connor.p

Reputation: 866

Session information being lost

I'm running a login script and, according to who logs in, I redirect to one of two pages.

If I direct to a page that is in a directory below the main directory, all works fine. However, if I direct to a page that is above the directory in which the index.php file sits, the session information seems to be lost and the user is asked to log in again.

I know that I could simply place the second page in a directory below the main directory, but I would like to understand if it is possible to maintain the session information when directing to a page above the main directory.

The user goes to a page called login.html. When they have input their information, they are sent to login.php; it is here that the redirect occurs:

if ($username==$dbusername&&$password==$dbpassoword)
{
    if($admin == "1"){
        header('location: http://www.edit.domain_name.co.uk/');
        $_SESSION['username']=$username;
        $_SESSION['id']=$id;

    }else{
        header('location: /member');
        $_SESSION['username']=$username;
        $_SESSION['id']=$id;
    }
}

I have put session_start (); at the beginning of every page where the user would need to log in to access. Any input would be greatly received.

The full code for the login script is:

<?php
session_start () ;

$username = $_POST['username'] ;
$password = $_POST['password'] ;

################# ADMIN OR NOT   ###################################################

include_once "mysql/global.php";
$result = mysql_query("SELECT admin FROM users WHERE username = '$username'");
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}


$row = mysql_fetch_row($result);

$admin = $row[0];


################# ###############################################################

if ($username&&$password)
{

include "mysql/global.php";

$query = mysql_query("SELECT * FROM users WHERE username='$username'") ;

$numrows = mysql_num_rows($query) ;

if ($numrows!=0)
{

  while ($row = mysql_fetch_assoc($query) )
  {
      $dbusername = $row['username'] ;
      $dbpassoword = $row["password"] ;

  }

  // check to see if they match!
  if ($username==$dbusername&&$password==$dbpassoword)
  {
      if($admin == "1"){
          session_start();
          header('location: http://www.edit.domin_name.co.uk/admin');
          $_SESSION['username']=$username;
          $_SESSION['id']=$id;

      }else{
      session_start();
      header('location: /member');
      $_SESSION['username']=$username;
      $_SESSION['id']=$id;


      }
  }
  else 
      echo "<center>incorrect password!</center>" ;

}
else
    die ("<center>That user does not exist!</center>") ;


}
else
    echo ("<center>Please enter a username and password</center><br/>") ;
    die ("<a href=\"index.php\"><center><b>Click here to try again</b></center></font>");


    ?>

Upvotes: 1

Views: 322

Answers (2)

Anonymous

Reputation: 553

In order to load sessions, you must place session_start() at the top of each page.

Also, you need to call session_start() before setting them and before redirecting:

if ($username == $dbusername && $password == $dbpassoword) {
    if($admin == "1"){
        session_start();
        $_SESSION['username']=$username;
        $_SESSION['id']=$id;
        header('Location: http://www.edit.domain_name.co.uk/');
    } 
    else {
        session_start();
        $_SESSION['username']=$username;
        $_SESSION['id']=$id;
        header('Location: /member');
    }
}

Upvotes: 2

TRiG

Reputation: 10643

header('location: /member');

For a start, this is invalid. The Location header should be followed by a full, not a relative, URL.

Secondly, if /member is a directory, and you access www.example.com/member, Apache is quite likely to redirect you to example.com/member/, adding the forward slash and dropping the www.. The move to a different domain name is likely to result in the loss of session data.

Upvotes: 0
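The two answers combined, as an added example that is not code from the question or from either answer: the session is written before the redirect, the redirect uses absolute URLs, and the session cookie is scoped to the parent domain so the edit. and www. hosts both receive it. It assumes PHP 7.3 or later, HTTPS on both hosts, one shared session store, a placeholder domain, and a `password_hash` column checked with `password_verify()` in place of the plain-text comparison in the question.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. PARENT_DOMAIN is a placeholder, and both
// hosts are assumed to be HTTPS and to share one PHP session store.
const PARENT_DOMAIN = 'example.co.uk';

function start_shared_session(): void
{
    // Without 'domain' PHP issues a host-only cookie: one set by www.example.co.uk
    // is never sent to edit.example.co.uk, so the session looks "lost" there.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => PARENT_DOMAIN, // widens scope to every subdomain; keep them all trusted
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Returns the absolute redirect target, or null when the credentials are wrong.
function login_redirect(array $user, string $password): ?string
{
    if (!password_verify($password, $user['password_hash'])) {
        return null;
    }
    session_regenerate_id(true); // new session ID at the privilege change
    $_SESSION['username'] = $user['username'];
    $_SESSION['id']       = $user['id'];
    // Absolute URLs with the trailing slash, so no second redirect changes the host.
    return $user['admin']
        ? 'https://edit.' . PARENT_DOMAIN . '/'
        : 'https://www.' . PARENT_DOMAIN . '/member/';
}

// Constructed sample row standing in for the users table lookup.
$user = [
    'id' => 7, 'username' => 'alice', 'admin' => true,
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
];

start_shared_session();
$target = login_redirect($user, $_POST['password'] ?? '');
if ($target === null) {
    http_response_code(401);
    exit('Incorrect username or password');
}
header('Location: ' . $target);
exit;
```

The admin and member pages need to call the same `start_shared_session()` before reading `$_SESSION`, otherwise they look for a cookie with different parameters.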
