Trying to understand the Post / Redirect / Get pattern (implemented using PHP)

All,

Sorry in advance - I'm not a PHP expert and I'm not knowledgeable about design patterns, so this question may be a bit basic ...

In any case, I am working on a web application that requires a login.

My plan is to have something like this:

index.php: this page will contain a simple form that allows users to enter a username and password. The form will POST its inputs to ...

login.php: this page will receive the data from index.php and validate the credentials against the database. If any input is missing or the credential check fails, the PHP script REDIRECTS the user back to index.php using:

    header('Location: http://www.mydomain.com/index.php');
    exit; // stop the script so nothing else is sent after the redirect

If the credentials are valid, then login.php creates a session to establish an authenticated user:

    session_start();
    $_SESSION['authenticated'] = true;

Then it determines the type of access the user has. If they have “level 1” access, the script redirects the user to level1.php using:

    header('Location: http://www.mydomain.com/level1.php');
    exit;

If the user has “level 2” access, the script will redirect the user to level2.php using:

    header('Location: http://www.mydomain.com/level2.php');
    exit;

Finally, when level1.php or level2.php is reached, the first thing it does is check the session. If the user is not authenticated, it redirects them back to index.php:

    session_start();
    if (!isset($_SESSION['authenticated'])) {
        header('Location: http://www.mydomain.com/index.php');
        exit; // without this the protected content below would still be sent
    } else {
        // proceed to display the page
    }

The presence of this check in level1.php and level2.php prevents users from accessing these pages directly without logging in.

My first problem is this: this simple logic FAILS the first time - when level1.php is reached, isset($_SESSION['authenticated']) ALWAYS returns false, so the user is always redirected back to index.php. If they enter the same credentials a second time, the process works as it should.

In short, for reasons I don’t understand, it seems that the session set by login.php is not found by level1.php - I guess because of the redirect. In other words, the check in level1.php seems to fail until/unless a round trip is made to the client browser.

Since every site requiring a login has already solved this problem, this should not be a new challenge, and there should be a well-established way of doing it. How should I handle this?

A related question ... I saw similar questions asked here earlier, and most of the answers involve a solution in which the pages POST back to themselves. This seems a bit odd - ideally, I would like each PHP page to do one job:

  • index.php - displays a form to capture credentials and then POSTs them to login.php
  • login.php - evaluates the user's credentials and then directs them to the corresponding page
  • level1.php and level2.php - display the corresponding content

Is this a flawed setup? If so, what is the best setup?

And in any case - if one page establishes a session and then redirects the user to another page - is there a way for the second page to read the session?

There is a great Wikipedia page about Post / Redirect / Get:

http://en.wikipedia.org/wiki/Post/Redirect/Get

But this is a little too conceptual for me - I would like it explained in terms of specific pages:

eg. the form on page "A" POSTs to page "B", "page B" redirects the user to "page C", etc.

And I don’t understand how this is implemented with sessions if the session is not recognized after a redirect.

Thanks a lot in advance for any tips and ideas.


[UPDATE]

Thanks to Matt Ball's comment, I narrowed down the problem:

login.php set up the session and redirected the user to the next screen:

    session_start();
    $_SESSION['authenticated'] = true;
    header('Location: http://www.mydomain.com/level1.php');
    exit;

However, when level1.php checked the session, “authenticated” was NOT SET:

    session_start();
    var_dump(isset($_SESSION['authenticated'])); // returns false

However, if I change login.php so that the Location header redirects to a RELATIVE URL instead of an absolute one:

    session_start();
    $_SESSION['authenticated'] = true;
    header('Location: level1.php');
    exit;

Then level1.php works as I expect:

    session_start();
    var_dump(isset($_SESSION['authenticated'])); // now returns true

I don’t understand why the relative URL matters, but it does. So at least my immediate problem is resolved.

Many thanks to everyone who commented!


Cheers, Matt Stewler

+4
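The flow described in the question (index.php form, login.php validating credentials and starting the session, level1.php/level2.php guarding themselves), written out as an added example; this is not the poster's code or any answer's code. It assumes a shared include named auth.php, a constructed in-memory user table whose hashes are computed at load time (a real application would load the stored hash for the submitted username from its database), and PHP 7.3 or later. It redirects with a 303 See Other status, as Post/Redirect/Get requires, calls exit immediately after every header('Location: ...'), starts the session before any output, and regenerates the session id once the user is authenticated.

```php
<?php
// ---- auth.php (added example; included by login.php and level1.php) ----
declare(strict_types=1);

// Start the session before any output. Cookie flags keep the session id away
// from scripts and off plain HTTP; 'secure' is derived here for the example
// only and should be hard-coded to true once the site is HTTPS-only.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => isset($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Redirect with 303 See Other and stop. The status code is the THIRD argument
// of header(); the second is the $replace flag. Without exit, the rest of the
// script would still run and its output would follow the Location header.
function redirect_see_other(string $path): void
{
    header('Location: ' . $path, true, 303);
    exit;
}

// Constructed demo user store (hashes computed at load time for this example).
function demo_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('correct horse battery', PASSWORD_DEFAULT), 'level' => 1],
            'bob'   => ['hash' => password_hash('staple',                PASSWORD_DEFAULT), 'level' => 2],
        ];
    }
    return $users;
}

// Returns the user's access level on success, or null when the username is
// unknown or the password is wrong. A dummy hash is verified for unknown
// usernames so that response time does not reveal which usernames exist.
function authenticate(string $username, string $password): ?int
{
    $users  = demo_users();
    $record = $users[$username] ?? ['hash' => password_hash('dummy', PASSWORD_DEFAULT), 'level' => 0];
    if (!password_verify($password, $record['hash'])) {
        return null;
    }
    return isset($users[$username]) ? $record['level'] : null;
}

// Guard for level1.php / level2.php: unauthenticated users, or users with a
// different access level, are sent back to index.php.
function require_level(int $level): void
{
    start_secure_session();
    if (empty($_SESSION['authenticated']) || ($_SESSION['level'] ?? 0) !== $level) {
        redirect_see_other('index.php');
    }
}

// ---- index.php: the form that POSTs to login.php ----
?>
<form method="post" action="login.php">
  <input name="username"> <input name="password" type="password"> <button>Log in</button>
</form>
<?php

// ---- login.php: receives the POST, validates, starts the session, redirects ----
require __DIR__ . '/auth.php';
start_secure_session();                      // first thing, before any output

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$level    = ($username !== '' && $password !== '') ? authenticate($username, $password) : null;

if ($level === null) {
    redirect_see_other('index.php');         // missing or bad credentials
}

session_regenerate_id(true);                 // fresh session id after login (prevents session fixation)
$_SESSION['authenticated'] = true;
$_SESSION['level']         = $level;
redirect_see_other($level === 1 ? 'level1.php' : 'level2.php');

// ---- level1.php: checks the session before showing anything ----
require __DIR__ . '/auth.php';
require_level(1);
echo 'Level 1 content';
```

Each section above is its own file in practice; they are shown together only so the whole exchange (form A POSTs to B, B redirects to C, C reads the session) can be read in one place. Relative Location paths are used throughout so the browser stays on the host that received the session cookie.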
2 answers

Post/Redirect/Get comes into play to stop users from re-submitting their POST data if they refresh the page they were redirected to after the form was submitted. When you want to implement PRG, you must set the HTTP status code to 303, as follows:

    header('Location: level1.php', true, 303); // status code is the third argument; the second is $replace
+1

If the credentials are valid, then login.php creates a session to establish an authenticated user:

I'm also shooting in the dark, but I get the impression that you may be outputting something before starting the session in login.php. Put session_start() as the first statement in each file.

0
