I have a PHP page that should only be accessed by admin. I am using a PHP $_SESSION to validate the user. I have this code segment at the top of my page, which should only be accessed by the admin:

if (!isset($_SESSION["uname"])) {
    header("Location:../error.html");
    exit;
}

if ($_SESSION["uname"] != "admin") {
    header("Location:../error.html");
    exit;
}

The uname variable is getting passed to the page correctly, I am sure about that. But my validation process does not work as I expected; any user can access the page. Is there anything wrong I have done here?

  • Where is the validation? You are redirecting to the same page in any case. And do you have session_start() at the top? Commented Jul 8, 2014 at 3:53
  • With phpinfo(); you can check all variables which are set by PHP, so you can check whether your variable names are right. Commented Jul 8, 2014 at 4:04
  • Biggest question is: are you outputting anything before calling the header() function? Redirects won't work if you output even as little as an empty line first. I suggest adding ini_set('display_errors', 1); just above these checks. Commented Jul 8, 2014 at 4:07
  • Do not know how it is working now. But it is working now. I did not do any change. Thank you everyone. Commented Jul 8, 2014 at 6:54

4 Answers

Did you output anything before doing these checks? Even a single empty line is enough to prevent redirecting the page using

header()

As others stated I'd make sure you do

session_start();

But I have to assume you have the correct session values as you put

"The uname variable is getting passed to the page correctly, I am sure about that. But my validation process does not work as I expected; any user can access the page. Is there anything wrong I have done here?"

So that leads me to the header error. One way to tell is adding

ini_set('display_errors', 1);

above your validation checks; this should show any errors like "unable to send headers, output already sent" etc.

6 Comments

I have called session_start() and there is nothing (no new line or space) before the check. I can assure you that the uname variable is getting passed to this page correctly. Here is my address bar with different usernames
Unwanted output can be really hard to find; it can be as simple as a line return before your opening <?php tag. As I suggested, turn on error reporting.
Do not know how it is working now. But it is working now. I did not do any change. Thank you everyone.
I suggest clearing your browser cookies (ctrl+shift+del) and starting fresh with a new session to make sure.
I think that was the solution.
Did you call the session_start() function at the beginning?

It will not work unless you call session_start() before using any SESSION data.

http://www.php.net/manual/en/function.session-start.php

1 Comment

Do not know how it is working now. But it is working now. I did not do any change. Thank you.

You probably forgot to call session_start() at the very beginning of the restricted page as well as the page where $_SESSION['uname'] is being set. Also make sure that $_SESSION['uname'] does not contain the value 'admin' for other logged-in users.

Note: You can debug values of super globals like $_SESSION using the print_r() or var_dump() functions.

6 Comments

If session_start wasn't called when creating the variable, then that first if statement would catch it. It seems only logical that the variable must be set as admin so it passes through both if statements.
In that case I think the answer of @artisiticphoenix is a close candidate for the solution. Having something (even a new line or space) before the starting <?php tag is a common cause for not letting the header function work as expected.
I still disagree. The exit command would not let any user access the page; it would probably present a white screen, hopefully with some errors.
Hmm. I missed the "any user can access the page" part of the OP's question. In that case the only reason left open to allow anyone to access the page content: $_SESSION['uname'] is being set with the value 'admin' no matter what the actual user name is.
"any user can access the page" doesn't mean the page displays properly, we can assume that, but turning on error reporting is a good first step.

See the example given below:

Start your session in your index or the desired page

session_start();

Create this function to validate and redirect automatically

// Returns true when the session user name matches $value; otherwise either
// redirects to the error page (default) or returns false for the caller to handle.
function isValidate($value, $autoRedirect = true){
  if(empty($_SESSION['uname']) || $_SESSION['uname'] != $value){
    if($autoRedirect){
      header("Location:../error.html");
      exit;
    } else {
      return false;
    }
  } else {
    return true;
  }
}

Now simply call this method to validate the session by name. For example:

isValidate("admin");
isValidate("user");

2 Comments

Do not know how it is working now. But it is working now. I did not do any change. Thank you everyone.
No worries. You can ask more. I can explain. You are always welcome.
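A hardened version of the guard from the question and of the isValidate() helper in this answer, added here as an example (not code from the asker or any answerer). It assumes the login code stores a server-side role in $_SESSION['role'] (an assumed key, set from the user store rather than from the request) and reuses the ../error.html path from the question; the headers_sent() call turns the "output before header()" failure discussed in the other answers into a logged diagnostic instead of a silent pass-through.

```php
<?php
declare(strict_types=1);

// Guard for an admin-only page: call before any output.
// Assumed key: $_SESSION['role'], written only by establishSession() below.
function requireRole(string $role, string $errorPage = '../error.html'): void
{
    // The check is meaningless unless the session is active on this page.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Strict comparison: a missing key, null or "0" must never pass as admin.
    $granted = isset($_SESSION['role']) && $_SESSION['role'] === $role;
    if ($granted) {
        return;
    }

    // If anything (even a blank line before the opening PHP tag) was already
    // sent, header() cannot redirect; log where the output started instead.
    if (headers_sent($file, $line)) {
        error_log("requireRole: headers already sent at $file:$line");
    } else {
        header('Location: ' . $errorPage);
    }
    // Always stop here: without exit the rest of the page still renders.
    exit;
}

// Called once at login, after credentials were verified server-side.
// $account is an assumed row from your user store, e.g.
// ['uname' => 'alice', 'role' => 'admin']; the role never comes from input.
function establishSession(array $account): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);            // fresh id after privilege change
    $_SESSION['uname'] = $account['uname'];
    $_SESSION['role']  = $account['role'];  // 'admin' or 'user'
}

// At the very top of the admin-only page, before any HTML:
// require 'guard.php';   // assumed file name for the code above
// requireRole('admin');
```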
