Hi,

I am having a little access/control issue. I can add a user to the database using a signup page, go back to the login page, and then log in using the new user. But if I click on a link to go to another page that requires the user to be logged in, it forgets the user and directs them to log back in.

This is the code I am using to control access; the file is implemented like this on every protected page:

include ("access.php");


<?php
session_start();

$username = isset($_POST['username']) ? $_POST['username'] : $_SESSION['username'];
$password = isset($_POST['password']) ? $_POST['password'] : $_SESSION['username'];

if(!isset($username))
{
?> 
<html>
<head>
<title>The Book.com - Not Signed In</title>
</head>
<body>
<div class = "head">
<p>The Book.com</p>
</div>
<div class = "content">
<p>You are not signed in. Pleas sign in</p>
<form method = "POST" action = "<?=$_SERVER[PHP_SELF]?>">
<label>Username:</label>
<input type = "text" name = "username" maxlength = "100" size = "25" />
<label>Password: </label>
<input type = "password" name = "password" maxlength = "16" size = "25" />
<input type = "submit" value = "Log In" name = "submit" />
</form>
</div>
</html>
<?php
exit; }

$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

$dbhost = "localhost";
$dbname = "thebook";
$dbuser = "TheBook";
$dbpass = "thebook";

$dbcon = mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname, $dbcon);

$sql = "SELECT * FROM user WHERE username = '$username' AND password = '$password'";
$query = mysql_query($sql, $dbcon);

if(mysql_num_rows($query) == 0)
{
    unset($_SESSION['username']);
    unset($_SESSION['password']);
?>
<html>
<head>
<title>The Book.com - Access Denied</title>
</head>
<body>
<p>Your username or password was incorrect, or you are not a registered user of the site. 
To try logging in again click <a href = "<?=$_SERVER[PHP_SELF]?>">here</a>. T become a registered
member of this site click <a href = "signup.php">here</a>.</p>
</body>
</html>
<?php
exit;
}
?>

Any help would be muchly appreciated.

Let me first tell you: NEVER give a password through a SESSION UNCODED. I also recommend you simply do the following:

- If a user has logged in (correctly) then a variable named $_SESSION is set "true" or "yes" and if it is needed in the rest of the pages, you also set a $_SESSION or a $_SESSION. If you still want to give a password through, please use md5(), sha1() or another encrypt function.

And at each page you do the following:

<?php
session_start();
?>
... other HTML
<body>
<?php
if (isset($_SESSION['auth']) && $_SESSION['auth'] == "yes") {
//
// You show the members only page
//
echo "You are now logged in and are able to see this!!!";
} else {
//
// You either show the login page or a link to the login page,
// example:
echo 'You are not logged in, please go to the <a href="login.php">login page</a>.';
}
?>
</body>
// Other HTML....

You can also put some JavaScript in it that redirects the user directly to the login page.

~G
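
The approach described in the reply above (set a flag in $_SESSION after a correct login and keep the password out of the session), as an added example that is not part of either post. It assumes PDO, a `password` column holding `password_hash()` output, and the hypothetical helper names `attempt_login` and `is_logged_in`; in-memory SQLite stands in for the thread's MySQL database.

```php
<?php
// Added example, not code from the thread. Assumes PDO and a `user` table
// whose `password` column holds password_hash() output (an assumption;
// the thread's table stores the password as submitted).

// Check credentials once, at login. Only a flag and the username go into
// the session; the password itself is never stored there.
function attempt_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: user input is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);      // fresh session ID after login
    $_SESSION['auth'] = 'yes';        // flag name as used in the reply above
    $_SESSION['username'] = $username;
    return true;
}

// Called at the top of every protected page, after session_start().
function is_logged_in(): bool
{
    return isset($_SESSION['auth']) && $_SESSION['auth'] === 'yes';
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO user VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$results = [
    'before login'   => is_logged_in(),
    'wrong password' => attempt_login($db, 'alice', 'guess'),
    'quote in name'  => attempt_login($db, "o'brien", 'anything'),
    'right password' => attempt_login($db, 'alice', 'correct horse'),
    'after login'    => is_logged_in(),
];
foreach ($results as $step => $ok) {
    echo str_pad($step, 16), $ok ? "yes\n" : "no\n";
}
```

On a real page, a protected script would call `session_start()`, then redirect to the login page and `exit` when `is_logged_in()` returns false.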

Thanks heaps, that helped a lot. I was using some code that a friend gave me, but I think it has a fair few holes in it. I'm new to PHP, so I think I might start my site from the beginning and try your way.
Cheers.
