0

I'm creating a login system that features users with varying levels of permissions. The problem I am having is that the Session variables aren't persisting between the pages. Level 1 users seem to work correctly but level 2 users can't navigate past the login page even though the session variables are set. Currently I have 3 pages: a login page, a home page, and a restricted page where the user must be logged in to view it. Level 1 users only have an account name (email address) and must obtain a temporary password from an admin. After the password expires they must obtain another temporary password or have their permissions elevated to log in. Level 2 and 3 users have both an account name (email address) and a non expiring password. My problem lies with the level 2 and 3 accounts. For some reason, when they log in, the session variable are set but they are not redirected from the login page. Also, if they try to access a page that requires them to be logged in, the session variables are wiped.

Directory Location for home page: root/index.php
Php code for home page:

<?php
    session_start();
    //echo print_r($_SESSION);
?>

Directory Location for login page: root/pages/folder/login.php
Php code for login page:

<?php
    session_start();
    //echo print_r($_SESSION);
    if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == true) {
        //echo "logged in";
        header("location: restrictedPage.php");
    }
?>

Directory Location for restricted page: root/pages/folder/restrictedPage.php
Php code for restricted page:

<?php
    session_start();
    //echo print_r($_SESSION);
    //phpinfo();
    if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == true) {
        //echo "logged in";
    }
    else {
        header("location: login.php");
    }
?>

Directory Location for login script: root/scripts/loginScript.php
Php code for login script:

<?php


$host = "localhost";                        // Host name 
$username = "test";                         // mysqli username 
$password = "test";                 // mysqli password 
$db_name = "database";          // Database name 

// Connect to server and select databse.
$con = mysqli_connect($host, $username, $password, $db_name)or die("cannot connect");

// username and password sent from form 
$username = $_POST['login']; 
$password = $_POST['password'];

//sql queries
$accountQuery = "SELECT * FROM accounts WHERE email='$username'";
$emailPasswordQuery = "SELECT * FROM accounts WHERE email='$username' && password='$password'";
$level1PasswordQuery = "SELECT * FROM level1Passwords WHERE password = '$password' && DATEDIFF(CURDATE(), date_created) <= 3";

// Protects against mysqli injection (more detail about mysqli injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysqli_real_escape_string($con, $username);
$password = mysqli_real_escape_string($con, $password);

$result = mysqli_query($con, $accountQuery);
$count = mysqli_num_rows($result);              //counts number of rows that match username
$accountArray = mysqli_fetch_array($result);    //converts query result into an array
$accountLevel = $accountArray['accountLevel'];  //gets permissions level

if (strcmp($accountLevel, "1") == 0) {
    $level1Result = mysqli_query($con, $level1PasswordQuery);
    $count2 = mysqli_num_rows($level1Result);   //counts number of rows that match password and arent expired
    $level1ResultArray = mysqli_fetch_array($level1Result);

    // If $username and $password are valid and password isnt expired, both row counts will = 1
    if ($count == 1 && $count2 == 1) {
        session_start();
        $_SESSION['loginError'] = 0;
        $_SESSION['loggedIn'] = true;
        $_SESSION['username'] = $username;
        $_SESSION['accountLevel'] = $accountLevel;
        //echo print_r($_SESSION); //prints all session variables
        mysqli_close($con);
        header("location: ../pages/folder/restrictedPage.php");
        //header("location: ../pages/folder/login.php");
    }
    else {
        $_SESSION['loginError'] = 1;
        header("location: ../pages/folder/login.php");
    }
}
else if(strcmp($accountLevel, "2") == 0 || strcmp($accountLevel, "3") == 0) {
    $level2Result = mysqli_query($con, $emailPasswordQuery);
    $count2 = mysqli_num_rows($level2Result);   //counts number of rows that match password
    //$level2ResultArray = mysqli_fetch_array($level2Result);

    // If $username and $password are valid, both row counts will = 1
    if ($count == 1 && $count2 == 1) {
        session_start();
        $_SESSION['loginError'] = 0;
        $_SESSION['loggedin'] = true;
        $_SESSION['username'] = $username;
        $_SESSION['accountLevel'] = $accountLevel;
        header("location: ../pages/folder/restrictedPage.php");
        mysqli_close($con);
    }
    else {
        $_SESSION['loginError'] = 1;
        header("location: ../pages/folder/login.php");
    }
}
else {
    $_SESSION['loginError'] = 1;
    header("location: ../pages/folder/login.php");
}
?>

Any help would be much appreciated! Thanks in advance!

Edit:
Removing the echo statements from my php code does not fix the problem of my php sessions not persisting for level 2 and 3 users.
Also, if a user navigates back to the login page by hitting the back button on the browser it logs them out. Is there a way that I could prevent this from happening?

Luke Pokrajac
  • 41
  • 7
  • you're outputting before header in login page - use this http://php.net/manual/en/function.error-reporting.php and see for yourself – Funk Forty Niner Jan 08 '16 at 01:44
  • removing the echo statements doesn't fix the problem. my php sessions still dont persist between pages for level 2 and 3 users – Luke Pokrajac Jan 08 '16 at 21:24

0 Answers0