
PHP-Script to check if user is logged in not working as expected

Problem

I am building a panel for an admin for a web system. I have to make sure that hackers, if they have knowledge of the names of the files on this server, cannot access certain pages directly without at least logging in. Now, after looking at similar PHP code used to achieve this, I discovered that after you have verified the existence of the user from the database, you start a session and then you store a boolean variable indicating whether this user is logged in inside $_SESSION["loggedin"] as true. I did exactly that in my login.php file, and also included a conditional structure to check if the user is logged in at the top of my admin_upload.php file. It checks the value of $_SESSION["loggedin"].

What I Expected

I expected that whenever I enter the URL to directly access the admin_upload.php file on the server without logging in, it would take me to login.php to start a session before I can view that page. Instead, it opens the page with the values that I am supposed to grab from the login session being null.

Code

The login.php file is posted below

<?php
$conn=mysqli_connect("localhost","root","","rating");
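if(!$conn){
    echo "Connection to database was unsuccessful";
    exit;
}
$username="";
$password="";
$username=trim($_GET["p"] ?? "");
$password=trim($_GET["q"] ?? "");
//echo $password;
//bind the username as a parameter instead of concatenating it into the SQL
$stmt=mysqli_prepare($conn,"SELECT username from Admin where username=?");
mysqli_stmt_bind_param($stmt,"s",$username);
mysqli_stmt_execute($stmt);
$result=mysqli_stmt_get_result($stmt);
if(mysqli_num_rows($result)>0){
    $pass_stmt=mysqli_prepare($conn,"SELECT Password FROM Admin WHERE username=?");
    mysqli_stmt_bind_param($pass_stmt,"s",$username);
    mysqli_stmt_execute($pass_stmt);
    $real_qry=mysqli_stmt_get_result($pass_stmt);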
    if(mysqli_num_rows($real_qry)>0){
        $row=mysqli_fetch_row($real_qry);
        $pass=$row[0];
        //echo $password;
        if(password_verify($password, $pass)){
          //start session
            session_start();
            //store the admin name in a session
            $_SESSION["username"]=$username;
            $_SESSION["loggedin"]=true;
            echo "password verification passed";
        

        }else{
            echo "Incorrect password";
        }
    }
}else{
    echo "No account with that username was found";
}
?>

The admin_upload.php is posted below

<?php
session_start();
//initialize the session
//check if the user is logged in
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] !== true){
//redirect to login.php if false
        header("location: login.php");
    exit;
}
//session_start();
$name=$_SESSION["username"];
//if he is logged in then display images to be added
include "layout/product_add.php";

?>
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="materialize/css/materialize.min.css"/>
</head>
<body>
</body>
</html>

Any help to make this check if the user is logged in and redirect accordingly is greatly appreciated. Thank you.


Answer

You're going to want to update

if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] !== true){

with

if(!isset($_SESSION["loggedin"]) || !$_SESSION["loggedin"]) {

That verifies that the $_SESSION["loggedin"] is not set OR that it's set and NOT TRUE, then it will do your redirection.

User contributions licensed under: CC BY-SA
8 People found this is helpful
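
The difference between the two conditions above, shown as an added example (not code from the question or the answer): it evaluates each guard against constructed session states, where "ALLOW" means the protected page would be served. The strict_guard variant and the require_login() helper are hypothetical names introduced here as assumptions.

```php
<?php
// Added example: compares guard conditions on constructed session states.
// A return value of true means "redirect to login.php".

function original_guard(array $s): bool {
    // Condition from the question: only redirects when the key EXISTS
    return isset($s["loggedin"]) && $s["loggedin"] !== true;
}

function answer_guard(array $s): bool {
    // Condition from the answer: redirects when the key is missing or falsy
    return !isset($s["loggedin"]) || !$s["loggedin"];
}

function strict_guard(array $s): bool {
    // Assumption: stricter variant that accepts nothing but boolean true
    return ($s["loggedin"] ?? null) !== true;
}

// Hypothetical helper to call at the top of every protected page
function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (strict_guard($_SESSION)) {
        header("Location: login.php");
        exit; // stop here so the rest of the page is never rendered
    }
}

// Constructed session states, not captured from a real application
$states = [
    "no session data (direct URL access)" => [],
    "loggedin = false"                    => ["loggedin" => false],
    "loggedin = true"                     => ["loggedin" => true],
    "loggedin = 'yes' (string)"           => ["loggedin" => "yes"],
];

foreach ($states as $label => $s) {
    printf("%-38s original:%-9s answer:%-9s strict:%s\n", $label,
        original_guard($s) ? "redirect" : "ALLOW",
        answer_guard($s) ? "redirect" : "ALLOW",
        strict_guard($s) ? "redirect" : "ALLOW");
}
```

Run it with the PHP CLI; the first row is the case from the question, where a visitor with no session reaches admin_upload.php under the original condition.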