
I put a validation check on my page so that it is only accessible via login, but the problem is that after logging in, the header redirects it to the login page, meaning it fails the login check. I am typing the correct credentials and I have started the sessions, but I still have no idea what is wrong. I really appreciate your help.

login.php

<?php
session_start();
include("dbConnection.php");

if (isset($_POST['username']) && isset($_POST['pass'])) {
    $username = $_POST['username'];
    $password = $_POST['pass'];

    // Result is never used below. Note that the raw POST values are interpolated
    // straight into the SQL text, and the mysql_* extension was removed in PHP 7.
    $query = mysql_query("SELECT * FROM login WHERE username='$username' and password='$password'");

    // Hard-coded credential check; on success the browser is redirected to alex.php,
    // but nothing is stored in $_SESSION to record that the login happened.
    if ($username == 'alex' && $password == 'lion') {
        header('Location: alex.php');
        exit();
    }
}
?>

<form class="login100-form validate-form" method="POST">
    <span class="login100-form-title p-b-37">
        Sign In
    </span>

    <div class="wrap-input100 validate-input m-b-20" data-validate="Enter username or email">
        <input class="input100" type="text" name="username" placeholder="username or email">
        <span class="focus-input100"></span>
    </div>

    <div class="wrap-input100 validate-input m-b-25" data-validate="Enter password">
        <input class="input100" type="password" name="pass" placeholder="password">
        <span class="focus-input100"></span>
    </div>

    <div class="container-login100-form-btn">
        <button class="login100-form-btn">
            Sign In
        </button>
        <?php if (isset($_GET['error'])) {
            // Shown when the page is loaded as login.php?error=...; the login code above
            // never redirects with that parameter, so this message is currently unreachable.
            echo '<strong><p align="center" id="wrong" style="color:red">Wrong Username or Password !!</p></strong>';
        } ?>
    </div>
</form>

alex.php

<?php
ob_start();
include("dbConnection.php");
// $_SESSION is read here without session_start() having been called on this page.
if (!isset($_SESSION['username'])) {
    header("location:login.php");
    exit();   // stop here; otherwise the protected content below is still sent
}
?>
Beel

2 Answers


Your first problem is you have to start the session in your "alex.php" file. Add the following line at the top of your code.

session_start();

Your second problem is, you are validating whether the user has logged in or not using the variable $_SESSION['username'], but after successful validation you are not setting $_SESSION['username'] in the "login.php" file.

So your code must be like this:

if($username == 'alex' && $password == 'lion'){
    $_SESSION['username'] = 'alex';
    header('Location: alex.php' );
    exit();
} 

In your logout function don't forget to unset that session variable

unset($_SESSION['username']);
Puvipavan
  • When I do that, then I can access the page just by typing the name "alex.php" in the web browser. That is not supposed to happen without logging in first. – Beel Sep 23 '18 at 02:56
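The two fixes in this answer (session_start() on every page that reads $_SESSION, and setting $_SESSION['username'] on success), together with the surrounding pieces a login flow needs, gathered into one include as an added example. This is not code from the question or the answer. It assumes dbConnection.php exposes a PDO handle named $pdo, that the login table has a password_hash column holding password_hash() output, and the file name auth.php; all three are assumptions.

```php
<?php
// auth.php (file name assumed): session-based login for login.php / alex.php.
// Assumptions: dbConnection.php defines $pdo (a PDO instance) and the `login`
// table has a `password_hash` column produced by password_hash().

// login.php calls this after session_start() and include("dbConnection.php").
// Returns true once $_SESSION['username'] is set; false on bad credentials.
function login_user(PDO $pdo, string $username, string $password): bool
{
    // Parameterised query: the submitted username never becomes SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash, never against a plaintext constant.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // New session ID at the moment of login (session fixation defence), then
    // record the logged-in user: the step the question's login.php left out.
    session_regenerate_id(true);
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// First statement of every protected page (alex.php). Starts the session if
// the page has not done so, then redirects and STOPS when nobody is logged in.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();            // without this $_SESSION is always empty
    }
    if (empty($_SESSION['username'])) {
        header('Location: login.php');
        exit();                     // without exit() the page body is still sent
    }
}

// logout.php: clear server-side state and expire the cookie, not just one key.
function logout_user(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// How login.php uses it (replaces the hard-coded 'alex' / 'lion' comparison):
//
//   session_start();
//   include("dbConnection.php");
//   require "auth.php";
//   if (isset($_POST['username'], $_POST['pass'])) {
//       if (login_user($pdo, $_POST['username'], $_POST['pass'])) {
//           header('Location: alex.php');
//       } else {
//           header('Location: login.php?error=1');   // triggers the existing message
//       }
//       exit();
//   }
```

With this in place, opening alex.php directly in the same browser still works, because the session cookie set at login is still present; that is the session doing its job, not a hole. To check the guard, open a private window (or delete the PHPSESSID cookie) and request alex.php, which should redirect to login.php, and confirm that calling logout_user() followed by a request to alex.php does the same.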

Inside your second if block, you're not setting a value for $_SESSION['username'] which is needed in alex.php to further validate login.

Right after:

if($username == 'alex' && $password == 'lion'){

Insert the following statement:

$_SESSION['username'] = $username;

And in alex.php, you need to do session_start(); as your first statement for $_SESSION['username'] to be accessible.

Again in alex.php, use the following code so that if the referrer page is not login.php, it will redirect to login.php.

Right after:

ob_start();

Add:

if(basename($_SERVER['HTTP_REFERER']) != 'login.php'){
   header('Location: login.php' );
   exit();
}
Karlo Kokkak
  • ^ fixed answer. – Karlo Kokkak Sep 23 '18 at 02:50
  • When I do that, I can access the page just by typing it in the web browser. That is not supposed to happen. – Beel Sep 23 '18 at 02:55
  • @Beel That's exactly what should happen. Take a look at [how do sessions work?](https://stackoverflow.com/questions/1535697/how-do-php-sessions-work-not-how-are-they-used). The whole point of the code is not to have to enter your credentials each time, right? Well, the session exists already. Just clear your browser cookies and try accessing `alex.php` again. – msg Sep 23 '18 at 03:03
  • ^ fixed answer again. – Karlo Kokkak Sep 23 '18 at 03:10
  • 1
    Oh yea, I forgot about that. Thank you for the the help and the link aswell – Beel Sep 23 '18 at 03:11
  • No problem..! :D – Karlo Kokkak Sep 23 '18 at 03:19
  • One quick question. Since referrer is kind of a validator. What is the point of $_SESSION validation? – Beel Sep 23 '18 at 03:23
  • $_SESSION['username'] is to confirm that the login that happened in login.php is valid using the correct credentials, and it is also used to prevent fake logins using a fake login.php page. – Karlo Kokkak Sep 23 '18 at 03:26
  • @Beel Yeah, I wouldn't do that... It might work as it is but once you begin to add internal links to that page it's going to be a nightmare. Also, sessions allow you to store other information that might not be present in the request or otherwise available. – msg Sep 23 '18 at 03:29
  • So is it possible to add referrer and the $_SESSION['username'] on the same page without causing any error? – Beel Sep 23 '18 at 03:33
  • Yes it is. Same as my modifications above. – Karlo Kokkak Sep 23 '18 at 03:35
  • @Karlo @Beel Sorry, but that's incorrect. Referer is set by the user agent and can't be trusted (and should be `HTTP_REFERER`). Besides, you are checking using `basename`, which means that I could create my own `login.php` on my server and it will pass the check. – msg Sep 23 '18 at 03:42
  • @msg As I typed, "$_SESSION['username'] is also used to prevent fake logins using a fake login.php page." – Karlo Kokkak Sep 23 '18 at 03:44
  • The point of referrer as I understood it in this case is to make sure alex.php is only accessible directly from login.php and not from elsewhere including from alex.php itself. – Karlo Kokkak Sep 23 '18 at 03:47
  • 1
    Fair enough, if that's a requirement – msg Sep 23 '18 at 03:49
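To make the disagreement in these comments concrete, an added example (not code from the answer or from any of the commenters) that reimplements the Referer gate above as a plain function and runs it over constructed Referer values from the command line, so the behaviour can be checked without a web server. The file name referer_check.php and the host names app.example and attacker.example are made up.

```php
<?php
// referer_check.php (file name assumed). Run with: php referer_check.php
// Reproduces the check `basename($_SERVER['HTTP_REFERER']) != 'login.php'`
// from the answer and feeds it constructed Referer header values.

// Exactly the comparison the answer makes: basename() of the raw header value.
function referer_gate(?string $referer): bool
{
    // $_SERVER['HTTP_REFERER'] is simply absent when the browser sends no
    // Referer; the original code would then raise a notice and redirect.
    if ($referer === null) {
        return false;
    }
    return basename($referer) === 'login.php';
}

// What actually decides whether someone is logged in: server-side session
// state, which the client cannot write to. The Referer, by contrast, is a
// header the client composes and can set to anything.
function session_gate(array $session): bool
{
    return !empty($session['username']);
}

// Constructed Referer values; none of these are real requests.
// The third one is what `curl -H 'Referer: https://app.example/login.php'
// https://app.example/alex.php` would send, i.e. a hand-forged header.
$cases = [
    'redirect from the real login.php'            => 'https://app.example/login.php',
    'same filename hosted on an attacker site'    => 'https://attacker.example/login.php',
    'hand-forged header via curl -H Referer:'     => 'https://app.example/login.php',
    'real login.php reached as login.php?error=1' => 'https://app.example/login.php?error=1',
    'link from alex.php to itself'                => 'https://app.example/alex.php',
    'no Referer (no-referrer policy, typed URL)'  => null,
];

function run_cases(array $cases): array
{
    $results = [];
    foreach ($cases as $label => $referer) {
        $results[$label] = referer_gate($referer);
    }
    return $results;
}

foreach (run_cases($cases) as $label => $allowed) {
    printf("%-46s %s\n", $label, $allowed ? 'ALLOWED' : 'blocked');
}
```

The run shows the gate admitting the attacker-hosted login.php and the forged header (both end in login.php, which is all basename() looks at), while rejecting two legitimate paths: a browser configured not to send Referer at all, and a user who lands on alex.php from the form served as login.php?error=1, because the query string is part of the basename. Only session_gate(), fed by the session that login.php establishes, is a trustworthy authorization check; the Referer comparison can at most serve as a usability rule, as the last comment concedes.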