Member Avatar for knottykings

Pls I need help on this validation script. Even after logout and without login, I can access the assigned webpage. What might be wrong??

<?php
	//Start session
	session_start();
	
	//Check whether the session variable SESS_MEMBER_ID is present or not
	if(!isset($_SESSION['login']) xor (trim($_SESSION['login']) == '')) {
		header("location: login.php");
		exit();
	}
?>
Edited by Narue because: Added code tags
  • 6 Contributors
  • 15 Replies
  • 181 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by nagarjunrajen
Member Avatar for svilla

Have you dumped the session variable to the screen to see if it really does contain a value? Maybe it is there from a previous signon.

Instead of comparing the session variable to '' try the empty() function.

Member Avatar for knottykings

Can you please help rewrite the correct code cos i don't know wat else to do cos all variable i use seems nt to work out.

Member Avatar for diafol 
if(!isset($_SESSION['login']) || trim($_SESSION['login']) == '') {
		header("location: login.php");
		exit();
	}

?

Although I couln't see anything wrong with your code. :(

Edited by diafol because: n/a
commented: Nice One! Will redirect the User when the Session is null! +3
Member Avatar for ctaylo21

Make sure you are either destroying or unsetting your session variable on user logout. If not, they will still be able to access that page after they have logged in once.

<?
//In your logout.php script
session_start();
unset($_SESSION['login']);
header("location: login.php");
?>

Or you can destroy the current session:

<?php
session_start();
session_destroy();
header( "location: login.php" ) ;
?>
Edited by ctaylo21 because: n/a
Member Avatar for knottykings

@Ardav..

It didn't work out inside it toke me back to login.php. OMG I really need to get this done.

Member Avatar for knottykings

@ctaylo21...

Here is my logout script...and they can still view the page even without login...

<?php
//Start session
session_start();

//Unset the variables stored in session
unset($_SESSION['login']);
unset($_SESSION['login']);
unset($_SESSION['login']);


?>
Edited by peter_budo because: Keep It Clear - Do use code tags when posting any code
Member Avatar for ctaylo21

@ctaylo21...

Here is my logout script...and they can still view the page even without login...

<?php
//Start session
session_start();

//Unset the variables stored in session
unset($_SESSION);
unset($_SESSION);
unset($_SESSION);


?>

Why are you unsetting the session variable three times? Try adding the re-direct to login.php after you unset the session variable. If you don't, they might still be able to hit back on the browser menu and see the page.

Member Avatar for knottykings

@ctaylo21...

Even after login out...wen i click the back button, you can still access the page. So in that case, can you help me look into the page user validation??/

Member Avatar for ctaylo21

@ctaylo21...

Even after login out...wen i click the back button, you can still access the page. So in that case, can you help me look into the page user validation??/

That may be the problem. Like I said before, if you haven't already, change your logout.php to this:

<?php
//Start session
session_start();

//Unset the variables stored in session
unset($_SESSION['login']);

//Redirect use to login page
header("location: login.php");

?>

This should fix the problem of being able to hit back on the browser and see a page you shouldn't be able to see after logging out. If the user validation code you are referring to is the code you first posted, I don't see anything wrong with that particular section. So try the code above and let me know if that helps or not.

Member Avatar for knottykings

I did but it can still view the page without login with the

<php
if(!isset($_SESSION['login']) || trim($_SESSION['login']) == '') {
		header("location: login.php");
		exit();
?>

on the page....

Edited by peter_budo because: Keep It Clear - Do use code tags when posting any code
Member Avatar for knottykings

Even with the logout out script, wen i hit the back button, I can still view the page without login. What might be the problem? Is the user validation on the page wrong?

if(!isset($_SESSION['login']) || trim($_SESSION['login']) == '') {
		header("location: login.php");
		exit();
	}

Or wat do u suggest?

Edited by peter_budo because: Keep It Clear - Do use code tags when posting any code
Member Avatar for knottykings

Dear octaylo...

I still can hit the back button and gain access to the webpage. Just so stressed out and confused. It didn't work.

Member Avatar for ctaylo21

I dont' see anything wrong with your validation so you will need to post more code for me to try find the problem. Can you post your complete login/logout code and the page you are trying to keep login protected?

Member Avatar for stoopkid

knottykings,

Please post your: Login, Logout, 1 "user only" page codes

Member Avatar for nagarjunrajen

try my code..its working..

<?php

session_start();

$con = mysql_connect("localhost:3306","user","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
//echo'Connected Successfully';

mysql_select_db("userdetails", $con);


$userid=$_POST['username'];
$password=$_POST['password'];

$userid=mysql_real_escape_string($userid);
$password=mysql_real_escape_string($password);

if($rec=mysql_fetch_array(mysql_query("SELECT * FROM userdetails.data WHERE userid='$userid' AND password = '$password'"))){
	
if(($rec['userid']==$userid)&&($rec['password']==$password)){
	 
	echo "Login Successful..!!";
}
}	
else if(($rec['userid']!=$userid)||($rec['password']!=$password)){

	echo "UserID or Password incorrect.Try again..!!";
	session_unset();
}

?>
Edited by peter_budo because: Keep It Clear - Do use code tags when posting any code
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.