
PHP Login Script - can log in, but secure pages aren't working.


Tanis


Hey guys, here's the deal. I have a login script on my site, which allows users to log in perfectly fine. Only problem is, when they view a secure page, they get the "Not authorized" message (not a 505, just the one I created).

Login form code:

<H1><font face="Verdana" size="4" color="#C7C7C7">Staff Login:</font></H1>
<form method='post' action ='/staff/login.php'>
<font color="#C7C7C7">Username:  <input type='text' name='username'><br>
<font color="#C7C7C7">Password: <input type='password' name='password'><br>
<input type='submit' name='login' value='Login'>
</form>

Login page code (login.php):

<html>
<head><title>Logging in...</title></head>
<body>
<?php
session_start();
//--==login==--
$login = $_POST['login'];
if (isset($login)) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $isauth = false;
    $logcon = mysql_connect ('Host','User','Pass');
    if (!$logcon) {
        die("Could Not Connect To MySQL");
    }
    mysql_select_db("DB", $logcon) or die("Could Not Connect To DB because: ". mysql_error());
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $result = mysql_query($query, $logcon);
    while ($row = mysql_fetch_array($result)) {
        if ($row['username'] === $username) {
            $isauth = true;
            $run = $row['username'];
            $group = $row['group'];
        }
    }
    if ($isauth) {
        if ($group == "admin") {
            $_SESSION['adminlogged'] = $run;
            echo "<font face='arial'><b>Thank you for logging in, " . $run . "</b></font><meta http-equiv='Refresh' content='5;url=/staff/adminpage.php'>";
        }
        elseif ($group == "usrv") {
            $_SESSION['usrvlogged'] = $run;
            echo "<font face='arial'><b>Thank you for logging in, " . $run . "</b></font><meta http-equiv='Refresh' content='5;url=/rarevalues/USA/reporter.php'>";
        }
        elseif ($group == "ukrv") {
            $_SESSION['ukrvlogged'] = $run;
            echo "<font face='arial'><b>Thank you for logging in, " . $run . "</b></font><meta http-equiv='Refresh' content='5;url=/rarevalues/UK/reporter.php'>";
        }
        elseif ($group == "aurv") {
            $_SESSION['aurvlogged'] = $run;
            echo "<font face='arial'><b>Thank you for logging in, " . $run . "</b></font><meta http-equiv='Refresh' content='5;url=/AU/reporter.php'>";
        }
        elseif ($group == "carv") {
            $_SESSION['carvlogged'] = $run;
            echo "<font face='arial'><b>Thank you for logging in, " . $run . "</b></font><meta http-equiv='Refresh' content='5;url=/rarevalues/CA/reporter.php'>";
        }
        elseif ($group == "dj") {
            $_SESSION['djlogged'] = $run;
            echo "<font face='arial'><b>Thank you for logging in, " . $run . "</b></font><meta http-equiv='Refresh' content='5;url=/DJpage.php'>";
        }
        else {
            echo "Error: Please contact your web admin and ask about your group";
        }
    }
    else {
        echo "<font face='arial'><b>Incorrect Username or Password.</b></font><meta http-equiv='Refresh' content='5;url=/'>";
    }
    mysql_close($logcon);
}
else {
    echo "<font face='arial'><b>Oops! You have accessed this page incorrectly.</b></font>";
}
?>
</body>
</html>

Finally, example of a secure page (each group has a page similar to it):

<?php
include("http://www.habbground.com/headinclude.php");
?>
<title>HG Administration!</title>
</head>
<?php
session_start();
if ( isset( $_SESSION['adminlogged'] ) ) {
    echo "<center><font color=#C7C7C7><a href='http://www.habbothunder.com/fwc/'>Visitor Counter Control Panel</a><br>Username is *removed*, password is *removed*<br><font color='red'>~~~!!!!WARNING!!!!~~~</font><br>DO NOT CHANGE ANY SETTINGS WITHOUT PERMISSION FROM *removed*!!!!<br><br><img src='/divide.jpg'><br><br><font size='4'><a href='/rarevalues/reporter/reporter.php'>Reporter Page</a></font><br><br><img src='/divide.jpg'><br><br><form action='/news/cutenews/' method=post><br> Username:<input type=text name=username><br> Password:<input type=password name=password><br><input type=hidden name=action value=dologin><input type=submit value='Login'><br></form><br><br><img src='/divide.jpg'><br><br>Email login coming soon...";
}
else {
    echo "You are not authorized to view this page.";
}
include("http://www.habbground.com/footerinclude.php");
?>

Can anyone figure out what's wrong?


One thing you might want to check on your protected pages is to see what is inside the session. You can do this to print the entire session and make sure that what you are expecting to be in the session is actually there:
print_r($_SESSION);
Another consideration is what is inside the headinclude.php file, is there any code in there that would check in the session or modify it? If so, including the file using http might be causing problems.


> One thing you might want to check on your protected pages is to see what is inside the session. You can do this to print the entire session and make sure that what you are expecting to be in the session is actually there:
> print_r($_SESSION);
> Another consideration is what is inside the headinclude.php file, is there any code in there that would check in the session or modify it? If so, including the file using http might be causing problems.

The header file is-
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<link rel="stylesheet" type="text/css" href="/udm4-php/udm-resources/udm-style.php" media="screen, projection" />
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<style type="text/css">
body {
  margin-top: 0;
  margin-bottom: 0;
  margin-left: 0;
  margin-right: 0;
  padding-left: 0;
  padding-right: 0;
  background: #000000;
  color: #C7C7C7;
}
#header {
  margin: 20px;
  padding: 10px;
  height: 200px;
}
#left {
  position: absolute;
  left: 15px;
  top: 340px;
  width: 180px;
}
#center {
  top: 0;
  margin-left: 215px;
  margin-right: 180px;
  width: 580px;
}
#right {
  position: absolute;
  right: 15px;
  top: 340px;
  width: 180px;
}
</style>
<div id="header"><center><img src="http://www.habbground.com/needbanner.jpg"></center></div>
<div id="center">
<table border="0" cellspacing="0" cellpadding="0">
<tr><td width="580" height="50" background="/pics/top.png"></td></tr>
<tr><td width="580" background="/pics/middle.jpg">

So, nothing with sessions there. As for checking for what's in the session, I'm not actually putting anything in the sessions, or checking what's in the sessions, I'm just setting the session, then checking to see if it's set.


> As for checking for what's in the session, I'm not actually putting anything in the sessions, or checking what's in the sessions, I'm just setting the session, then checking to see if it's set.

Granted I didn't eat my Wheaties this morning, but I think one of us is confused. "setting" the session == putting (anything) in the session

> I'm not actually putting anything in the sessions, or checking what's in the sessions, I'm just setting the session, then checking to see if it's set

Correct me if I'm wrong, but to me that looks like "I'm not doing A or B, I'm just doing A and B". This was my point. If you are seeing your "not authorized" message, then this is failing:
if ( isset( $_SESSION['adminlogged'] ) ) {
So clearly $_SESSION['adminlogged'] is not set. That's the problem we are trying to solve, why is $_SESSION['adminlogged'] not set? My suggestion was to see what is set, and then we can figure out if the session is not being set at all, or if it is being set but you're checking for the wrong thing.

session_start(); must be sent before anything is outputted to the page..
quoting myself, in the code you supplied, session_start(); was written after some HTML .. and if errors are off .. you won't realise it's not actually starting the session.
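
An added example (not code from this thread) of the layout the last reply points to: session_start() runs before any output, and protected pages check a single session key. The login also binds the username with a prepared statement and verifies a password hash instead of building the query from $_POST as login.php does. The in-memory SQLite table, the password_hash column and the helper names login and require_group are assumptions made for this example.

```php
<?php
// Added example, not the thread's code. Nothing (HTML, blank line, BOM) may come
// before this tag: session_start() has to run before any output is sent.
session_start();

// Constructed stand-in for the users table (assumption: pdo_sqlite is available;
// a password_hash column replaces the plaintext password column used in the thread).
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, "group" TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?, ?)')
       ->execute(["o'brien", password_hash('constructed-pass', PASSWORD_DEFAULT), 'admin']);
    return $db;
}

// Hypothetical helper: verifies credentials and fills the session on success.
function login(PDO $db, string $username, string $password): bool {
    // The placeholder binds $username as data; it is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT username, password_hash, "group" FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id once the user is authenticated
    $_SESSION['user']  = $row['username'];
    $_SESSION['group'] = $row['group']; // one key instead of adminlogged, djlogged, ...
    return true;
}

// Hypothetical guard: call at the very top of a protected page, before any include
// or markup, and stop with the "not authorized" message when it returns false.
function require_group(string $group): bool {
    return isset($_SESSION['group']) && $_SESSION['group'] === $group;
}

// Collect results first and print once, so no output precedes the session calls.
$db = demo_db();
$results = [
    'wrong password' => login($db, "o'brien", 'guess'),
    'valid login'    => login($db, "o'brien", 'constructed-pass'),
    'admin page'     => require_group('admin'),
    'dj page'        => require_group('dj'),
];
var_export($results);
```

On a real page the guard call sits directly after session_start(), and the header and footer are included by filesystem path so that they run in the same request as the session.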
