I am working on login form where multiple users can sign in using their username and password. Depending on who it is, it will take them to certain file or link depending on how we set it for that user (john.doe goes to test1.php and jane.doe goes to test2.php).

When I try to login with username and password, it won't take me to the page. It keep saying the page has a redirect loop and it timed out. Also, how do I secure a page where once I logout, I can't go back to it by using the back button or type in the url directly? Please help. Thank you in advance. Here is what I have so far:

SQL has 4 fields

Field      Type         Collation           Null   Extra
id         int10                            No     auto_increment
username   varchar20    latin1_swedish_ci   No
password   varchar20    latin1_swedish_ci   No
redirect   varchar250   latin1_swedish_ci   No

I have 4 php files I work with. workspace.php, workspace_login.php, workspace_logout.php, workspace_files.php.

workspace.php - login screen

<form name="form" method="post" action="workspace_login.php">
<table>
<tr><td>Login</td></tr>
<tr><td>Username: <input name="username" type="text" style="width:215px" autocomplete="off"></td></tr>
<tr><td>Password: <input name="password" type="password" style="width:215px" autocomplete="off"></td></tr>
<tr><td><input type="submit" name="submit" value="Login"></td></tr>
</table>
</form>

workspace_login.php - login script

workspace_login.php - login script
<?php 
$host="localhost"; // Host name 
$username="*****"; // Mysql username 
$password="******"; // Mysql password 
$db_name="*****"; // Database name 
$tbl_name="workspace"; // Table name 

// Connect to server and select databse. 
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password']; 

// To protect MySQL injection (more detail about MySQL injection) 
$username = stripslashes($username); 
$password = stripslashes($password); 
$username = mysql_real_escape_string($username); 
$password = mysql_real_escape_string($password); 
$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; 
$result = mysql_query($sql); 

// Mysql_num_row is counting table row 
$count = mysql_num_rows($result); 

// If result matched $username and $password, table row must be 1 row 
if($count == 1){ 
    // Register $username, $password and redirect to file "workspace_success.php" 
    $_SESSION['username'] = $username; 
    $_SESSION['password'] = $password; 
    // get the result set from the query
    $result = mysql_fetch_array($result); 
    // get the redirect column's value
    $redirect = trim($result['redirect']); 
    if ($redirect == '') {
        echo "No redirect value was set!";
    } else {
        header('Location: ' . $redirect);
        exit;
    }
} else { 
     echo "Wrong Password!";
} 
?>

workspace_logout.php - logout script

<?php
session_start();
$username=$_SESSION['username'];

if (session_destroy()){
unset($username);
}

if($username=="")
{
header("Location: workspace.php");
exit();
}
?>

workspace_files.php

<?php
session_start();
if (!isset($_SESSION['username'])) {
header('Location: workspace_files.php');
}
?>
<html>
<head>
<title>Secured Page</title>
</head>
<body>
<p>Welcome <b><?php echo $_SESSION['username']; ?></b>
Information here.</p>
<p><a href="logout.php">Logout</a></p>
</body>
</html>

Recommended Answers

All 75 Replies

first thing, you need to add the following code to all the page so that the website will detect whether is login or not..if login,then allow to go to the page,if not,go back to workspace.php

<?php
session_start();
if (!isset($_SESSION['username'])) {
header('Location: workspace.php');
}
?>

Second thing,try to change the code in workspace_login.php (line 40) to this:

header("Location: $redirect");

Devianleong,

I changed and added everything like you said. Now that I try to log in, it just bring me right back to workspace.php. No errors or taking me to the redirect page.

In mySql under redirect, I just put in the file location which is workspace_files.php. Almost feel like if it is not registering the session.

Thanks,

Member Avatar for Zagga

Hi diablo4151,

before you can use any session variables (line 30 workspace_login.php) you must use session_start();

You are correct that the username is not being set as a session variable (for the above reason) so when this is checked for, and not found, you are redirected to workspace.php

Zagga,

Still not working. I did added session_start(); yesterday as I realized it after my post but still redirecting to workspace.php.

Do I even this these line in the file since I am keeping track of who is signing in?

// Register $username, $password and redirect to file "workspace_success.php" 
$_SESSION['username'] = $username; 
$_SESSION['password'] = $password;

Here is what I hvae for workspace_login.php again.

<?
//Start session
session_start();

$host="localhost"; // Host name 
$username="*****"; // Mysql username 
$password="*****"; // Mysql password 
$db_name="*****"; // Database name 
$tbl_name="workspace"; // Table name 

// Connect to server and select databse. 
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password']; 

// To protect MySQL injection (more detail about MySQL injection) 
$username = stripslashes($username); 
$password = stripslashes($password); 
$username = mysql_real_escape_string($username); 
$password = mysql_real_escape_string($password); 
$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; 
$result = mysql_query($sql); 

// Mysql_num_row is counting table row 
$count = mysql_num_rows($result); 

// If result matched $username and $password, table row must be 1 row 
if($count == 1){ 

// Register $username, $password and redirect" 
$_SESSION['username'] = $username; 
$_SESSION['password'] = $password;

// get the result set from the query
$result = mysql_fetch_array($result); 

// get the redirect column's value
$redirect = trim($result['redirect']); 
    if ($redirect == '') {
        echo "No redirect value was set!";
    } else {
        header("Location: $redirect");
        exit;
    }
} else { 
     echo "Wrong Password!";
} 
?>

Thanks,

Member Avatar for Zagga

Hi again.

First off, it's not a good idea to pass the users password in a SESSION variable, once they have logged in you don't need it anyway by the looks of things.
You DO need to set the username as a SESSION variable though so you can ensure the correct, logged in user is visiting the page, not just someone than found the URL (this is devianleong's first bit of code).

Have you checked which redirect is taking you to workspace.php?
Add this line to the very top of workspace_files.php

exit("Made it to workspace_files");

when you login, if you see the message we know the problem lies in workspace_files.php somewhere and can investigate further.

Zagga, thank you for the quick response. I am not all that good with php. Most of these files are found elsewhere and I am just trying to incorporate it and learn from it. I did add the line exit("Made it to workspace_files"); and it is still redirecting back to workspace.php. However, if I put anything else at the very top such as //, it will actually redirect me to workspace_files.php and say Made it to workspace_files. Please see example below.

//
<?php
session_start();
if (!isset($_SESSION['username'])) {
header('Location: workspace.php');
exit("Made it to workspace_files");
}
?>

Below is the 3 files as to what it is right now. Thank you again for your continuing help.

workspace.php (form):

<?
//Start session
session_start();
?>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</HEAD>
<BODY>
<form name="form" method="post" action="workspace_login.php">
<table>
<tr><td>Login</td></tr>
<tr><td>Username: <input name="username" type="text" style="width:215px" autocomplete="off"></td></tr>
<tr><td>Password: <input name="password" type="password" style="width:215px" autocomplete="off"></td></tr>
<tr><td><input type="submit" name="submit" value="Login"></td></tr>
</table>
</form>

workspace_login.php

<?
//Start session
session_start();

$host="localhost"; // Host name 
$username="*****"; // Mysql username 
$password="*****"; // Mysql password 
$db_name="*****"; // Database name 
$tbl_name="workspace"; // Table name 

// Connect to server and select databse. 
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password']; 

// To protect MySQL injection (more detail about MySQL injection) 
$username = stripslashes($username); 
$password = stripslashes($password); 
$username = mysql_real_escape_string($username); 
$password = mysql_real_escape_string($password); 
$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; 
$result = mysql_query($sql); 

// Mysql_num_row is counting table row 
$count = mysql_num_rows($result); 

// If result matched $username and $password, table row must be 1 row 
if($count == 1){ 

// Register $username, $password and redirect" 
$_SESSION['username'] = $username; 
$_SESSION['password'] = $password;

// get the result set from the query
$result = mysql_fetch_array($result); 

// get the redirect column's value
$redirect = trim($result['redirect']); 
    if ($redirect == '') {
        echo "No redirect value was set!";
    } else {
        header("Location: $redirect");
        exit;
    }
} else { 
     echo "Wrong Password!";
} 
?>

workspace_files.php

<?php
session_start();
if (!isset($_SESSION['username'])) {
header('Location: workspace.php');
exit("Made it to workspace_files");
}
?>
<html>
<head>
<title>Secured Page</title>
</head>
<body>
<p>Welcome <b><?php echo $_SESSION['username']; ?></b>
Information here.</p>
<p><a href="logout.php">Logout</a></p>
</body>
</html>
Member Avatar for Zagga

Hi again.

It does seem that $_SESSION['username'] is not being set correctly.

Try moving the exit statement to the very top of workspace_files.php so it looks like this:

  <?php
  exit("Made it to workspace_files");
  session_start();
  if (!isset($_SESSION['username'])) {
    header('Location: workspace.php');
  }
  ?>
  <html>
  <head>
  <title>Secured Page</title>
  </head>
  <body>
  <p>Welcome <b><?php echo $_SESSION['username']; ?></b>
  Information here.</p>
  <p><a href="logout.php">Logout</a></p>
  </body>
  </html>

This should show you the message and exit the script as soon as you are redirected to workspace_files.php, before it checks for a valid $_SESSION['username'] variable.

Zagga, yes the message Made it to workspace_files now show at the top and nothing more. I'm sorry but are mine missing something here? How do we go about getting the content of workspace_files.php to show up?

Member Avatar for Zagga

Hi again.

Your script seems to run through fine until workspace_files.php where it checks to see if $_SESSION['username'] is set. Your script finds that it isn't set so redirects you to workspace.php.

Looking over your code again I noticed you open PHP correctly in workspace_files.php with <?php but in workspace.php and workspace_login.php you open PHP with the short tag version <?

If your PHP installation is not set to accept short tags then it will fail to open PHP and therefor will fail to register your SESSION.

Change <? to <?php and see what happens. (Don't forget to remove the exit statement you added).

I removed the exit statment and change the short tag version to the <?php and all it does is take me back to workspace.php.

Try this first, at the top of workspace_files.php:

session_start();
$nm = $_SESSION['username'];
exit("The username in this session is $nm.");

If you get "empty" or "Null" or "The username in this session is ." Then you have a whole different problem to handle.

Then we can try below if necessary.
I kinda wrote this backwards, as I thought of the above after I wrote the below.

Correct me if Im wrong, but shouldn't it just be:

if(!$_SESSION['username']) {
}

instead of using isset()... seems a bit redundant, and may be what is causing the error...

Alternatively, though unlikely, global variables may be turned on in your particular configuration, and if you are using mysql on each of your pages (importing, whatever), you may be overwriting the $username variable from your mysql loging.

Consider changing either $username to $usrnm and change all calls to it --
mysql_connect($host, $usr, $pw);

Alternatively, you can change all your session variables from $_SESSION['username'] to $_SESSION['usr'];

Whichever will save you more typing.. shrug

Ryan

Ryan, I tried the first code and it does come back with "The username in this session is."

I tried the 2nd code you suggested and it came back with

0
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Thanks for your response.

Your sessions are not staying persistent... interesting.

Make a new page, and put <?php phpinfo() ?>

and see what version you are running (you can use cntl+f and search version), and see if you have global_vars (search global) turned on or off.

Im guessing youre running PHP4 and you need to use HTTP_SESSION_VARS[] instead of $_SESSION[] but we wont know until you tell us the version.

I am running PHP Version 5.2.17

on line 34 of login, try chaging it to:

$_SESSION['username'] = $_POST['username'];

Same thing. It just redirect back to workspace.php.

you will need to eventually add exit(); after a header() call, so put that in because it belongs there.

on line 33 of login page, put die("$username");

So this is what I have so far for workspace_login.php and what it does is take me to workspace_files.php and the username is ontop.

<?php
//Start session
session_start();

$host="localhost"; // Host name 
$username="*****"; // Mysql username 
$password="*****"; // Mysql password 
$db_name="*****"; // Database name 
$tbl_name="workspace"; // Table name 

// Connect to server and select databse. 
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB"); 

// username and password sent from form 
$username=$_POST['username']; 
$password=$_POST['password']; 

// To protect MySQL injection (more detail about MySQL injection) 
$username = stripslashes($username); 
$password = stripslashes($password); 
$username = mysql_real_escape_string($username); 
$password = mysql_real_escape_string($password); 
$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'"; 
$result = mysql_query($sql); 

// Mysql_num_row is counting table row 
$count = mysql_num_rows($result); 

// If result matched $username and $password, table row must be 1 row 
if($count == 1){ 

// Register $username, $password and redirect" 
die("$username");
$_SESSION['username'] = $username; 
$_SESSION['password'] = $password;

// get the result set from the query
$result = mysql_fetch_array($result); 

// get the redirect column's value
$redirect = trim($result['redirect']); 
    if ($redirect == '') {
        echo "No redirect value was set!";
    } else {
        header("Location: $redirect");
        exit;
    }
} else { 
     header("Location: workspace.php");
} 
?>

k.. you can get rid of the die()... I have no idea why it isnt going through....

Just to be clear, it is the right username? You have $username declared twice, which is why I pointed it out earlier... it's the only thing I can think of that is causing the problem.. but your query goes through... which means the POST is not overwriting it... so I really don't know :(

I still suggest changing the first $username to $user and changing the mysql_connect() to use $user as well... if not that, I dont know.

I will try thank you for trying. I do appreciate it.

Is there another code somewhere out there where I can try and use that will do the same thing? Login, redirect to certain files or url depending on username?

You can embed a bunch of includes on the main login page, and have it parse to itself.

so...

<?php
if(!isset($_POST) || !isset($_SESSION)){ ?>    //if neither POST or SESSION is set, show form
show your table here with html
<?
}else {

if ($_POST['username']) {
//run script to validate

//if invalid, redirect or error message. Your choice.

//if valid, session_start()
//$_SESSION['username'] = $_POST['username'];
}

if(isset($_SESSION['username'])) {
//determine what page to include as $page_to_include

if($page_to_include == 1) {
include_once('page1.php');
}
else if ($page_to_include == 2) {
include_once('page2.php');

}

.... etc... etc...




}
?>

mySQL has 4 fields with id set to "PRIMARY" and username, password, redirect set to default.

Field      Type         Collation           Null   Extra
id         int10                            No     auto_increment
username   varchar20    latin1_swedish_ci   No
password   varchar20    latin1_swedish_ci   No
redirect   varchar250   latin1_swedish_ci   No

Primary refers to it being a primary key, which means it is the first column checked against when relating to other tables, when running joined queries.

Default is the default value given, assuming that no data is passed to it when a row is created.

Please keep in mind that you should be hashing your passwords when they are stored in a database. They should be hashed in PHP, then stored as a varchar(8/16/32) depending on the hash type you use.

Passwords are not meant to be saved as plain text in a database. Imagine getting hacked, and all your users will have their passwords exposed. Always try to make it one step harder if you can.

However, before you even get there, we need to get you a working page.

Thank you Ryan. Its 3:30am where I am and I am heading to bed as I have to be at work in about 5 hours or so. These codes take a toll easily on you when you are not experience or a coder. I will try it tomorrow. Again, thank you for your help and everyone else thus far. I really do appreciate all the effort. I know that not everyone out there will put the effort into helping someone they don't know. I know that I do when and if I can and when I do see someone who help others without getting anything in return, I want to express my appreciation. Again, thank you for your help and time.

Sorry I couldnt help more... goodnight :)

You have helped me more than you think. The resolution has not be found but it will get there. Good night.

Member Avatar for Zagga

I copied your code (removing the exit and die statements) and it works fine on my system, I get the message saying 'Welcome Zagga' etc. It sounds like there may be a problem with your PHP installation.

Are you running this on a local server (on your machine) or on a remote host?

Zagga, thanks for continuing to help. I am running it on a remote host with ipower.com.

Member Avatar for Zagga

Hi again,

I really can't understand why it works on my local system but not yours.

This is the exact version of your code I am using (I just changed the database connection details):

workspace.php

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</HEAD>
<BODY>
<form name="form" method="post" action="workspace_login.php">
<table>
<tr><td>Login</td></tr>
<tr><td>Username: <input name="username" type="text" style="width:215px" autocomplete="off"></td></tr>
<tr><td>Password: <input name="password" type="password" style="width:215px" autocomplete="off"></td></tr>
<tr><td><input type="submit" name="submit" value="Login"></td></tr>
</table>
</form>

workspace_login.php

<?php
//Start session
session_start();
$host="localhost"; // Host name
$username="****"; // Mysql username
$password="****"; // Mysql password
$db_name="****"; // Database name
$tbl_name="****"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result = mysql_query($sql);
// Mysql_num_row is counting table row
$count = mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
if($count == 1){
// Register $username, $password and redirect
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
// get the result set from the query
    $result = mysql_fetch_array($result);
// get the redirect column's value
    $redirect = trim($result['redirect']);
    if ($redirect == '') {
        echo "No redirect value was set!";
    } else {
        header("Location: $redirect");
        exit;
    }
} else {
    header("Location: workspace.php");
}
?>

workspace_files.php

<?php
session_start();
if (!isset($_SESSION['username'])) {
    header('Location: workspace.php');
    exit();
}
?>
<html>
<head>
<title>Secured Page</title>
</head>
<body>
<p>Welcome <b><?php echo $_SESSION['username']; ?></b>
Information here.</p>
<p><a href="logout.php">Logout</a></p>
</body>
</html>
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.