session variables and crack! help!

[frodiggs]

Hey, I'm going bonkers with this one. Below I am creating a session named 'accesslogin' once the user successfully logs in.
This is the latter part of the code...

if (($variable2 != $loginname) OR ($variable3 != $passwd))
{
echo &quot;<font size=4 color='fffff'><br>Login Failed. <br><br></font>&quot;;
echo &quot;<font size=2>Please check with your Account<br> Manager for the Account password. <br><br></font>&quot;;
echo &quot;<font size=2>Use your BACK button to try again. <br><br></font>&quot;;
exit;
}
else
{
session_start();
session_register('accesslogin');
echo &quot;<meta http-equiv='refresh' content='0; url=$variable4'>&quot;;

I want all pages to redirect to the login page if a user has not successfully logged to prevent boomarking etc.
This code is at the top of my pages but I can still acess them without logging in. I think I need an else statement. As you can see im a bit rough on the code...

<?// includes

// session check
session_start();
if (!session_is_registered(&quot;accesslogin&quot)
{
header(&quot;Location: login.php?ec=2&quot;
exit;
}
?>

 

[AnakinPt]

first you can throw out the name of the session cause is junk

suppose your login page is called login.php
and if login is ok it goes to /members
if ($_POST[login]==$login && $_POST[password]==$password)
session_start();
$_SESSION[accesslogin]=$_POST[login];
Header(&quot;location: /members&quot;
}else{
Header(&quot;location: /login.php?fail=1&quot;
}

Something like this works just fine.
Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com

 

[frodiggs]

hmm. actually if the login is ok the SQL db determines the URL/path. the login.php connects to mssql so i think we may be talking about 2 different things (i could be wrong)

am i right to create a session name after successful login and then on each page in my directory check for the session and redirect to login.php if not registered?

i was told this is the best process. no?

 

[AnakinPt]

no ... i said that the session name in the session_start is junk.

session_start don't have any params.

1st you must to the login form.
2nd you must build a script to the the action of the form, in this case my script above login.php
3rd if the url is in the mssql, where i redirect to the members dir, you read from the mSSQL the right url and redirect the user to that url.

understand now? Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com

 

[frodiggs]

i do sort of but my login page works fine so i am confused. i am successfully login them in, taking them to a URL in SQL and creatinga session with the value accesslogin.

now i just want to restrict all pages when the user has not logged in, redirecting them to the login page.

as far as your example plase bear with me as i;m trying to learn php. i can see where i would put the URL string from SQL in your login example though.

 

[AnakinPt]

when you check the login of the user, you create at least one session var and set it with some value

$_SESSION[islogin]=1;

then you redirect the user to the proper page.

know you create a file named (session_restricted.php), for example, with:
session_start();
if (!$_SESSION[islogin]) Header(&quot;Location: /login.php&quot;

then you include this file in ALL the files you want to be secured ones.
Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com

 

[frodiggs]

i think i have a better idea. i somehow have two threads with the same topic, oops! sorry. this last example you gave me makes sense.

anyway, when you say include this file session_restricted.php in all secured files do you mean reference them?

i'm not sure how you include the 'session_restricted.php' file in these secured pages. i know at the beginning of each page it needs to check the session_restricted.php but not sure specifically how to do it.

 

[AnakinPt]

as simple as ALL the pages that should be acceced only with login/password in the site, just do:

include(&quot;session_restricted.php&quot;

Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com