Problem
I am building a panel for an admin for a web system. I have to make sure that hackers, if they have knowledge of the names of the files on this server cannot access certain pages directly without at least logging in.
Now after looking at similar php code used to achieve this, i discovered that after you have verified the existence of the user from the database, you start a session and then you store a boolean
variable indicating whether this user is logged in side the $_SESSION["loggedin"]
as true
.
I did exactly that in my login.php
file, and also included a conditional structure to check if user is logged in on top of my admin_upload.php
file. It checks the value of $_SESSION["loggedin"]
.
What I Expected
I expected that whenever i enter the url to access diirectly the admin_upload.php
file on the server without logging in, it would take me to login.php
to start a session before i can view that page, instead it opens the page with values that am supposed to grab from login with session null.
Code
The login.php file is posted below
<?php $conn=mysqli_connect("localhost","root","","rating"); if(!$conn){ echo "Connection to database was unsuccesful"; } $username=""; $password=""; $username=trim($_GET["p"]); $password=trim($_GET["q"]); //echo $password; $sql="SELECT username from Admin where username="."'".$username."'"; //echo $sql; $result=mysqli_query($conn,$sql); if(mysqli_num_rows($result)>0){ $pass="SELECT Password FROM Admin WHERE username="."'".$username."'"; $real_qry=mysqli_query($conn,$pass); if(mysqli_num_rows($real_qry)>0){ $row=mysqli_fetch_row($real_qry); $pass=$row[0]; //echo $password; if(password_verify($password, $pass)){ //start session session_start(); //store the admn name in a session $_SESSION["username"]=$username; $_SESSION["loggedin"]=true; echo "password verification passed"; }else{ echo "Incorrect password"; } } }else{ echo "No account with that username was found"; } ?>
The admin_upload.php is posted below
<?php session_start(); //initiaize the session //check if the user is logged in if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] !== true){ //redirect to welcome.php if false header("location: login.php"); exit; } //session_start(); $name=$_SESSION["username"]; //if he is loged in then display images to be added include "layout/product_add.php"; ?> <!DOCTYPE html> <html> <head> <link rel="stylesheet" href="materialize/css/materialize.min.css"/> </head> <body> </html>
Any help to make this check if user is logged in and redirect accordingly is greatly appreciated, Thank You.
Advertisement
Answer
Your going to want to update
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] !== true){
with
if(!isset($_SESSION["loggedin"]) || !$_SESSION["loggedin"]) {
That verifies that the $_SESSION["loggedin"]
is not set OR that its set and NOT TRUE then it will do your redirection