1

I'm trying to add a bit more security to my website process so that an external user who tries to bypass the login page will run into an !isset that checks whether the login $_SESSION variables are set and if not, destroys the session and redirects back to the main login page.

My problem is that the !isset function returns a FALSE value and thus destroys the session and redirects, but when I test the variables on that page with print_r they are being recognized and stored.

My code (I've blanked out the variables):

<?php  

 session_start();

 if(!isset($_SESSION['xxx'], $_SESSION['xxx']))
  { echo "Login successfull"; }

  else 

  { session_destroy();
    header("location:main_login.php");
  }

?>

If anyone could explain me what I did wrong (not even necessarily give me the answer on paper, I like to understand and learn since I'm a rookie) that would be amazing. I tried looking around but couldn't really find what I was looking for. Many thanks in advance!

Cœur
  • 37,241
  • 25
  • 195
  • 267
Sean Limpens
  • 79
  • 1
  • 1
  • 12

2 Answers2

2
isset($_SESSION['xxx'], $_SESSION['xxx'])

will return false if not ALL of the vars are set.

So your condition must be as below.

if(isset($_SESSION['xxx'], $_SESSION['xxx']))
Dipesh Parmar
  • 27,090
  • 8
  • 61
  • 90
2
if(!isset($_SESSION['xxx'], $_SESSION['xxx']))

This is checking if the session is not set, note the ! symbol. So you are echoing Login Successfull when the session variables are not set.

You should have it like the following:

if(isset($_SESSION['xxx'], $_SESSION['xxx']))
{ 
    echo "Login successfull"; 
}
else 
{ 
    session_destroy();
    header("location:main_login.php");
}
Paddyd
  • 1,870
  • 16
  • 26