php sessions to authenticate user on login form

Front-end | Unresolved | 7 answers | 1726
借酒劲吻你 2020-12-01 07:29

I have the following code designed to begin a session and store username/password data, and if nothing is submitted, or no session data stored, redirect to a fail page.

7 answers
  • 2020-12-01 07:30

    Don't use an else section in the second if statement.

    session_start();

    // Both fields are needed, so require both (|| reads the missing one as an undefined index)
    if(isset($_POST['username']) && isset($_POST['password'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
    }

    if(isset($_SESSION['username']) && isset($_SESSION['password'])){
        $navbar = "1";
        $logindisplay = "0";
        $username = $_SESSION['username'];
        $password = $_SESSION['password'];
    }

    $authed = auth($username, $password);

    if( $authed == "0" ){
        header('Location:http://website.com/fail.php');
        exit; // header() does not stop the script; stop here so nothing below runs for a failed login
    }
    
    0 · Discussion (0)
  • 2020-12-01 07:31

    Here are a few other things, which may or may not help you, by the way:

    • Do you have error_reporting on? (see also)
    • Do you have display_errors on?
    • Is session_start the first thing you are doing in your page? There must be nothing output before it.
    • Are the cookies created on the client side?
    • header Location tells the browser it has to go to another page; it doesn't stop the execution of the PHP script. You might want to (almost always, anyway) add "exit" after it.
    0 · Discussion (0)
  • 2020-12-01 07:33

    The solution to my specific problem above:

    session_start();
    // Require both fields; with || a missing field is an undefined index
    if(isset($_POST['username']) && isset($_POST['password'])){
        $username = $_POST['username'];
        $password = $_POST['password'];
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
    }

    if(isset($_SESSION['username']) && isset($_SESSION['password'])){
        $navbar = "1";
        $logindisplay = "0";
        $username = $_SESSION['username'];
        $password = $_SESSION['password'];
        $authed = auth($username, $password);
        if( $authed == "0" ){
            header('Location:http://website.com/fail.php');
            exit; // stop the script after the redirect header
        }
    } else {
        header('Location:http://website.com/fail.php');
        exit;
    }
    
    0 · Discussion (0)
  • 2020-12-01 07:40

    Headers are not function calls. They put a directive into the HTTP headers, and the last one to execute is the one which will be processed. So let's say you have something like this:

    if ($bAuthed)
    {
         header("location: login.php");
    }
    
    // error case
    header("location: error-login.php");
    

    You will always be redirected to error-login.php no matter what happens. Headers are not function calls!

    0 · Discussion (0)
  • 2020-12-01 07:44

    First, don't store the password in the session. It's a bad thing. Second, don't store the username in the session until after you have authenticated.

    Try the following:

    <?php

    session_start();

    if (isset($_POST['username']) && isset($_POST['password'])) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        $authed = auth($username, $password);

        if (! $authed) {
            header('Location: http://website.com/fail.php');
            exit; // do not continue executing after a redirect
        } else {
            // only the username is stored, and only once auth() succeeded
            $_SESSION['username'] = $username;
        }
    }

    if (isset($_SESSION['username'])) {
        $navbar = 1;
        $logindisplay = 0;
    } else {
        header('Location: http://website.com/fail.php');
        exit;
    }
    
    0 · Discussion (0)
  • 2020-12-01 07:50

    What about using this to set up the session:

    session_start();
    if( isset($_POST['username']) && isset($_POST['password']) )
    {
        if( auth($_POST['username'], $_POST['password']) )
        {
            // auth okay, set up session (only the identity is stored, not the password)
            $_SESSION['user'] = $_POST['username'];
            // redirect to required page
            header( "Location: index.php" );
            exit;
        } else {
            // didn't auth, go back to login form
            header( "Location: loginform.html" );
            exit;
        }
    } else {
        // username and password not given, so go back to login
        header( "Location: loginform.html" );
        exit;
    }
    

    and at the top of each "secure" page use this code:

    session_start();
    session_regenerate_id();
    if(!isset($_SESSION['user']))      // if there is no valid session
    {
        header("Location: loginform.html");
        exit; // stop here so the protected content below is never sent
    }
    

    This keeps a very small amount of code at the top of each page instead of running the full auth at the top of every page. To log out of the session:

    session_start();
    unset($_SESSION['user']);
    session_destroy();
    header("Location: loginform.html");
    exit;
    
    0 · Discussion (0)
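Pulling the advice from the answers above together (verify against a stored hash, store only the identity after a successful check, regenerate the session id at login, and exit after every redirect), here is an added example that is not code from any post in this thread. The in-memory user table, the page names and the `auth()` signature are assumptions made for the demo.

```php
<?php
// login.php (added example; not code from this thread). The user table below is
// constructed for the demo: a real app loads the password_hash() value from storage.
session_start();

$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

function auth(array $users, string $username, string $password): bool
{
    // Compare against the stored hash only; the plaintext is never kept anywhere.
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

function redirect(string $to): void
{
    header('Location: ' . $to);
    exit; // header() only sets a response header; the script keeps running without exit
}

// Guard for the top of every protected page (after session_start()).
function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        redirect('loginform.html');
    }
}

// logout.php: clear server-side state and the client cookie, then redirect.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    redirect('loginform.html');
}

if (isset($_POST['username'], $_POST['password'])) {
    if (auth($users, (string) $_POST['username'], (string) $_POST['password'])) {
        session_regenerate_id(true);            // fresh id on login: blocks session fixation
        $_SESSION['user'] = $_POST['username']; // store identity only, never the password
        redirect('index.php');
    }
    redirect('loginform.html'); // wrong credentials
}
redirect('loginform.html');     // nothing submitted
```

Hashing the demo password on every request is only for keeping the example self-contained; the hash belongs in the user store, computed once at registration.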