
I have a simple login/logout script and you should not be able to have direct access to a specific page that I have called 'success.php'. I don't know if it's a typo somewhere or if my session is not working properly.

index.php

<?php

// Start the session
session_start();

// Defines username and password. Retrieve however you like.
$username = "user";
$password = "pw";

// Error message
$error = "";

// Checks to see if the user is already logged in. If so, redirect to correct page.
if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == true) {
    $error = "success";
    header('Location: success.php');
    exit; // stop here so the login form is not rendered after the redirect header
}

// Checks to see if the username and password have been entered.
// If so and are equal to the username and password defined above, log them in.
if (isset($_POST['username']) && isset($_POST['password'])) {
    if ($_POST['username'] == $username && $_POST['password'] == $password) {
        $_SESSION['loggedIn'] = true;
        setcookie('userName', $_POST['username'], time()+3600); // Expiring after 1 hour (3600 seconds)
        header('Location: success.php');
        exit;
    } else {
        $_SESSION['loggedIn'] = false;
        $error = "<p style='color:red;font-size:11px;'>Invalid username and/or password!</p>";
    }
}
?>

<div class="col-md-3 col-lg-2 col-sm-6 col-xs-6">
    <div class="form-login">
        <form method="post" action="index.php">
        <h4 style="color: #FFF;">S-Files</h4>
        <input type="text" name="username" class="form-control" placeholder="username" maxlength="40" autofocus required />
        <br />
        <input id="password" type="password" name="password" class="form-control" placeholder="password" maxlength="15" required />
        <br />
        <div class="wrapper">
            <span class="group-btn">
                <button type="submit" name="submit" class="btn btn-primary btn-md">login <i class="fa fa-sign-in" ></i></button>
            </span>
        </div>
        </form>
        <!-- Output error message if any -->
    <?php echo $error; ?>
    </div>
</div>

success.php

<?php
// Start the session
session_start();
// ob_start();

// Check to see if actually logged in. If not, redirect to login page
if (!isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == false && !isset($_COOKIE['userName'])) 
{
    header('Location: index.php');
}

Logout.php

<?php
session_start();
$_SESSION['loggedIn'] = false;
unset($_SESSION);

// Delete cookie
if (isset($_COOKIE['userName'])) 
{
    unset($_COOKIE['userName']);
    setcookie('userName', '', time() - 3600); // empty value and old timestamp
}

// Unset all of the session variables. 
$_SESSION = array(); 

// If it's desired to kill the session, also delete the session cookie. 
// Note: This will destroy the session, and not just the session data! 
if (ini_get("session.use_cookies")) { 
    $params = session_get_cookie_params(); 
    setcookie(session_name(), '', time() - 42000, 
        $params["path"], $params["domain"], 
        $params["secure"], $params["httponly"] 
        ); 
} 

// Finally, destroy the session. 
session_destroy(); 
header("Location: index.php");

So my problem is that users can type the url /success.php and view the content in there without logging in, I want them to be redirected to index.php if they are not authenticated. What am I doing wrong?

Marst
  • You want them to be redirected to **index.php** if they are not authenticated but if they are authenticated you also redirect them to same page. I think your conditions are not structured properly. – C. Norris Apr 24 '17 at 05:33
  • How do I go about redirecting them to the same page if they are authenticated? I thought you could only redirect once from a page. – Marst Apr 24 '17 at 05:38

2 Answers


Your condition is wrong, 'cause you're using an AND instead of an OR for the session checking. You can't combine "SESSION NEEDS TO NOT EXIST" && "SESSION NEEDS TO BE SET TO FALSE": a session that's set to FALSE returns false for the !isset($_SESSION['loggedIn']), so the whole condition will be false and the user won't be redirected. So you might change your code this way:

session_start();

// Redirect unless the session explicitly says the user is logged in
if (isset($_SESSION['loggedIn']))
{
    if ($_SESSION['loggedIn'] != true)
    {
        header("location:index.php");
        exit;
    }
}
else
{
    header("location:index.php");
    exit;
}
PHPdevpro
  • This gave me a 500 error when I try to login with the correct credentials and when I try to directly visit the **/success.php** url. 500 error means something wrong in the php code I believe? – Marst Apr 24 '17 at 16:55
  • I fixed the error, I think it was due to white spaces but I cannot pinpoint exactly. However, I can still go through with directly visiting **/success.php**.. – Marst Apr 24 '17 at 17:53

I turned on error reporting and I got the 500 error: "Warning: Cannot modify header information - headers already sent by...on line 3... blabla...". I removed the code at line 3 and pasted it on the line above and it worked. The smallest problems are always the largest. I guess it has something to do with it auto-adding some weird invisible symbols to that line or something similar. This stack thread helped me a bunch!

Also, thanks for all the responses!

Marst
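A hardened version of the guard at the top of success.php that combines the first answer's point (the AND condition can never redirect a failed login) with the self-answer's point (any output before header() breaks the redirect). This is an added example, not code from the question or from either answer; it assumes index.php sets $_SESSION['loggedIn'] = true on a successful login, as the question's index.php does, and the names isLoggedIn and requireLogin are the example's own.

```php
<?php
// Added example, not code from the question or either answer. It rewrites
// the guard at the top of success.php so that the two faults discussed on
// this page cannot recur. Assumes index.php sets $_SESSION['loggedIn'] = true
// on a successful login, exactly as the question's index.php does.
declare(strict_types=1);

// Nothing may be output before session_start() and header(): not a blank
// line, not a space before "<?php", not a BOM. Any of them triggers
// "Cannot modify header information - headers already sent".
session_start();

/**
 * The question's guard ANDs !isset($_SESSION['loggedIn']) with
 * $_SESSION['loggedIn'] == false. After a failed login the key is set (to
 * false), so !isset() is false, the whole AND is false and no redirect
 * happens. The corrected test asks one question only: does the server-side
 * session say this user logged in? The 'userName' cookie is ignored on
 * purpose; the browser stores and sends it, so it proves nothing.
 */
function isLoggedIn(array $session): bool
{
    return isset($session['loggedIn']) && $session['loggedIn'] === true;
}

/**
 * Redirect and stop. header() only queues a response header; without exit
 * PHP keeps running and still sends the protected HTML to the client.
 */
function requireLogin(array $session, string $loginPage = 'index.php'): void
{
    if (!isLoggedIn($session)) {
        header('Location: ' . $loginPage, true, 302);
        exit;
    }
}

requireLogin($_SESSION);
?>
<!-- Everything below is only reached by an authenticated session -->
<p>Protected content</p>
```

On the login side, index.php should call session_regenerate_id(true) immediately before setting $_SESSION['loggedIn'] = true, so that the session ID a visitor had before authenticating is not the one that carries the logged-in state afterwards.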