CHECK PHP SESSION - ISSET($SESSION - IS NOT WORKING
Solution 1
Add the NOT operator ! to the if statement. Also don't forget to add exit() after your header. The location header is telling the browser to redirect, but an attacker could view your page and simply ignore the location header, thus bypassing your authentication system because your PHP code would continue to execute.
if( !isset($_SESSION["myusername"]) ){
header("location:main_login.html");
exit();
}
Furthermore, you aren't calling session_start() in the login code that you posted, therefore the session is not accessible.
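The two points made in this answer (stop the script after the redirect, and start the session on the login side too), put together as an added example that is not part of the original answer or the asker's code. The file names and the myusername session key come from the page; the function names require_login() and mark_logged_in() and the file name auth.php are assumptions made for illustration.

```php
<?php
// auth.php (hypothetical file name). Added example, not code from the page.

// Call at the very top of every protected page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();    // without this, $_SESSION is never loaded
    }
    if (empty($_SESSION['myusername'])) {
        header('Location: main_login.html');
        exit;               // the header is only a request to the client;
                            // exit keeps the rest of the page from being sent
    }
}

// Call from the login script once the submitted credentials have been verified.
function mark_logged_in(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();    // the login script needs the session as well
    }
    session_regenerate_id(true);            // issue a fresh session ID at login
    // Plain assignment replaces session_register(), which was removed in PHP 5.4.
    // Only the username is stored; the password does not belong in the session.
    $_SESSION['myusername'] = $username;
    header('Location: login_success.php');
    exit;
}

// Usage in login_success.php:
//   require 'auth.php';
//   require_login();
//   ... protected content ...
```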
Solution 2
<?php
session_start();
if (!isset($_SESSION['myusername']))
{
    header('Location: main_login.html');
    exit; // stop the script so the protected page is not sent along with the redirect
}
?>
You need to negate the check.
Solution 3
You can also use:
<?php
session_start();
if (empty($_SESSION['myusername'])) {
    header('Location: main_login.html');
    exit; // stop the script so the protected page is not sent along with the redirect
}
?>
Henry Aspden
Updated on December 20, 2020
Comments
Henry Aspden over 3 years
This is in my page, and it should check that a user is logged in on http://carbonyzed.co.uk/Websites/Jason/sites/2/test/login_success.php but anybody can access it, not just those logged in.
<?php
session_start();
if( isset($_SESSION["myusername"]) ){
    header("location:main_login.html");
}
?>
I have tried
if( isset($_SESSION["myusername"]) ){
and
if( isset($_SESSION[$myusername]) ){
LOGIN CODE perhaps a session isn't being created?
<?php
ob_start();
$host="ClubEvents.db.9606426.hostedresource.com"; // Host name
$username="ClubEventsRead"; // Mysql username
$password="Pa55word!"; // Mysql password
$db_name="ClubEvents"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
}
else {
    echo "Wrong Username or Password";
}
ob_end_flush();
?>