Help with PHP Login Stuff

[cold_fusion]

---

If login.php is included with admin.php, there maybe a case that 2 session_start() are called.
And I don't see any "Welcome Admin" echo on your post above. Where is this shown?
This welcome message should be under the "else" of your if condition.

[poymode]

If login.php is included with admin.php, there maybe a case that 2 session_start() are called.

If there are two session_start() functions, will this lead to an unexpected behavior?


here's the complete admin.php, sorry posted an incomplete one

<?php


$bool_allowed = false;

//check if there is a current session for the flag for admin viewing

session_start();

if(isset($_SESSION["AllowAdmin"]))
{

//check if the current user is allowed to view this page
if($_SESSION["AllowAdmin"])
{
$bool_allowed = true;
}
}

//if the current user is not allowed to view the admin page
if(!$bool_allowed)
{
header("Location: login.php"); /* Redirect him to login page*/
}

?>
<!--The following codes will be displayed if the user is allowed to view this page-->

<html>
<head>
<title>Admin Page<title>
</head>
<body>
Welcome, Admin!
</body>
</html>

[poymode]

Bump.

[cold_fusion]

If there are two session_start() functions, will this lead to an unexpected behavior?

Maybe.

On your code the "Welcome, Admin!" message is always printed because it is not on the "else" block.
See my very first post.

[poymode]

Okay na akong page lock. Di na siya mu display ug Welcome Admin. Ang login nalang jud, whenever I Login mu redirect ra siya sa login page balik. I am confident na sakto na akong code.

Edit:
I think I have found the problem, it is in the show_page() function.

login.php has this function

function show_page($usertype)
{

session_start(); //start a session
if($usertype=="admin") //if user type is admin
{

//create a session for the flag that determines that
//the current user is allowed to visit the admin pages
//and set this to true
$_SESSION['AllowAdmin'] = true;

//redirect him/her to the admin page
header("Location: admin.php");
}
else
{
//create a session for the flag that determines that
//the current user is allowed to visit the user pages that requires login
//and set this to true
$_SESSION['AllowUser'] = true;

//redirect him/her to the userindex page
header("Location: userindex.php");
}
}

Now, I did something to check if show_page really executes, I logged-in my admin details but instead of redirecting me to admin.php, I replaced it with header("Location: welcome.php"); which contains...

<?php
echo "Hello World Success!."<br>";

It works and shows that there is nothing wrong with my variables so the function show_page() is really executed. The problem now is in my admin.php file, there is a checker whether my session variable for admin is set, so to check if this is working, I added my welcome.php...

<?php
echo "Hello World Success!."<br>";

if(isset($_SESSION['AllowAdmin']))
{
echo "Admin is set";
}
else {
echo "Admin not set";
}
?>

But unfortunately, It prints that it is NOT set.
$_SESSION['AllowAdmin'] = true; was declared in show_page() before calling header("Location: admin.php");.

I've googled stuff and I saw one, what he did was he put this function session_write_close(); before calling the header. His reason was the header() function executes very fast that it does not give time to $_SESSION to be set. I tried this also but to no avail.

Please help, what's wrong with it?

[cold_fusion]

Its the same problem.
You should include the <form> with login in an "else" block. See again my very first post.

[cold_fusion]

When is show_page() called? At the very first when no other output are echoed?
I asked this because session_start() needs to be called BEFORE all other functions that echos/displays something on your page. Even before <html> and <head> tags.

[poymode]

show_page() is called here

if(count($_POST) > 0)
{
//get the username and password from the post variables
$username = $_POST['UName'];
$password = $_POST['PWord'];

$query = "SELECT username,pword,usertype FROM user_info WHERE username = '$username' AND pword = '$password'";
$result = mysql_query($query);

//count number of rows being retrieved
//if it has a record
if (mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result); //fetch the results
//check if it user and pass from the form vs. from the DB matches
if($username==$row[0] && $password==$row[1])
{
$usertype = $row[2];
show_page($usertype);
}
}
}

this is when the user input is found in my database, it calls show_page();

[cold_fusion]

What about before the if(count($_POST) >0) line?
Is there any "echo" or even blank lines shown?
If there is session_start() won't work.

You should place session_start() *BEFORE* anything else.

[poymode]

Ill post the complete login.php

<?php
include('db.php');

function show_page($usertype)
{

session_start(); //start a session
if($usertype=="admin") //if user type is admin
{

//create a session for the flag that determines that
//the current user is allowed to visit the admin pages
//and set this to true
$_SESSION['AllowAdmin'] = true;


session_write_close();
//redirect him/her to the admin page
header("Location: welcome.php");
}
else
{
//create a session for the flag that determines that
//the current user is allowed to visit the user pages that requires login
//and set this to true
$_SESSION['AllowUser'] = true;

//redirect him/her to the userindex page
header("Location: welcomeuser.php");
}
}



//check if there is a postback or a form is submitted
if(count($_POST) > 0)
{
//get the username and password from the post variables
$username = $_POST['UName'];
$password = $_POST['PWord'];

$query = "SELECT username,pword,usertype FROM user_info WHERE username = '$username' AND pword = '$password'";
$result = mysql_query($query);

//count number of rows being retrieved
//if it has a record
if (mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result); //fetch the results
//check if it user and pass from the form vs. from the DB matches
if($username==$row[0] && $password==$row[1])
{
$usertype = $row[2];
show_page($usertype);
}
}
}


?>

<form method="post">
Username: <input type="text" name="UName" /><br>
Password: <input type="password" name="PWord" /><br>
<input type="submit" value="Go" />

I have already encountered an error regarding WHITE SPACES, echo's and output stuff before session_start();.
I guess I have fixed it already.
When I login, it will just redirect me again to the login page even with the correct details.

In the db.php included above, there is no echo statement or whatsoever.

db.php

<?php
$link = mysql_connect( "localhost", "root", "" );
if ( ! $link ) {
die( "Couldn't connect to MySQL" );
}
$database = "poy";
mysql_select_db( $database ) or die ( "Couldn't open $database" );
?>