I hope you can help me, I have been at this for the last couple of hours and I can't figure it out. I am creating an admin panel for specific users to log into. I got the PHP and MySQL connection nailed, the login works perfectly and users can even register. Now the problem I have is that users can simply use the direct URL to get to the panel page. That's why I looked around a bit and found some solutions. But for some reason all of these end up in a redirect loop for me.
Here is my code: index.php | This page checks if users might already be logged in and includes the correct page users need to see.
<?php
require_once("config/db.php");     // Database Connection Details
require_once("classes/Login.php"); // Username check with mysql
$login = new Login();
if ($login->isUserLoggedIn() == true) {
    include("/home.php");               // Admin Panel main page
} else {
    include("views/not_logged_in.php"); // Login page
}
home.php | Main admin panel page
<?php
session_start();
if (empty($_SESSION['user'])) {
    header("Location: index.php");
}
?>
<-HTML CODE GOES BELOW HERE->
Login.php | Checks if users and password exist/are correct with the mysql database plus throws out error messages when needed
<?php
class Login
{
    private $db_connection = null;
    public $errors = array();
    public $messages = array();

    public function __construct()
    {
        // create/read session, absolutely necessary
        session_start();
        if (isset($_GET["logout"])) {
            $this->doLogout();
        } elseif (isset($_POST["login"])) {
            $this->dologinWithPostData();
        }
    }

    private function dologinWithPostData()
    {
        if (empty($_POST['user_name'])) {
            $this->errors[] = "Username field was empty.";
        } elseif (empty($_POST['user_password'])) {
            $this->errors[] = "Password field was empty.";
        } elseif (!empty($_POST['user_name']) && !empty($_POST['user_password'])) {
            $this->db_connection = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
            if (!$this->db_connection->set_charset("utf8")) {
                $this->errors[] = $this->db_connection->error;
            }
            if (!$this->db_connection->connect_errno) {
                $user_name = $this->db_connection->real_escape_string($_POST['user_name']);
                $sql = "SELECT user_name, user_email, user_password_hash
                        FROM users
                        WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_name . "';";
                $result_of_login_check = $this->db_connection->query($sql);
                if ($result_of_login_check->num_rows == 1) {
                    $result_row = $result_of_login_check->fetch_object();
                    if (password_verify($_POST['user_password'], $result_row->user_password_hash)) {
                        // mark the session as authenticated
                        $_SESSION['user_name'] = $result_row->user_name;
                        $_SESSION['user_email'] = $result_row->user_email;
                        $_SESSION['user_login_status'] = 1;
                    } else {
                        $this->errors[] = "Wrong password. Try again.";
                    }
                } else {
                    $this->errors[] = "This user does not exist.";
                }
            } else {
                $this->errors[] = "Database connection problem.";
            }
        }
    }

    public function doLogout()
    {
        // delete the session of the user
        $_SESSION = array();
        session_destroy();
        // return a little feedback message
        $this->messages[] = "You have been logged out.";
    }

    public function isUserLoggedIn()
    {
        if (isset($_SESSION['user_login_status']) AND $_SESSION['user_login_status'] == 1) {
            return true;
        }
        // default return
        return false;
    }
}
I hope somebody can see through what's going on and find the issue, because I am out of ideas.
Thank you!
$_SESSION['user'] isn't defined anywhere. Perhaps you mean to check for $_SESSION['user_name']. You will also want to make sure the variable exists.
UPDATED: This will not allow anyone access to your file via the URL if the user_name var is not set.
if ( ! isset($_SESSION['user_name']) || empty($_SESSION['user_name']) ) {
header("Location: index.php");
}
Do you have error checking turned on? Put this at the top of your code:
error_reporting(E_ALL);
Use an absolute path in the header instead of just index.php:
<?php
session_start();
if (empty($_SESSION['user'])) {
    header("Location: http://www.example.com/path_to_index/index.php");
}
?>
Because if empty($_SESSION['user']) returns true, then it redirects to the current index.php page and starts a loop.
Just use this code in home.php:
if (!isset($_SESSION['user_login_status']) || $_SESSION['user_login_status'] != 1) {
    header("Location: index.php");
}
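The answers above fix the key mismatch, but two things a practitioner would still want are missing from every snippet on this page: header("Location: ...") does not stop the script, so without an exit the admin HTML below the check is still sent to the unauthenticated client; and the session ID is never regenerated after a successful password_verify(). The following auth.php is an added example written for this edit, not code from the original question or any of the answers. It assumes the session keys the question's Login class sets (user_name, user_email, user_login_status = 1); the constants LOGIN_URL and PANEL_URL and the function names are the editor's own choices.

```php
<?php
// auth.php -- added example, not code from the original post.
// One shared guard that every admin page includes, plus the steps
// Login.php should take once password_verify() has succeeded.
// Assumes the session keys the question's Login class sets.
declare(strict_types=1);

const LOGIN_URL = '/index.php'; // assumed URL of the login page
const PANEL_URL = '/home.php';  // assumed URL of the admin panel

/** Start the session unless something else (e.g. the Login constructor) already did. */
function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** True only when Login.php marked this session as authenticated. */
function is_logged_in(): bool
{
    ensure_session();
    // Cast in case the flag was stored as a string by an older session.
    return isset($_SESSION['user_login_status'])
        && (int) $_SESSION['user_login_status'] === 1;
}

/**
 * Put this at the very top of every admin page, before any HTML.
 * header() alone does not end the request: without the exit below,
 * the HTML after this call is still delivered to the unauthenticated
 * client and the redirect is merely cosmetic.
 */
function require_login(): void
{
    if (is_logged_in()) {
        return;
    }
    header('Location: ' . LOGIN_URL, true, 303);
    exit;
}

/**
 * Replace the three $_SESSION[...] = ... lines in dologinWithPostData()
 * with a call to this right after password_verify() returns true.
 */
function finish_login(string $user_name, string $user_email): void
{
    ensure_session();
    // Fresh session ID on privilege change, so an ID planted before
    // login (session fixation) buys the attacker nothing.
    session_regenerate_id(true);
    $_SESSION['user_name'] = $user_name;
    $_SESSION['user_email'] = $user_email;
    $_SESSION['user_login_status'] = 1;
    // Post/Redirect/Get to the panel's own URL. index.php never
    // include()s home.php, so index.php -> home.php -> index.php
    // cannot loop: each page owns exactly one check.
    header('Location: ' . PANEL_URL, true, 303);
    exit;
}
```

Usage: home.php starts with require_once __DIR__ . '/auth.php'; require_login(); and only then emits HTML, while index.php shows nothing but the login form and lets finish_login() send the browser to home.php. Keeping the guard in one file means the key name (user_login_status) is spelled in exactly one place, which is what went wrong in the original home.php.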
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.