checkit923

Reputation: 81

"You must be logged in to access this page" error

I have my login.php set up so that whenever a login is successful, it automatically directs to profile.php. However, even if the login is successful, whenever I go to profile.php it still says "You must be logged in to access this page". Why?

Here's my login.php:

$email = $_POST['email-field'];
$password = $_POST['password-field'];

if ($email && $password)
{
    $connect = mysql_connect("xx", "xx", "xx") or die("Couldnt connect!");
    mysql_select_db(xx) or die("Couldnt find db");

    $query = mysql_query("SELECT * FROM users WHERE email = '$email'");

    $numrows = mysql_num_rows($query);

    if ($numrows != 0)
    {

        while ($row = mysql_fetch_assoc($query))
        {
            $email = $row['email'];
            $md5password = $row['password'];
        }

        if ($email == $email && $md5password == md5($password))
        {
            header("Location: profile.php");
            $_SESSION['email']==$email;
        }
        else
            echo "Incorrect password";
    }
    else
        die("That user doessnt exist!");
}
else
    die("Please enter a username and a password");

And my profile.php:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<?php 

include('get-info.php');

session_start();

if ($_SESSION['email'])
    echo "<a href=logout.php>Logout</a>";
else
    die("You must be logged in to access this page");


?>


<html>

    <head>

        <title>

            R-A | Profile

        </title>

        <link href='css.css' rel='stylesheet' type='text/css' />

    </head>

    <body class='body3' >

        <div class='logo-bar'>

            <div class='menu'>

                <img src='images/rateaway.png' class='logo-bar-img' />

                    <div class='menu-options'>

                        <a href='index.php' class='menu-links' >Home</a>

                        <a href='profile.php' class='menu-links' >Profile</a>

                        <a href='profile.php' class='menu-links' >Friends</a>

                    </div>

            </div>

        </div>

        <div class='profile-main-content' >

            <div class='profile-current-info'>

                <p class='profile-name'> <?php get_info('[email protected]', 'name'); ?> </p>

                <img src='<?php get_info('[email protected]', 'profilepic'); ?>' class='profile-pic'/>

                <p class='profile-dob' > Born: <?php get_info('[email protected]', 'dob'); ?> </p>

                <p class='profile-country' > Currently lives in: <?php get_info('[email protected]', 'country'); ?> </p>

                <p class='profile-gender' > Gender: <?php get_info('[email protected]', 'gender'); ?> </p>

            </div>

            <div class='profile-edit-info' >



            </div>

        </div>

    </body>

Upvotes: 2

Views: 5315

Answers (4)

Jhony45

Reputation: 1

This function note required,

if ($email==$email&&$md5password==md5($password)) { header("Location: profile.php"); $_SESSION['email']==$email; }

By: Gaya Rambut

Upvotes: 0

Steve H

Reputation: 561

In addition, unless you have solid validation on your sign-up page to not allow multiple emails into your db, your query should be:

mysql_query("SELECT * FROM users WHERE email = '$email' LIMIT 1");

This will make sure only one record is retrieved (which in theory should always be the case) - but if more than one did manage to get retrieved, it would break your code.

Lastly, ($email == $email ...: hmm, not sure you got this right, as this will always be true; you're essentially just checking that it equals itself (which it always will). I think you got confused because you have actually overwritten the $email variable that you got from $_POST with your data from the db. So you should amend your code to:

while ($row = mysql_fetch_assoc($query))
{
   $db_email = $row['email'];
   $md5password = $row['password'];
}

if ( $email == $db_email && $md5password == md5($password) )
{
   // assign variables / do things BEFORE redirecting as there is a risk that
   // your session data may not get written in some circumstances
   $_SESSION['email'] = $email;
   header("Location: profile.php");
   // always good habit to make sure nothing else is done after the redirection
   die();
}

EDIT:

One more tip:

This:

$email = $_POST['email-field'];
$password = $_POST['password-field'];

if ($email && $password)
{

Would be better as:

session_start();
if ( isset($_POST['email-field']) && isset($_POST['password-field']) )
{
    $email = $_POST['email-field'];
    $password = $_POST['password-field'];
    // add some validation to your $email and $password variables

The above will help avoid notices if your $_POST variables are not actually set, as in your original code you were using the $_POST variables as if they had been set (which they may not have been). Again, just good practice.

Upvotes: 0

bfavaretto

Reputation: 71939

You are not writing to the session after a successful login. Consider this part:

if ($email==$email&&$md5password==md5($password))
    {
        header("Location: profile.php");
        $_SESSION['email']==$email;
    }

You should be using = instead of ==. Since you are not, you are not assigning $email to $_SESSION['email']. You're not assigning anything, just doing a comparison (and discarding its return value). So it should be:

$_SESSION['email'] = $email;

Also, you should add session_start(); to the top of login.php, as minitech suggested in his answer.

Upvotes: 1

Ry-

Reputation: 225054

You forgot to start a session. On each page you want to use sessions, you must call:

session_start();

Also make sure you do this before outputting any content, or it won't work.

Upvotes: 2
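
The fixes from the answers above combined into one login.php, as an added example that is not code from the question or from any answer. It goes beyond them by using a PDO prepared statement and password_verify() in place of mysql_* and md5(); the DSN, the credentials and the assumption that users.password holds password_hash() output are placeholders.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: PDO with placeholder DSN/credentials (DB_HOST, DB_NAME, DB_USER,
// DB_PASS) and a users.password column that stores password_hash() output.

session_start();                        // before any output, on every page using $_SESSION

function fail(int $status, string $message): void
{
    http_response_code($status);
    exit($message);
}

$email    = $_POST['email-field'] ?? null;
$password = $_POST['password-field'] ?? null;

// Reject missing, empty or non-string (array) form values.
if (!is_string($email) || !is_string($password) || $email === '' || $password === '') {
    fail(400, 'Please enter an email and a password');
}

$db = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// Bound parameter: the submitted email never becomes part of the SQL text.
$stmt = $db->prepare('SELECT email, password FROM users WHERE email = ? LIMIT 1');
$stmt->execute([$email]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// One message for "no such user" and "wrong password".
if ($row === false || !password_verify($password, $row['password'])) {
    fail(401, 'Incorrect email or password');
}

session_regenerate_id(true);            // new session ID once the user is authenticated
$_SESSION['email'] = $row['email'];     // assignment (=), written before the redirect
header('Location: profile.php');
exit;                                   // nothing else runs after the redirect
```

profile.php needs its session_start() call moved above the DOCTYPE line for the same reason: the session has to start before any output.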
