PHP check session, checking multiple variables to allow access to specific pages

Question

Apologies if there is a question and an answer for those, but I've been searching for about 30 minutes, and I keep getting hits on creating sessions which I don't need to know how to do.

My question is pretty simple, I have a database with a table of login information for users. Each user has a unique ID, and each page on the site checks the session for someone simply logged in. If a user is not logged in and session created, it kicks you back to the login screen, via the use of Header (Location:). In the table it stores a unique id, the username, the password, and a "redirect" column so that when a user logs in, they are redirected to the page they're supposed to see. There is no other navigation on the website, so seeing pages they aren't supposed to is at a minimal risk, seeing as they'd have to know the exact url to get to a page. However, to further the security, I want the check session function to check both that a user is logged in as well as check to see if the unique ID matches the unique id allowed to see that page.

This is the code I've tried (simply to see if I could restrict unique IDs), and it gives me the Header php warning that it cannot be modified as it's already been sent.

<?PHP
session_start();
if (!(isset($_SESSION['unique_id']) && $_SESSION['unique_id'] != '1, 2, 3')) {
header ("Location: /dampers/main_login.php");
}
?>

I read that as "If session is not set, and the unique ID does not equal 1, 2, or 3, return to login page".

I set the unique id in the same way username and password were set in the check login php.

    mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$username=$_POST['username']; 
$password=$_POST['password'];
$unique_id=$_POST['unique_id'];


$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){


session_start();
$_SESSION["username"] = $username;
$_SESSION["password"] = $password;
$_SESSION["unique_id"] = $unique_id;

$result = mysql_query("SELECT redirect FROM damper_members WHERE username = '".$_SESSION['username']."'");

while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
   header("Location:" . $row['redirect']);
}

// header("Location: /dampers/index.php");
exit;
}
else {
$errorMessage = "Wrong Username or Password";
header("Location: main_login.php");
}

ob_end_flush();
?>

I feel as though I'm probably missing something, and I realize that my pseudo code to check for specific unique IDs is probably way off. Any help would be appreciated!

The message "Headers already sent" normally occurs when there already has been an output (e.g. using echo) and then the http header is getting modified. But with the first out put the headers are sent to the client, and thus cannot be modifed anymore. I assume your code is included in another file, where some kind ouf output occurs. — Mario A, Jan 29 '15 at 21:02
This is the entire head section ` ` There is an include the check_session, but I've commented it out. there is only one Header(Location:) in the head. — realianstanford, Jan 29 '15 at 21:07

Mario A · Answer 1 · 2015-01-29T22:28:37.813

0

The reason for the error message is that there has been an output before you modified the header information. The output happens here:

<!-- <?php include('../../inc/check_session.php'); ?> -->

Before you open the <?php tag there is an html comment tag <!--. The html comment tag is an output and is sent to the client, and by the way has no effect on your php code because it is only processed in the browser. If you want to comment something out in php use /* .. */. That is in your case:

<?php 
  /* include('../../inc/check_session.php');  */ 
  session_start();
  /* ... */

Make sure that there is nothing before the opening <?php not even a blank space.

Further, I suppose with $_SESSION['unique_id'] != '1, 2, 3' you want to check if the session variable equals either '1' or '2' or '3'. But that doesn' work this way, try this:

if (!isset($_SESSION['unique_id']) || !in_array($_SESSION['unique_id'], array('1', '2', '3'))) {
  header ("Location: /dampers/main_login.php");
}

Edit: Ok, this seems to become a trial and error thing. But if I understand you right, the unique id is stored in the user table

$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
 $userRow = mysql_fetch_array($result, MYSQL_ASSOC);

 session_start();
 $_SESSION["username"] = $username;
 $_SESSION["password"] = $password;
 $_SESSION["unique_id"] = $userRow['uniuque_id']; // assuming the corresponding table row name is 'unique_id'

edited Jan 29 '15 at 22:28

answered Jan 29 '15 at 21:22

Mario A

3,286
1
17
22

Appreciated, I didn't realize I was using the wrong comment tags. The text editor I use has a shortcut for it, and I assumed it automatically picked the correct commenting method based on the code that was selected like other editors I've used in the past. Still looking for restricting specific pages to specific IDs though ;) – realianstanford Jan 29 '15 at 21:25
I take it back haha, it's now not allowing any user to access the page. Every time I try and open the page it kicks the user back to the login. – realianstanford Jan 29 '15 at 21:29
I think it's possible that this has something to do with it. I think it's only grabbing username and password from the mysql table. `$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";` – realianstanford Jan 29 '15 at 21:38
sorry, just can do wild guessing without knowing your entire code. Try to output `$_SESSION['unique_id']` and see if it has a useful value. And where do the values 1,2,3 come from? – Mario A Jan 29 '15 at 21:49
editing the main post with everything but the server login credentials with the check login credentials. Those numbers are unique ids assigned to each login in the mysql table. admin is id 1, user number 2 is id 2, user number 3 is id 3 and so on and so forth. so the table has 4 columns: id, username, password, redirect. I want the page to check to see if the user trying to access it has the correct id to see the page. – realianstanford Jan 29 '15 at 21:52
Why does `$unique_id` come from post? shouldn't it come from the database? – Mario A Jan 29 '15 at 22:07
You're right, I'm still learning. Obviously that's a rookie mistake. So does the $sql="SELECT..." line need to grab unique_id as well as username and password then? I don't know, I tried searching for an sql statement that grabbed three columns from a table, but all I got back were results on how to grab results from multiple tables. – realianstanford Jan 29 '15 at 22:11
I made an update, but come on, I can't code the stuff for you, you need to work your own brain a little bit – Mario A Jan 29 '15 at 22:29
Thank you, that works. And I know. I'm trying to learn and operating under a deadline for my job, which my last day is tomorrow. Excuses, but that's what my reasoning. I will say I did try to figure this out on my own the past couple of days, but no luck. Again, thanks. – realianstanford Jan 29 '15 at 22:58

PHP check session, checking multiple variables to allow access to specific pages

1 Answers1

Linked