
As part of this php login and redirect software I have a piece of code I need to add to the beginning of every page to be secured. It lets a user on perfectly if they have valid user login information, but if they go to another 'secured' page and attempt to revisit the original page (or just copy and paste its address in a new tab to visit) it goes to a denied access screen.

Does this error occur because there's something wrong with the session cache headers or is it some deeper problem?

It currently looks like this:

    <?php
    session_start();
    session_cache_limiter();
    header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
    header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
    header("Cache-Control: post-check=0, pre-check=0",false);

    require('config.php');

    require('functions.php');

    //this is group name or username of the group or person that you wish to allow access to
    // - please be advised that the Administrators Groups has access to all pages.
    if (allow_access(Users) != "yes")
    {
        include ('/home/folder/public_html/members/no_access.php');
        exit;
    }
    ?>

I've tried changing the headers from other people's questions etc. but it doesn't change the problem. I've also looked at any relevant links and made sure they are not broken etc.

The allow access function seems to be this:

    function allow_access($group)
    {
        if ($_SESSION[group1] == "$group" || $_SESSION[group2] == "$group" || $_SESSION[group3] == "$group" ||
            $_SESSION[group1] == "Administrators" || $_SESSION[group2] == "Administrators" || $_SESSION[group3] == "Administrators" ||
            $_SESSION[user_name] == "$group")
        {
            $allowed = "yes";
        }else{
            $allowed = "no";
        }
        return $allowed;
    }
user1470324

1 Answer

You don't need:

    session_cache_limiter();
    header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
    header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
    header("Cache-Control: post-check=0, pre-check=0",false);

And it might be the stuff that's actually causing the problems.

You can improve this answer by telling us what allow_access is. And of course use booleans instead of textual yes or no.

Also, what is Users? It is not a constant from what I see, it is not an object from what I see, and it is not a variable... So what is that?

Sammaye
  • Yes I know I still need to learn a lot about PHP, I am a beginner still. I did not write this header code, it is from a software that I'm using, that recommends it's added to any page that needs to be secure. I will paste the allow access function in my question. – user1470324 Aug 24 '12 at 13:20
  • @user1470324 May I ask what software this is? – Sammaye Aug 24 '12 at 13:24
  • Its name is actually 'php login and redirect' - www.mpdolan.com/downloads.php – user1470324 Aug 24 '12 at 13:27
  • @user1470324 Ok, looking at the new function it is very bad, it is using methods which are not supported and if you turned on the PHP error handling to what it should be you would get a whole chunk of errors. This software is not very good at all, not even in PHP4's days (PHP is on v5.4 now). Try following a tutorial like this: http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/ it's still old but good. – Sammaye Aug 24 '12 at 13:29
  • Ah, that's bad news. I liked it as it is easy to add new users, customize it heavily and have integrated it into a site and it did until now work well to do what it's supposed to do. As it has a simple interface to let a non-tech client edit it without getting confused. So I guess there isn't any way I can just edit something to fix this login problem? Doing the entire system again is not something I'm mad about, as it was difficult at times. I struggled to find any alternative (that you just have to install more or less). – user1470324 Aug 24 '12 at 13:34
  • @user1470324 Without running the code personally and knowing your server setup it is very hard for me to really answer this and give you a definite method by which to solve this problem, especially if the code has not changed since it was working last. Maybe you should hire a web dev? Many on here would do freelance work for you. – Sammaye Aug 24 '12 at 13:39
  • I see, I understand, thanks for the link though, I will look at it and maybe use it. Recently was the first time I added a new page, and that's when I discovered the issue, so it could have been there from the beginning. I will think about the web dev idea too, but I'm not too keen on the idea as I'm getting paid, though it's more to help out a friend, but I don't want to come across as incompetent haha. – user1470324 Aug 24 '12 at 13:45
  • @user1470324 Well try removing what I said to remove cos that actually sets the headers at expire now which could be conflicting with the session's own headers. – Sammaye Aug 24 '12 at 13:50
  • If I keep the beginning PHP and remove exactly what you pasted then it now goes straight to the access denied screen. The login form itself's action value is this file, which does have the same headers, so I'm not sure if they should be removed too, you can see it here: http://pastebin.com/wmnaLcvv I saw your other question now, Users is the default user group, as you can make different groups, the user I'm testing with also belongs to that group. – user1470324 Aug 24 '12 at 14:01
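For readers comparing the two snippets above, here is an added example (not the 'php login and redirect' software's code and not from either poster) of the same page guard written the way the answer recommends: no hand-written cache headers, quoted session keys, the page's group passed as a string rather than the bare word Users, and a boolean return. It assumes the login script still stores the user's groups in $_SESSION['group1'] to $_SESSION['group3'] and the username in $_SESSION['user_name'], as the posted allow_access function reads them; the no_access.php path is a placeholder.

```php
<?php
// Added example: a page guard for the layout the question's login script
// uses. Assumed session keys: group1..group3 and user_name.
declare(strict_types=1);

// Starting the session with PHP's default 'nocache' limiter already emits
// Expires, Cache-Control and Pragma headers, so the Expires/Last-Modified/
// Cache-Control lines from the original snippet are dropped rather than
// layered on top of them.
session_start();

/**
 * True when the current session may view a page restricted to $group.
 * Administrators may view every page; a page may also be restricted to a
 * single username by passing that username as $group.
 */
function allow_access(string $group): bool
{
    // Collect the up-to-three group slots the login script fills in,
    // skipping unset or empty ones (quoted keys avoid the undefined-
    // constant notices that bare group1/group2/group3 produce).
    $groups = [];
    foreach (['group1', 'group2', 'group3'] as $key) {
        if (isset($_SESSION[$key]) && $_SESSION[$key] !== '') {
            $groups[] = (string) $_SESSION[$key];
        }
    }
    $user = isset($_SESSION['user_name']) ? (string) $_SESSION['user_name'] : null;

    // Strict comparisons: "0" or an empty value must never match a group.
    return in_array('Administrators', $groups, true)
        || in_array($group, $groups, true)
        || ($user !== null && $user === $group);
}

// 'Users' is a string literal here; the original passed the bare word
// Users, which PHP treats as an undefined constant.
if (!allow_access('Users')) {
    http_response_code(403);
    // Placeholder path: point this at the real no_access.php of the site.
    require __DIR__ . '/no_access.php';
    exit;
}
```

Turning on error reporting while testing (error_reporting(E_ALL) and display_errors=On in a development php.ini) shows the notices the answer refers to when the original bare constants are used.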