I am making a login system for my web site and I have almost everything in place. My only problem is that it seems that my session info is not being passed between pages. I start the session at the beginning of each page I need to use it on, and have a login that compares the information to a MySQL database. What I am trying to prevent is someone just coming along and typing the address of a "protected" page directly into a browser and getting to it without logging in, which can happen right now because there is nothing in place that will check if the user is logged in already or not. That is why I am trying to use sessions. Here is the code that I have in my login page:
Code:
<?php
session_start();
// directory of the current script, used to build redirect URLs
$directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);
if (isset($_SESSION['logged']) && $_SESSION['logged'] == 1) {
    // already logged in: go straight to the protected page
    header("Location: http://" . $_SERVER['HTTP_HOST'] . $directory_self . "upload.php");
    exit();
} else {
    $logmsg = "";
    $_SESSION['logged'] = 0;
    if (isset($_POST['login'])) {
        $username = isset($_POST['username']) ? trim($_POST['username']) : "";
        $password = isset($_POST['password']) ? trim($_POST['password']) : "";
        if ($username == "" OR $password == "") {
            $logmsg = "You must enter both a user name and a password to login.";
        } else {
            require_once('mysql_config.php');
            $connect = mysql_connect(SQL_HOST, SQL_USER, SQL_PASS) or die('Could not connect to the Database.' . mysql_error());
            mysql_select_db(SQL_DB, $connect);
            $hashpw = hash("sha512", $password);
            // escape the user name before it goes into the query string (prevents SQL injection)
            $safe_user = mysql_real_escape_string($username, $connect);
            $query = "SELECT user_name FROM login_info WHERE user_name = '$safe_user' AND password = '$hashpw' LIMIT 1;";
            $result = mysql_query($query) or die(mysql_error());
            if (mysql_num_rows($result) == 1) {
                $_SESSION['username'] = $username;
                // note: this keeps the plaintext password in the session data
                $_SESSION['password'] = $password;
                $_SESSION['logged'] = 1;
                //$record = "Session logged: " .$_SESSION['logged'];
                header("Location: http://" . $_SERVER['HTTP_HOST'] . $directory_self . "upload.php");
                exit();
            } else {
                $_SESSION['logged'] = 0;
                $logmsg = "<p><span style='color:#CC0000'><strong>The Username and Password you entered does not exist.</strong></span><br/>";
                $logmsg .= "You can contact our <a href='mailto:[email protected]'>Customer Service</a> department if you need help with your account.";
            }
        }
    }
}
?>
and this in the page I am trying to protect:
Code:
<?php
session_start();
// record the page's current directory
$directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);
// set a max file size for the html upload form
$max_file_size = 209715200; // size in bytes
if (isset($_SESSION['logged']) && $_SESSION['logged'] == 1) {
    //do nothing, and let user upload a file
} else {
    // not logged in: send the visitor back to the login page
    header("Location: http://" . $_SERVER['HTTP_HOST'] . $directory_self . "login.php");
    exit();
}
?>
What is happening is that no matter what, I am getting bounced back to the login page. If I add
Code:
elseif(isset($_SESSION['logged']) && $_SESSION['logged'] == 0)
I can get to the protected page, but I can get to it even if I don't log in. What is happening, for reasons I cannot figure out, is that the session variables I set in the login page are not being passed to the protected page. I have posted this on webdeveloper.com but no one there seems able to help me out. It doesn't make any sense to me; I have gone through hundreds of examples from numerous sources and they are all telling me to do the same thing, which I am already doing, but it is not working. Can anyone see anything wrong with this code that would prevent the session variables from being passed to a different page, or prevent them from being stored in the session array in the first place? When I put print_r($_SESSION) into my login page it prints all the contents of the session and it shows everything I put into it, but when I do the same thing on my protected page it is showing that $_SESSION is empty.
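For reference, a hardened version of the login check and page guard described in the post above, as an added example that is not the poster's code. It assumes PHP 7.3+ with PDO, that login_info.password holds password_hash() output rather than a SHA-512 hex digest, and that the SQL_* constants come from the poster's mysql_config.php; the function names are hypothetical.

```php
<?php
// Added example (not the poster's code). Assumptions: PHP 7.3+, PDO MySQL,
// login_info.password stores password_hash() output, and SQL_HOST / SQL_DB /
// SQL_USER / SQL_PASS are defined by mysql_config.php before open_db() runs.

function start_session(): void
{
    // If any output (even a BOM or a blank line before "<?php") was already
    // sent, the session cookie cannot be set and the next page starts with
    // an empty $_SESSION. Fail loudly instead of silently.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output started at $file:$line before session_start()");
    }
    session_set_cookie_params(['path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

function open_db(): PDO
{
    $dsn = 'mysql:host=' . SQL_HOST . ';dbname=' . SQL_DB . ';charset=utf8mb4';
    return new PDO($dsn, SQL_USER, SQL_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

function attempt_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the user name is bound as data, never SQL text.
    $stmt = $db->prepare('SELECT password FROM login_info WHERE user_name = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id after login (anti-fixation)
    $_SESSION['username'] = $username;  // the password itself is never stored
    $_SESSION['logged'] = 1;
    return true;
}

function require_login(string $loginPage = 'login.php'): void
{
    // Call at the top of every protected page, right after start_session().
    if (($_SESSION['logged'] ?? 0) !== 1) {
        header('Location: ' . $loginPage);
        exit;
    }
}
```

In this sketch login.php would call start_session() and then attempt_login(open_db(), $username, $password), while upload.php would call start_session() followed by require_login().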