I am working on a login form where multiple users can sign in using their username and password. Depending on who it is, it will take them to a certain file or link depending on how we set it for that user (john.doe goes to test1.php and jane.doe goes to test2.php).
When I try to log in with a username and password, it won't take me to the page. It keeps saying the page has a redirect loop and it timed out. Also, how do I secure a page so that once I log out, I can't go back to it by using the back button or typing in the URL directly? Please help. Thank you in advance. Here is what I have so far:
SQL has 4 fields
Field     Type          Collation          Null  Extra
id        int(10)                          No    auto_increment
username  varchar(20)   latin1_swedish_ci  No
password  varchar(20)   latin1_swedish_ci  No
redirect  varchar(250)  latin1_swedish_ci  No
I have 4 php files I work with. workspace.php, workspace_login.php, workspace_logout.php, workspace_files.php.
workspace.php - login screen
<form name="form" method="post" action="workspace_login.php">
<table>
<tr><td>Login</td></tr>
<tr><td>Username: <input name="username" type="text" style="width:215px" autocomplete="off"></td></tr>
<tr><td>Password: <input name="password" type="password" style="width:215px" autocomplete="off"></td></tr>
<tr><td><input type="submit" name="submit" value="Login"></td></tr>
</table>
</form>
workspace_login.php - login script
<?php
$host="localhost"; // Host name
$username="*****"; // Mysql username
$password="******"; // Mysql password
$db_name="*****"; // Database name
$tbl_name="workspace"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result = mysql_query($sql);

// Mysql_num_row is counting table row
$count = mysql_num_rows($result);

// If result matched $username and $password, table row must be 1 row
if($count == 1){
    // Register $username, $password and redirect to file "workspace_success.php"
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;

    // get the result set from the query
    $result = mysql_fetch_array($result);

    // get the redirect column's value
    $redirect = trim($result['redirect']);

    if ($redirect == '') {
        echo "No redirect value was set!";
    } else {
        header('Location: ' . $redirect);
        exit;
    }
} else {
    echo "Wrong Password!";
}
?>
workspace_logout.php - logout script
<?php
session_start();
$username=$_SESSION['username'];
if (session_destroy()){
    unset($username);
}
if($username=="")
{
    header("Location: workspace.php");
    exit();
}
?>
workspace_files.php
<?php
session_start();
if (!isset($_SESSION['username'])) {
    header('Location: workspace_files.php');
}
?>
<html>
<head>
<title>Secured Page</title>
</head>
<body>
<p>Welcome <b><?php echo $_SESSION['username']; ?></b>
Information here.</p>
<p><a href="logout.php">Logout</a></p>
</body>
</html>
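
One way to address both questions above, as an added example that is not part of the original post: in the posted files, workspace_login.php never calls session_start() and workspace_files.php redirects to itself when no session exists, which produces the loop. The sketch assumes a PDO connection, passwords stored with password_hash() (which needs a wider column than varchar(20)), and hypothetical helper names start_session(), login(), require_login() and logout().

```php
<?php
// Added example, not the poster's code. Helper names are hypothetical.
// Assumes: $pdo is a connected PDO handle; `password` holds password_hash() output.

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();                     // must run before any output is sent
    }
}

// workspace_login.php: returns the user's redirect target, or null on bad credentials.
function login(PDO $pdo, string $username, string $password): ?string {
    start_session();                         // without this, $_SESSION is never persisted
    $stmt = $pdo->prepare(
        'SELECT username, password, redirect FROM workspace WHERE username = ?');
    $stmt->execute([$username]);             // bound parameter instead of string escaping
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    session_regenerate_id(true);             // fresh session id after authentication
    $_SESSION['username'] = $row['username']; // the password is never kept in the session
    return trim($row['redirect']);
}

// Top of every protected page (test1.php, test2.php, workspace_files.php).
function require_login(): void {
    start_session();
    // Stop the browser from showing a cached copy when Back is pressed after logout.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    if (!isset($_SESSION['username'])) {
        header('Location: workspace.php');   // the login form, never the page itself
        exit;                                // stop rendering the protected content
    }
}

// workspace_logout.php
function logout(): void {
    start_session();
    $_SESSION = [];                          // clear the session data
    if (ini_get('session.use_cookies')) {    // expire the session cookie as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: workspace.php');
    exit;
}
```

With these in place, a direct request or a Back-button request to a protected page after logout reaches require_login() with an empty session and is sent to the login form. The logout link in workspace_files.php also has to point at workspace_logout.php, the file that actually exists.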