Please, I need help with this validation script. Even after logout and without login, I can access the assigned webpage. What might be wrong?

<?php
	//Start session
	session_start();
	
	//Check whether the session variable SESS_MEMBER_ID is present or not
	if(!isset($_SESSION['login']) xor (trim($_SESSION['login']) == '')) {
		header("location: login.php");
		exit();
	}
?>

Have you dumped the session variable to the screen to see if it really does contain a value? Maybe it is there from a previous signon.

Instead of comparing the session variable to '' try the empty() function.

Can you please help rewrite the correct code, because I don't know what else to do; every variable I use seems not to work out.

Member Avatar for diafol
if(!isset($_SESSION['login']) || trim($_SESSION['login']) == '') {
		header("location: login.php");
		exit();
	}

?

Although I couldn't see anything wrong with your code. :(

commented: Nice One! Will redirect the User when the Session is null! +3
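
Why the first post's guard and the `||` version behave differently, as an added example that is not part of the thread: when `$_SESSION['login']` is missing, both halves of the `xor` are true, so the whole condition is false and no redirect is sent. The helper names `guard_xor` and `guard_or` and the sample session arrays are constructed for illustration.

```php
<?php
// Added example (not from the thread): evaluate both guard conditions on
// constructed session arrays. A return value of true means "redirect".

function guard_xor(array $session): bool
{
    // Condition from the first post. The ?? '' only avoids an undefined-index
    // notice here; a missing value trims to '' either way.
    return !isset($session['login']) xor (trim($session['login'] ?? '') == '');
}

function guard_or(array $session): bool
{
    // Condition from the reply: redirect if the value is missing OR blank.
    return !isset($session['login']) || trim($session['login']) == '';
}

// Constructed inputs covering the states the session value can be in.
$cases = [
    'never logged in' => [],
    'blank value'     => ['login' => '   '],
    'logged in'       => ['login' => 'alice'],
];

foreach ($cases as $label => $session) {
    printf(
        "%-16s xor=%-5s or=%s\n",
        $label,
        var_export(guard_xor($session), true),
        var_export(guard_or($session), true)
    );
}
```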

Make sure you are either destroying or unsetting your session variable on user logout. If not, they will still be able to access that page after they have logged in once.

<?php
//In your logout.php script
session_start();
unset($_SESSION['login']);
header("location: login.php");
?>

Or you can destroy the current session:

<?php
session_start();
session_destroy();
header( "location: login.php" ) ;
?>

@Ardav..

It didn't work out; instead it took me back to login.php. OMG, I really need to get this done.

@ctaylo21...

Here is my logout script...and they can still view the page even without login...

<?php
//Start session
session_start();

//Unset the variables stored in session
unset($_SESSION['login']);
unset($_SESSION['login']);
unset($_SESSION['login']);


?>

@ctaylo21...

Here is my logout script...and they can still view the page even without login...

<?php
//Start session
session_start();

//Unset the variables stored in session
unset($_SESSION);
unset($_SESSION);
unset($_SESSION);


?>

Why are you unsetting the session variable three times? Try adding the re-direct to login.php after you unset the session variable. If you don't, they might still be able to hit back on the browser menu and see the page.

@ctaylo21...

Even after logging out... when I click the back button, you can still access the page. So in that case, can you help me look into the page user validation?

That may be the problem. Like I said before, if you haven't already, change your logout.php to this:

<?php
//Start session
session_start();

//Unset the variables stored in session
unset($_SESSION['login']);

//Redirect user to login page
header("location: login.php");

?>

This should fix the problem of being able to hit back on the browser and see a page you shouldn't be able to see after logging out. If the user validation code you are referring to is the code you first posted, I don't see anything wrong with that particular section. So try the code above and let me know if that helps or not.
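
A fuller version of the logout and page check discussed above, as an added example that is not code from the thread. Two things outside the `if` itself can leave a protected page visible: the page never calls `session_start()`, or the browser shows its cached copy on Back without asking the server again. The function names `require_login()` and `logout()` and the file name `auth.php` are hypothetical; the `login` key and `login.php` come from the thread.

```php
<?php
// auth.php (hypothetical name). Added example, not from the thread.
// Include it before any output is sent, because it sets headers.

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // without this, $_SESSION is never populated
    }
    // Ask the browser not to store the page, so Back re-requests it and
    // the check below runs again instead of a cached copy being shown.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    if (!isset($_SESSION['login']) || trim($_SESSION['login']) === '') {
        header('Location: login.php');
        exit();            // stop so no protected markup follows the redirect
    }
}

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];        // clear the data; do not unset($_SESSION) itself

    // Expire the session cookie in the browser.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();     // remove the server-side session data
    header('Location: login.php');
    exit();
}

// Protected page, first lines:  require 'auth.php'; require_login();
// logout.php:                   require 'auth.php'; logout();
```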

I did but it can still view the page without login with the

<php
if(!isset($_SESSION['login']) || trim($_SESSION['login']) == '') {
		header("location: login.php");
		exit();
?>

on the page....

Even with the logout script, when I hit the back button, I can still view the page without login. What might be the problem? Is the user validation on the page wrong?

if(!isset($_SESSION['login']) || trim($_SESSION['login']) == '') {
		header("location: login.php");
		exit();
	}

Or what do you suggest?

Dear octaylo...

I still can hit the back button and gain access to the webpage. Just so stressed out and confused. It didn't work.

I don't see anything wrong with your validation, so you will need to post more code for me to try to find the problem. Can you post your complete login/logout code and the page you are trying to keep login protected?

knottykings,

Please post your: Login, Logout, 1 "user only" page codes

Try my code... it's working.

<?php

session_start();

$con = mysql_connect("localhost:3306","user","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
//echo'Connected Successfully';

mysql_select_db("userdetails", $con);


$userid=$_POST['username'];
$password=$_POST['password'];

$userid=mysql_real_escape_string($userid);
$password=mysql_real_escape_string($password);

if($rec=mysql_fetch_array(mysql_query("SELECT * FROM userdetails.data WHERE userid='$userid' AND password = '$password'"))){
	
if(($rec['userid']==$userid)&&($rec['password']==$password)){
	 
	echo "Login Successful..!!";
}
}	
else if(($rec['userid']!=$userid)||($rec['password']!=$password)){

	echo "UserID or Password incorrect.Try again..!!";
	session_unset();
}

?>
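
The login code above relies on the `mysql_*` functions, which were removed in PHP 7, compares the stored password directly, and never sets `$_SESSION['login']`, which is the value the page check in this thread looks for. A current equivalent follows as an added example, not code from the thread: it uses a PDO prepared statement, `password_hash()`/`password_verify()`, and a new session ID on success. The `users` table, its columns and the sample account are constructed, and an in-memory SQLite database (the `pdo_sqlite` extension is assumed) stands in for the real one.

```php
<?php
// Added example (not from the thread). Table, columns and account are constructed.

function check_credentials(PDO $pdo, string $userid, string $password): bool
{
    // Bound parameter: the submitted value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE userid = ?');
    $stmt->execute([$userid]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched; treat that as failure.
    return is_string($hash) && password_verify($password, $hash);
}

function login(PDO $pdo, string $userid, string $password): bool
{
    if (!check_credentials($pdo, $userid, $password)) {
        return false;                 // same result for unknown user and bad password
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);  // issue a new session ID after authentication
    }
    $_SESSION['login'] = $userid;     // the value the page guard checks
    return true;
}

// --- constructed demo data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid TEXT PRIMARY KEY, password_hash TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Collect results first, print once at the end.
$results = [
    'wrong password' => login($pdo, 'alice', 'wrong'),
    'unknown user'   => login($pdo, 'bob', 'anything'),
    'valid login'    => login($pdo, 'alice', 'correct horse'),
];
var_export($results);
echo PHP_EOL;
```

In a web request, call `session_start()` before `login()` so the session ID is regenerated and the `login` value is persisted.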