I should also point out... you really don't want to give the visitor open access to modify your SQL queries, by simply taking whatever username/password they enter and putting it directly into the MySQL query. Definitely use mysql_real_escape_string() or something similar to prevent SQL injection. http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

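A hardened version of the login handler the reply sketches, as an added example (not code from the thread): it assumes connect.php exposes a PDO connection in $pdo and a `users` table with `username` and `password_hash` columns, and it swaps the string-built SQL for a prepared statement, compares against a password_hash() value instead of a plaintext column, sets the session only after a successful check, regenerates the session id, and exits after the redirect.

```php
<?php
// Added example, not the original poster's or the reply's code. It assumes
// connect.php provides a PDO connection in $pdo, and a `users` table with
// columns `username` and `password_hash` (output of password_hash()), so it
// swaps the plaintext-password comparison for hashed verification.
session_start();
require __DIR__ . '/connect.php';
function authenticate(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the submitted values are bound as parameters and
    // never become part of the SQL text, so they cannot alter the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

$error = '';
if (isset($_POST['submit'])) {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';

    if ($username === '' || $password === '') {
        $error = 'Please fill in both text fields';
    } elseif (authenticate($pdo, $username, $password)) {
        // Only now touch $_SESSION, and only with the username: the password
        // has no business living in the session.
        session_regenerate_id(true); // new id on login blocks session fixation
        $_SESSION['username'] = $username;
        header('Location: members.php');
        exit; // without exit, the HTML below would still be sent to the client
    } else {
        // Same message for unknown user and wrong password.
        $error = 'Username and password not found';
    }
}
// members.php uses the matching guard: redirect and stop.
//   if (!isset($_SESSION['username'])) { header('Location: my_login_main.html'); exit; }
?>
<!DOCTYPE html>
<html><head><title>Login Main</title></head><body>
<?php if ($error !== ''): ?>
<div class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></div>
<?php endif; ?>
<form action="check_user.php" method="post">
<input type="text" name="username" /> <input type="password" name="password" />
<input type="submit" name="submit" value="Submit" />
</form>
</body></html>
```

The stored hashes are created at sign-up with password_hash($password, PASSWORD_DEFAULT), so the plaintext Password column from the original schema is no longer needed.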
