php - password protection access denied on certain files

364

I am trying to setup password protection to use with certain files. I have followed an online tutorial, and get some success but in other instances keep getting a call to a page denying access despite what appears to be the exact same operations being performed.

From my login page, the login script calls a php login page, which should store session ID. I then have a separate page that checks if the session ID has been stored, and that page (called auth.php) is included in the pages I am trying to protect. I put the php code at the very beginning of the file, and as I said for some test pages it works but for the pages I need it for it reverts to the access-denied page, which to me means it is not recognizing that the session ID has been stored. I'm not getting any error messages relating to connection issues, so my focus is on the session ID issue. Any thoughts would be appreciated.

Include code:

<?php
require_once('auth.php');
?>

auth.php code:

<?php
//Check whether the session variable SESS_MEMBER_ID is present or not
if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {
    header("location: access-denied.php");
    exit();
}
  ?>

Pertinent portion of login script code:

//Create query
$qry="SELECT * FROM members WHERE login='$login' AND password='".md5($_POST['password'])."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result) == 1) {
        //Login Successful
        session_regenerate_id();
        $member = mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
        $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
        session_write_close();
        header("location: member-index.php");
        exit();
    }else {
        //Login failed
        header("location: login-failed.php");
        exit();
    }
}else {
    die("Query failed");
}

Full login code:

<?php
//Start session
session_start();

//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;


//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

//Input Validations
if($login == '') {
    $errmsg_arr[] = 'Login ID missing';
    $errflag = true;
}
if($password == '') {
    $errmsg_arr[] = 'Password missing';
    $errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
    $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
    session_write_close();
    header("location: login-form.php");
    exit();
}

//Create query
$qry="SELECT * FROM members WHERE login='$login' AND password='".md5($_POST['password'])."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result) == 1) {
        //Login Successful
        session_regenerate_id();
        $member = mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
        $_SESSION['SESS_LAST_NAME'] = $member['lastname'];
        session_write_close();
        header("location: member-index.php");
        exit();
    }else {
        //Login failed
        header("location: login-failed.php");
        exit();
    }
}else {
    die("Query failed");
}

?>

84

Answer

Solution:

I'm not seeing anysession_start() You need it (see the manual ) in the beginning of any php file that uses sessions...

People are also looking for solutions to the problem: php - How to do a gravity zoom in CodeIgniter with Imagemagick?

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.