
jsm4182

On my site I have a login system and a few pages you need to be logged in to see. When you log in, your name and user ID are put in a cookie. The script to redirect people who are not logged in looks like this:
PHP:
<?php
if (!isset($_SESSION['first_name'])) {

	// Start defining the URL.
	$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
	// Check for a trailing slash.
	if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
		$url = substr ($url, 0, -1); // Chop off the slash.
	}
	// Add the page.
	$url .= '/login.php';
	
	ob_end_clean(); // Delete the buffer.
	header("Location: $url");
	exit(); // Quit the script.
	
} 
?>
Now I'm trying to set up a page that only one person with a specific user ID (7) can use. The script I thought would work looks like this:
PHP:
<?php
if ($_SESSION['user_id']!=7) {

	// Start defining the URL.
	$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
	// Check for a trailing slash.
	if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
		$url = substr ($url, 0, -1); // Chop off the slash.
	}
	// Add the page.
	$url .= '/index.php';
	
	ob_end_clean(); // Delete the buffer.
	header("Location: $url");
	exit(); // Quit the script.
	
}
?>
The problem is anyone that is logged in can see the page and isn't redirected. Any ideas on what I did wrong?
 
I think it is a bad idea to use cookies to authenticate your users, because cookies can be edited by anyone using a text editor. You can also use relative or absolute paths in the Location. For example ('Location: login.php'); or ('Location: ../login.php'); or ('Location: /login/login.php');.

What about something simpler, like this:

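<?php
session_start(); // $_SESSION is only populated once the session is started.

// Not logged in: redirect and stop, so the rest of the page is never sent.
if (empty($_SESSION['userID'])) {
	header('Location: login.php');
	exit();
}
?>

<?php
session_start(); // Needed on every page that reads $_SESSION.

// Not user 7: redirect and stop.
if ($_SESSION['userID'] != 7) {
	header('Location: login.php');
	exit();
}
?>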
 
Maybe you've tried the following, but it won't hurt to try again:
- Did you start the session?
- Did you make sure that the contents of $_SESSION includes user_id?
- Did your script ever execute the if() block? Try printing something there.

Also, as pointed out, it's a bad idea to store sensitive information in a cookie. But then again, just a cookie won't hurt too much if you're comparing it against the session value later.
 
re: cookie auth:
Storing stuff in cookies is bad, but stuff in $_SESSION isn't sent to the client, it's stored in the server's /tmp directory (usually). The cookie sent with the session start is the session ID, which is a long random string.


I would write a function to handle authentication, so you can make it more complicated as you need it, and spit out a login form as appropriate.

PHP:
<?php
require_once('functions.inc.php'); //where the authenticate() function is

session_start();

include('header.inc.php');

$auth = authenticate(); //returns true on verified user

if ($auth) {
  if (7 == $_SESSION['userID']) {
    //special page!
  } else {
    //regular page!
  }
} else {
   //no prize for you page!
}

include('footer.inc.php');
?>
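
An added example, not part of any post in this thread: one way to fold the checks discussed above (session started, user logged in, specific user ID, redirect followed by exit) into a single gate. It assumes PHP 7.1 or later and the session keys from the original post; the function names `access_decision()` and `require_user()` are hypothetical.

```php
<?php
// Added example, not code from the thread. Session keys follow the original
// post ('first_name', 'user_id'); the function names are hypothetical.

// Returns 'allow', 'login' (not logged in) or 'index' (logged in, wrong user).
function access_decision(array $session, ?int $requiredId = null): string
{
    if (!isset($session['first_name'], $session['user_id'])) {
        return 'login';
    }
    // Stored values are often strings (e.g. from a database row): cast, then
    // compare strictly rather than relying on != type juggling.
    if ($requiredId !== null && (int) $session['user_id'] !== $requiredId) {
        return 'index';
    }
    return 'allow';
}

// Gate a page. Call at the very top, before any output is sent.
function require_user(?int $requiredId = null): void
{
    // $_SESSION is only loaded from the stored session after session_start().
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $decision = access_decision($_SESSION, $requiredId);
    if ($decision === 'allow') {
        return;
    }
    // Fixed relative targets: nothing from the request (such as the Host
    // header) ends up in the Location value. Assumes login.php and index.php
    // sit in the same directory as the protected page, as in the original post.
    header('Location: ' . ($decision === 'login' ? 'login.php' : 'index.php'));
    exit(); // Without this the protected page is still rendered and sent.
}

// Constructed session arrays, printed only when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        'no session data' => [],
        'user 3'          => ['first_name' => 'Ann', 'user_id' => '3'],
        'user 7'          => ['first_name' => 'Bob', 'user_id' => '7'],
    ];
    foreach ($cases as $label => $session) {
        echo $label, ' -> ', access_decision($session, 7), PHP_EOL;
    }
}
```

On a protected page, `require_user();` admits any logged-in user and `require_user(7);` admits only user 7.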
 