PHP session help rq'd

thekeemo
Solved by Hazy125

I have a login form that does this:

    if (password_verify($password, $hash)) {
        session_start();
        $_SESSION['authorized'] = true;
        if ($position = 'admin'){
            echo "<script> window.location.replace(\"admin-home.php\"); </script>";
        } else {
            echo "<script> window.location.replace(\"user-home.php\"); </script>";
        }
    } else {
        echo "<script> window.location.replace(\"login-failed.php\"); </script>";
    }

and I have the pages to do this to make sure they are logged in

if (isset($_SESSION['authorized']) && ($_SESSION['authorized'] === true)){ 
    echo "blah blah blah";
}else{
    echo "<script> window.location.replace(\"unauthorized.php\"); </script>";
}

but it doesn't detect that it is set to true

 

@Cruorzy

That's that. If you need to get in touch, chances are you can find someone that knows me that can get in touch.

Before I continue making test webpages to do stuffs and check

10 minutes ago, thekeemo said:

and I have the pages to do this to make sure they are logged in

On these pages you ARE using session_start() right?

I am good at computer

You need to call session_start() on every page. Otherwise you can't use the $_SESSION global.

1 minute ago, Hazy125 said:

Before I continue making test webpages to do stuffs and check

On these pages you ARE using session_start() right?

 

1 minute ago, SSL said:

You need to call session_start() on every page. Otherwise you can't use the $_SESSION global.

Thought I had it on a different page that is included.. turns out I didn't.. will test now

And to go with what they said

if ($position = 'admin'){

Should have a ===

Something like this.

should work, and yes you have to start a session before the actual auth statement

 

if (password_verify($password, $hash)) {
	session_start();
	$_SESSION['authorized'] = true;
	if ($position === 'admin'){
		header("Location: admin-home.php");
		die();
	} 
	else {
		header("Location: user-home.php");
		die();
	}
}

 

session_start();
if($_SESSION['authorized'] === true){
	echo "blah blah blah";
}
else{
	header("Location: index.php");
	die();
}

The better thing to do is do this above a page that you need to be authorized for.

 

//Starts the session
session_start();
//If $_SESSION['authorized'] is not true then go back to index.php
if($_SESSION['authorized'] !== true){
	header("Location: index.php");
	die();
}

 

Quote or mention me if not feel ignored 

Problem with header is that it can't have anything above it. Anyway I thought the rqd file had session_start in it. It did not which was the issue.

Other than the session start issue, I believe there are more. Firstly

10 hours ago, Cruorzy said:

//Starts the session
session_start();
//If $_SESSION['authorized'] is not true then go back to index.php
if($_SESSION['authorized'] !== true){
	header("Location: index.php");
	die();
}

 

This code will give a variable undefined error, so use isset

if(!isset($_SESSION['authorized']))

This basically asks if the session is not set or null, then do this. This also stops your undefined error when it is not set.

Also, in your first post you check to see if the user's position was admin and redirect to the admin page. However, as you haven't set any session other than authorized, anyone that logs in could go to the page and access it. I assume, as you're checking for a position, there is more than 1 type of user.

 

You should use something like this.

 

session_start();
// Every logged-in user gets the 'authorized' entry
$_SESSION['authorized'] = array();
// Only admins also get the 'admin' flag
if($position == 'admin')
{
$_SESSION['authorized']['admin'] = true;
}

 

Then for your admin pages

if(!isset($_SESSION['authorized']['admin'])){
echo "you are not an admin";
die();
}

This first checks if the session for admin is set

And any pages viewable by all users
 

if(!isset($_SESSION['authorized'])){
echo "you are not logged in";
die();
}

 

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´
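
A role-aware version of the login and page guard discussed in the posts above, as an added example that is not code from any poster in this thread. The function names and the `role` session key are assumptions; `$position` is assumed to come from the user's database row after `password_verify()` has succeeded.

```php
<?php
// Added example, not from the thread. Function names and the 'role'
// session key are assumptions made for illustration.

/** Pure check, so the decision can be exercised without a live session. */
function is_allowed(array $session, string $required): bool
{
    if (($session['authorized'] ?? false) !== true) {
        return false;                       // not logged in (no notice if unset)
    }
    return $required === 'user' || ($session['role'] ?? '') === $required;
}

/** Call once, right after password_verify() has succeeded. */
function log_in(string $position): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    session_regenerate_id(true);            // fresh session ID at login
    $_SESSION['authorized'] = true;
    $_SESSION['role'] = ($position === 'admin') ? 'admin' : 'user';
}

/** Call at the top of every protected page, before any output. */
function require_role(string $required = 'user'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (!is_allowed($_SESSION, $required)) {
        header('Location: unauthorized.php');
        exit;                               // never render the page body
    }
}

// Constructed session contents, to show the decisions when run from the CLI.
if (PHP_SAPI === 'cli') {
    $cases = [
        'anonymous' => [],
        'user'      => ['authorized' => true, 'role' => 'user'],
        'admin'     => ['authorized' => true, 'role' => 'admin'],
    ];
    foreach ($cases as $who => $session) {
        printf("%-9s user page: %-3s admin page: %s\n", $who,
            is_allowed($session, 'user') ? 'yes' : 'no',
            is_allowed($session, 'admin') ? 'yes' : 'no');
    }
}
```

On admin-home.php the first statement would be `require_role('admin');`, and on user-home.php `require_role();`.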

There is no error? As for the admin thing I have implemented that already :)

46 minutes ago, thekeemo said:

There is no error? As for the admin thing I have implemented that already :)

arr no bother then :P it depends on what settings are on and off on the server, most servers I have used throw an undefined error.

On 6/4/2016 at 1:27 PM, Hazy125 said:

Before I continue making test webpages to do stuffs and check

On these pages you ARE using session_start() right?

 

On 6/4/2016 at 1:27 PM, SSL said:

You need to call session_start() on every page. Otherwise you can't use the $_SESSION global.

Out of nowhere this page stopped working, when I refresh the page it ends the session..

 

<?php
include_once ("/required.php"); //has session start now..
if (isset($_SESSION['authorized']) && ($_SESSION['authorized'] === true) && ($_SESSION['admin'] === true)){
    include_once ("/admin-required.php");

    mysqli_select_db($con,$DATABASE);
    $sql = "SELECT * FROM photo ORDER BY photo_id DESC";
    $result = mysqli_query($con,$sql);

    echo "<table class=sortable>";
    echo "<tr><td>Photo ID</td><td>Project ID</td><td>Project Section</td><td>Project Subsection</td><td>Photo Date</td><td>Date Posted</td><td>Photo Description</td><td>Image</td><td>Direction</td><td>Uploader</td></tr>";
    while ($row = mysqli_fetch_array($result)){
        // Escape every database value before it is written into the HTML
        $c = array_map(function ($v) { return htmlspecialchars((string) $v, ENT_QUOTES); }, $row);
        echo "<tr><td>" . $c['photo_id'] . "</td><td>" . $c['photo_project_id'] . "</td><td>" . $c['photo_section'] . "</td><td>" . $c['photo_subsection'] . "</td><td>" . $c['photo_date'] . "</td><td>" . $c['photo_post'] . "</td><td>" . $c['photo_desc'] . "</td><td><img src=\"domain" . date('d-m-Y', strtotime($row['photo_post'])) . "/" . $c['photo_url'] . "\" style=\"width:10%;height:auto;\">" . "</td><td>" . $c['photo_dir'] . "</td><td>" . $c['photo_first'] . " " . $c['photo_last'] . "</td></tr>";  //$row['index'] the index here is a field name
    }
    mysqli_close($con);
}else{
    echo "<script> window.location.replace(\"unauthorized.php\"); </script>";
}
?>

and it's not a fault of the required files because they work on other pages..

1 minute ago, SSL said:

session[admin] or session[authenticated][admin]?

session admin that line is on other pages that are working 

2 minutes ago, thekeemo said:

session admin

what's in admin-required?

 

1 minute ago, SSL said:

what's in admin-required?

HTML table functioning as header (is there a better way to make a header because I feel there is a better way)

I'm sure what else might be causing the issue; this very much still looks like session_start() isn't being called. Try changing the include_once to a require_once.

 

2 minutes ago, thekeemo said:

HTML table functioning as header (is there a better way to make a header because I feel there is a better way)

 

Yes. Use a template and inject the main content through variables.

 

Simple example: https://github.com/npacker/nFramework/blob/packern/dependency-container/packages/Nigel/WebsitePackage/templates/html.tpl.php

 

Populate the template variables and include the template as the last thing on every page.

3 minutes ago, SSL said:

I'm sure what else might be causing the issue; this very much still looks like session_start() isn't being called. Try changing the include_once to a require_once.

 

 

Yes. Use a template and inject the main content through variables.

 

Simple example: https://github.com/npacker/nFramework/blob/packern/dependency-container/packages/Nigel/WebsitePackage/templates/html.tpl.php

 

Populate the template variables and include the template as the last thing on every page.

It's being called.. that code is used elsewhere on the site and it works the first time. require once isn't doing it either..

2 hours ago, thekeemo said:

It's being called.. that code is used elsewhere on the site and it works the first time. require once isn't doing it either..

 

Check the file encoding. That file may be saved as UTF-8 BOM (byte order mark), which writes characters to the start of the file. These characters start output buffering before session_start() is called, at which point it will no longer work.

 

You can use something like the Encoding menu in Notepad++ to set it to plain UTF-8.
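
One way to check include files for this kind of stray output, as an added example that is not from any poster in this thread: it uses PHP's tokenizer to list every run of bytes outside the PHP tags (a BOM, leading whitespace, or blank lines after a closing `?>`). The sample file contents are constructed; pass real paths such as required.php on the command line to scan those instead.

```php
<?php
// Added example, not from the thread. Lists bytes a PHP file would send
// to the browser before or between its code blocks.

/** Return one description per chunk of output outside PHP tags. */
function stray_output(string $src): array
{
    $found = [];
    foreach (token_get_all($src) as $tok) {
        if (!is_array($tok) || $tok[0] !== T_INLINE_HTML) {
            continue;
        }
        $kind = strncmp($tok[1], "\xEF\xBB\xBF", 3) === 0 ? 'UTF-8 BOM' : 'raw output';
        $found[] = sprintf('line %d: %s, %d byte(s)', $tok[2], $kind, strlen($tok[1]));
    }
    return $found;
}

// Constructed samples standing in for code-only include files.
$samples = [
    'clean.php'    => "<?php\nsession_start();\n",
    'bom.php'      => "\xEF\xBB\xBF<?php\nsession_start();\n",
    'trailing.php' => "<?php\nsession_start();\n?>\n\n",
];

// Paths given on the command line replace the samples.
$targets = [];
foreach (array_slice($argv ?? [], 1) as $path) {
    $targets[$path] = (string) file_get_contents($path);
}
foreach ($targets ?: $samples as $name => $src) {
    $hits = stray_output($src);
    echo $name, ': ', $hits ? implode('; ', $hits) : 'no output outside PHP tags', "\n";
}
```

With output_buffering enabled in php.ini the stray bytes are held back and the symptom disappears, so a page that works on one server can fail on another.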

2 minutes ago, SSL said:

 

Check the file encoding. That file may be saved as UTF-8 BOM (byte order mark), which writes characters to the start of the file. These characters start output buffering before session_start() is called, at which point it will no longer work.

 

You can use something like the Encoding menu in Notepad++ to set it to plain UTF-8.

it's utf8

1 minute ago, thekeemo said:

it's utf8

 

Does the problem occur if you paste the contents of required.php inline in your script instead of using the include?

2 minutes ago, SSL said:

 

Does the problem occur if you paste the contents of required.php inline in your script instead of using the include?

required.php is on every page how would that cause an issue? Also a bit difficult since it includes some libraries

1 minute ago, thekeemo said:

required.php is on every page how would that cause an issue?

 

Probably wouldn't in this case.

 

Is this the only page that is authenticating to an admin user?

1 minute ago, SSL said:

 

Probably wouldn't in this case.

 

Is this the only page that is authenticating to an admin user?

no

the other ones are fine..

13 minutes ago, thekeemo said:

no

the other ones are fine..

 

You should have a cookie called PHPSESSID. Can you report what the value of this cookie does when you reload the script in question (after already authenticated)?

6 minutes ago, SSL said:

 

You should have a cookie called PHPSESSID. Can you report what the value of this cookie does when you reload the script in question (after already authenticated)?

e8vag2kg4cnob69fvg0bo9hgj5

it's different every time

says it expires when the browsing session ends
