User redirection after a log-in...

[DaSe]

Hi guys.I'd like to find out the way of redirecting a user after a successful log-in to a page called "first.php".I guess I'll need like to implement it into the script below so what's the minimal option of doing it ? Thank you for any comments.


----------------------------------------------------
$sql = mysql_query("SELECT * FROM usersystem WHERE username = '$username' AND password = '$password' LIMIT 1") or die(mysql_error());

//check to see how many rows were returned

$rows = mysql_num_rows($sql);

if (($rows)<=0)

{

echo "Incorrect username/password";

}

else

{

//have them logged in

$_SESSION['username'] = $username;


}
}
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "

http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="

http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
</body>
</html>

 

[vacunita]

use a header:

else

{

//have them logged in

$_SESSION['username'] = $username;
 
header("Location:first.php");
}

----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

 

[DaSe]

Thank you !

 

[DonQuichote]

One note about security:

If you keep using the same session, your visitors are open to a session fixation attack. PHP has a function session_regenerate_id() to overcome this.

The danger is basically this:

Suppose I could start a session and trick you into using it. This is not a problem before login, because we are still both anonymous visitors and I can do nothing less than you can.

Now you log in. In your above example, the same session is used and that session is "upgraded" to a logged in state. If I am using the same session, I am now logged in as well. If the server had started a new session upon login, we would now have separate sessions: I would still have a not logged-in one, and you would have a logged-in one. So whenever the rights of the user change, change sessions as well. Off course, copy any data you need to the new session.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[DaSe]

Maxi thanks for the advice..I'll try to copy the code and the sessions also.

 

[jpadie]

session_regenerate_id() should automatically copy the session data to a new session file. remember to generate the new ID before you output any content otherwise the new cookie will not be delivered.

 

[DaSe]

Thanks jpadie.I'll try to implement the function.

 

[kzn]

Forgive me for dropping into this post. Jpadie / DonQuichote
I think I might have a security hole. Once a user goes onto my site a session is created basically to keep track of what they have looked at, if they log in I create a session called ie loggedin and their previous info is available to them. From what I have mentioned, do I have a security concern? Thanks

 

[darrellblackhawk]

As the others mentioned, when the user logs in, regenerate the session id. That regeneration has to be accomplished before anything else gets sent to the browser.

 

[kzn]

Thanks darrellblackhawk will make the changes

Cheers