I have several issues going on I have played with the code, and I have tried to follow other code snippets / tutorials as examples, but I am unable to achieve the following:
1: when the browser is closed the session is terminated or set a timeout period of inactivity?
2: fix security issue: when I login using 1 name, I can view all pages regardless of level,
how do I fix this?
Here is the code for my index page
<?php
session_start();
//Set page name
$thispage = 'index.php';
//If in the database info below.
$dbHost = 'Hostname';
$dbUser = 'Username';
$dbPass = 'Password';
$dbDB = 'DbName';
$con = mysql_connect($dbHost,$dbUser,$dbPass) or die('Could not connect');
mysql_select_db($dbDB) or die('Could not selected database');
if (!isset($_SESSION['username'])) {
if (isset($_POST['submit'])) {
$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
$msg = '';
$error = 0;
if ($user == '') {
$msg .= 'Username is blank<br />';
$error++;
}
if ($pass == '') {
$msg .= 'Password is blank<br />';
$error++;
}
if ($error > 0) {
$errmsg = $msg;
}
else {
$sql = "SELECT * FROM `admin` WHERE `username` = '" . $user . "' AND `password` = '" . $pass . "'";
$query = mysql_query($sql) or die('Error: ' . mysql_error());
$num = mysql_num_rows($query);
if ($num == 0) {
$errmsg = 'Username and/or Password incorrect';
}
else {
$res = mysql_fetch_assoc($query);
$level = $res['level'];
$_SESSION['username'] = $user;
$_SESSION['level'] = $level;
switch($level) {
case 1:
$location = 'page_1.php';
break;
case 2:
$location = 'page_2.php';
break;
case 3:
$location = 'page_3.php';
break;
}
header('Location: ' . $location);
die();
}
}
}
$html =<<<HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Title goes here</title>
</head>
<body>
<form action="index.php" method="post">
<table border="0"cellpadding="2" cellspacing="2" align="center">
<tr>
<td colspan="2">$errmsg</td>
</tr>
<tr>
<td>Username:</td>
<td><input name="username" type="text" id="username" size="30"></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="password" type="password" id="password" size="30" class="password"></td>
</tr>
<tr>
<td colspan="2" align=center><input type="submit" name="submit" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
HTML;
}
else {
$level = $_SESSION['level'];
switch($level) {
case 1:
$location = 'page_1.php';
break;
case 2:
$location = 'page_2.php';
break;
case 3:
$location = 'page_3.php';
break;
}
header('Location: ' . $location);
die();
}
echo $html;
mysql_close($con);
?>
Here is the code that I use in the page(s).
<?php
session_start();
//Change this to the level of the page
$level = 1;
if (isset($_SESSION['level']))
{
if ($_SESSION['level'] !== $level)
{
header('Location: index.php');
die();
}
}
else
{
header('Location: index.php');
die();
}
?>
Any and all help would be appreciated, Thanks.