Php Session Login Help


driz

Hi, I'm building a very simple login system that will protect a directory called /members/ on my site. The default index.php file will check if the user is logged in and then send them to the members page automatically if the session already exists. If they are not, they can log in and then will be taken to the members page afterwards. This is the code I have so far, which does not work. What are the problems? Thanks

```php
<?php
session_start();
?>
<?php
if(isset($_SESSION['user']))
{
    header('Location: http://simplecandy.com/members/');
};
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8">
        <title>simplecandy - Temporary Hiatus</title>
    </head>
    <body>
        <form name="member" method="post" action="/index.php">
            <ul>
                <li>
                    <label for="">Members Password:</label>
                    <input type="text" name="password" value="" />
                </li>
                <li>
                    <input type="submit" name="submit" value="Continue" />
                </li>
            </ul>
            <?php
            $password=$_POST['password'];
            $username='Member';

            if (isset($_POST['submit'])) {
                if($password=="enter") {
                    $_SESSION['user']=$username;
                    header('Location: http://simplecandy.com/members/');
                }
                else {
                    echo "<p>Wrong login details / Unauthorized Access</p>";
                }
            }
            ?>
        </form>
        </div>
    </body>
</html>
```


Here, check this out. The password form type is now a password input. The form re-directs on success. You should work on the input security next. This form is wide open for injection.

```php
<?php
session_start();

// Only read the posted fields once the form has actually been submitted.
if (isset($_POST['submit'])) {
    $password = $_POST['password'];

    if ($password == "enter") {
        $_SESSION['user'] = $_POST['username'];

        // Start defining the URL.
        $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
        // Check for a trailing slash.
        if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
            $url = substr($url, 0, -1); // Chop off the slash.
        }
        $url .= '/members.php'; // Add the page.
        header("Location: $url");
        exit(); // Quit the script.
    } else {
        echo "<p>Unauthorized Access / Wrong login details</p>";
    }
}
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8">
        <title>simplecandy - Temporary Hiatus</title>
    </head>
    <body>
        <form name="member" method="post" action="">
            <ul>
                <li>
                    <label for="">Member Name:</label>
                    <input type="text" name="username" value="" />
                </li>
                <li>
                    <label for="">Members Password:</label>
                    <input type="password" name="password" value="" />
                </li>
                <li>
                    <input type="submit" name="submit" value="Continue" />
                </li>
            </ul>
        </form>
    </body>
</html>
```


Let magic_quotes() do all SQL injection work. If it's on, of course.


Just curious: when making some code function ONLY when a user has clicked a button, what would be the difference between just checking using isset like above, and creating a full function and then running the function when the button is clicked? Thanks


A function would work, but the advantage to creating a function is 'reusing' the code. Functions work best for a task that you want to have on several pages: you write the function once and include it on those pages. To write a function for a single task is not a wise use of a function, but it can be done. For example, writing a function that checks for the SESSION value on each 'members-only' page and re-directs if the SESSION value is not correct would be a better use for a function, because it could be used on several pages.

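The reusable check described in the post above, written out as an added example that is not part of the original thread. The file name `auth_guard.php`, the `LOGIN_PAGE` path, the `last_seen` key and the 30-minute idle limit are assumptions; `$_SESSION['pass']` is the flag used by the code later in this thread.

```php
<?php
// auth_guard.php (hypothetical file name): include at the top of every members-only page.

const LOGIN_PAGE   = '/index.php';  // assumption: the login form lives here
const IDLE_TIMEOUT = 1800;          // assumption: 30 minutes without a request ends the login

// Pure check, kept separate from the redirect so it can be tested on its own.
function is_member(array $session, int $now): bool
{
    if (empty($session['pass'])) {
        return false;                        // never logged in, or logged out
    }
    // The first members page after login has no timestamp yet: treat it as fresh.
    $last = $session['last_seen'] ?? $now;
    return ($now - $last) <= IDLE_TIMEOUT;
}

function require_member(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_member($_SESSION, time())) {
        $_SESSION = [];                      // drop any stale login state
        header('Location: ' . LOGIN_PAGE);   // fixed path, not built from the Host header
        exit;                                // stop before any member content is sent
    }
    $_SESSION['last_seen'] = time();         // record activity for the idle check
}

// Usage on a members-only page, before any output:
//   require __DIR__ . '/auth_guard.php';
//   require_member();
```

The `exit` after the redirect matters: without it the rest of the members page is still generated and sent to a client that ignores the `Location` header.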

Hey, thanks for the code. The problem is I ONLY want to have a password field, as it's just a simple protection system to access a restricted page. I also want it to AUTO redirect if the session exists, regardless of whether the submit button has been pushed. Can you help with how to do that? Thanks.


```php
<?php
session_start();

// A correct password marks this session as logged in.
if (( isset($_POST['submit']) && ($_POST['password'] == "enter"))) {
    $_SESSION['pass'] = 'true';
}

// Redirect on a successful login, or whenever the session is already marked.
if (( isset($_POST['submit']) && ($_POST['password'] == "enter")) || (isset($_SESSION['pass']) && !empty($_SESSION['pass']))) {
    // Start defining the URL.
    $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
    // Check for a trailing slash.
    if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
        $url = substr($url, 0, -1); // Chop off the slash.
    }
    $url .= '/members.php'; // Add the page.
    header("Location: $url");
    exit(); // Quit the script.
} elseif (isset($_POST['submit'])) {
    // Show the error only after a failed attempt, not on the first page load.
    echo "<p>Unauthorized Access / Wrong login details</p>";
}
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8">
        <title>simplecandy - Temporary Hiatus</title>
    </head>
    <body>
        <form name="member" method="post" action="">
            <ul>
                <li>
                    <label for="">Members Password:</label>
                    <input type="password" name="password" value="" />
                </li>
                <li>
                    <input type="submit" name="submit" value="Continue" />
                </li>
            </ul>
        </form>
    </body>
</html>
```

Don't forget to supply a log-out link that deletes the Session Array.

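The log-out step mentioned above, together with a login handler for the same single-password gate, as an added example that is not code from the thread. It goes beyond the posted version by comparing against a stored hash and issuing a new session id at login. `MEMBERS_HASH` is a placeholder, and the `?logout=1` link and the fixed paths are assumptions.

```php
<?php
// Added example. MEMBERS_HASH is a placeholder: create the real value once with
// password_hash('<your password>', PASSWORD_DEFAULT) and paste the output here.
const MEMBERS_HASH = '<paste password_hash() output here>';
const MEMBERS_PAGE = '/members.php';  // assumption: fixed paths, not built from HTTP_HOST
const LOGIN_PAGE   = '/index.php';

function login(string $submitted): bool
{
    if (!password_verify($submitted, MEMBERS_HASH)) {
        return false;
    }
    session_regenerate_id(true);  // fresh session id at login, so a pre-set id is useless
    $_SESSION['pass'] = 'true';   // same flag the thread's code checks
    return true;
}

function logout(): void
{
    $_SESSION = [];  // delete the session array
    if (ini_get('session.use_cookies')) {  // also expire the cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();  // remove the server-side session data
}

session_start();
if (isset($_GET['logout'])) {  // hypothetical log-out link: index.php?logout=1
    logout();
    header('Location: ' . LOGIN_PAGE);
    exit;
}

$failed = false;
if (isset($_POST['submit'])) {
    $password = $_POST['password'] ?? '';
    $failed = !is_string($password) || !login($password);
}

if (!empty($_SESSION['pass'])) {  // auto-redirect whenever the session is already logged in
    header('Location: ' . MEMBERS_PAGE);
    exit;
}

if ($failed) {
    echo "<p>Unauthorized Access / Wrong login details</p>";
}
```

The login form markup from the post above follows this block unchanged; all `header()` calls run before any HTML is sent.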

Archived

This topic is now archived and is closed to further replies.
