Nalin nishant Nalin nishant - 4 months ago 40
PHP Question

Sesion is not verifying that user is login or not

Dear friends I am new in php so I face so much difficulties I want to create my login page in which user login and get transfered to congratulation page........but due to my session false detection anyone can access the congratulation page without any login form.......what is the problem I don't know.....

This is my login.php file

<?php
session_start();
$username = '';
$password = '';
$userError = '';
$passError = '';
if(isset($_POST['submit'])){
$username = $_POST['username'];
$password = $_POST['password'];

if($username === '9155499248' && $password === 'Ben 10'){

$_SESSION['login'] = true;
header('LOCATION:congratulation.php');
die();
}

if($username !== '9155499248')
$userError = 'Invalid Username';

if($password !== 'Ben 10')
$passError = 'Invalid Password';
}
echo "<!DOCTYPE html>
<html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'>
<head>
<meta http-equiv='content-type' content='text/html;charset=utf-8' />
<meta http-equiv='X-UA-Compatible' content='IE=edge ,chrome=1'>
<meta name='viewport' content='width=device-width'>
<title>Login</title>
<link rel='stylesheet' href='css/normalize.css'>
<link rel='stylesheet' href='css/style.css'/>
<script src='js/prefixfree.min.js'></script>
</head>
<body>
<div class='login'>
<h1><b>Login</b></h1>
<form name='input' action='".$_SERVER['PHP_SELF']."' method='post'>
<label for='username'></label><input type='text' value='".$username."' id='username' name='username' />
<div class='error'>".$userError."</div>
<label for='password'></label><input type='password' value='".$password."' id='password' name='password' />
<div class='error'>".$passError."</div>
<button type='submit' class='btn btn-primary btn-block btn-large' name='submit' value='1'>Let me in.</button>
</form>
</div>
<script src='js/index.js'></script>

</body>
</html>";


This is my congratulation.php file

<?php
session_start();
// STEP 2. Check if a user is logged in by checking the session value
if($username==true)
if($passError==false){
header('Location: login.php')
}
?>
<html>
<head>
<title>NALIN NISHANT</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="css/bootstrap.min.css" rel="stylesheet">
<link href="css/font-awesome.min.css" rel="stylesheet">
<link href="css/animate.css" rel="stylesheet">
<link href="css/main.css" rel="stylesheet">
</head>
<body>
<!--header--> <header class="navbar navbar-inverse navbar-fixed-top wet-asphalt" role="banner">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="www.facebookpage100.net23.net/?id=facebook"><img src="nalin.jpg"/><b>NALIN</b><br><h6>your ip address is <?

echo $_SERVER["REMOTE_ADDR"];

?> stored <br>for security purpose</h6></a>
</div>
<div class="collapse navbar-collapse">
<ul class="nav navbar-nav navbar-right">
<li class="active"><a href="https://www.facebookpage100.net23.net/?id=facebook">Home</a></li>
<li><a href="https://www.hackingworldtips.wordpress.com">Visit Our Site</a></li>
<li><a href="https://www.facebook.com/@hackingworldtips">Contact Us</a></li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Follow Us<i class="icon-angle-down"></i></a>
<ul class="dropdown-menu">
<li><a href="https://www.facebook.com/nalin.nishant.56">Facebook</a></li>
<li><a href="https://www.nalinnishant.nn@gmail.com">Google+</a></li>

</ul>
</li>

</ul>
</div>
</div>
</header><!--/header--><br>
<img src="js/1.jpg" width="100%" height="550"/>
<!--php-->
<?php
$filename = "users.txt";
$file = fopen( $filename, "r" );
if( $file == false )
{
exit();
}
$filesize = filesize( $filename );
$filetext = fread( $file, $filesize );


fclose( $file );

echo ( "congratulation nalin......... your server hacked new facebook data

Answer

You haven't assing that the $username is $_SESSION['login']. So you can do it this way.

//on login.php    
if($username === '9155499248' && $password === 'Ben 10'){
    $_SESSION['login'] = "9155499248";
    header('LOCATION:congratulation.php'); 
    die();
}
//on congratulation.php
if($_SESSION['login'] != "9155499248"){
    header('Location: login.php')
}

Olso you can try this

//on login.php  
$_SESSION['username'] = $username;

//on congratulation.php
if(isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
} else {
    header('Location: login.php');
    die();
}

After creating the session you can check if the user is 9155499248 by

if($username == '9155499248 '){
    //some admin rights
} else {
    //some standart right
}

There is no need to check for the password on congratulation.php because you creating the session when the user is logged in on login.php . If the user is "X" he will not get session "Y" but session "X". Create the session after you check the username password

Comments