0

If I want to protect my files (pages), I use this code:

<?php
    if (isset($_SESSION['user']['name']) && $_SESSION['user']['ip'] == $_SERVER['REMOTE_ADDR']) {
        echo '';
    } else {
        header("Location: index.php");
        exit(); // stop the script so the rest of the page is not sent after the redirect
    }
?>

I put this code at the top of each page. So, if you're not logged in, you will return to the login form. The problem is, I cannot really work with sessions and I would not know if I would make it into what it should be. Class.users a If anyone could help me I would be very happy. The problem with logging in is that it probably does not use the sessions ... Here are my sessions:

<?php


if($_SERVER['REQUEST_METHOD']== 'POST') 
{
    //echo 'Request started';
    $username = $_POST['username']; 
    $password = $_POST['password'];


    $sth = $db->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
    $sth->bindParam(':username', $username);
    $sth->bindParam(':password', $password);
    $sth->execute();
    $total = $sth->rowCount();

    if($total == 1)
    {
        //echo 'Row found';
        $row = $sth->fetch();

        if($row['activated'] == 1)
        {
            //echo 'User is activated';
            $_SESSION['user']['name'] = $username;
            $_SESSION['user']['loggedin'] = true;
            $_SESSION['user']['id'] = $row['id'];
            $_SESSION['user']['timestamp'] = time();
            $_SESSION['user']['ip'] = $_SERVER['REMOTE_ADDR'];
            $_SESSION['user']['time'] = date('d/m/Y - H-i-s'); // 'i' is minutes; 'm' would repeat the month
            header ("Location: ./home.php");  
            exit();
        }
        else
        {
            echo '<div id="login-form-alert"><div class="alert alert-warning"><h5>Uw account is niet actief. Contacteer aub de beheerder op het mail adres <a href="mailto:info@rallypodium.be">info@rallypodium.be</a><h5></div></div>';
        }
    }
    else
    {
        echo '<div id="login-form-alert"><div class="alert alert-danger"><h5>Uw wachtwoord of gebruikersnaam klopt niet.<h5></div></div>';
    }
}

?>

I've been looking at this for a few weeks ... Whoever can help me is my hero!!

Your Common Sense
Advil

2 Answers

1

You're missing session_start() at the top of your pages.

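<?php
    session_start(); // must run before $_SESSION is read
    if (isset($_SESSION['user']['name']) && $_SESSION['user']['ip'] == $_SERVER['REMOTE_ADDR']) {
        echo '';
    // ... rest of the page check as in the question


<?php
    session_start(); // must run before $_SESSION is written

    if ($_SERVER['REQUEST_METHOD'] == 'POST')
    {
    // ... rest of the login handler as in the question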
John Conde
  • No, that is in the login. Must it also be on the other pages? – Advil Feb 16 '14 at 16:42
  • Every page where you use a session variable must have that function at the top of the page – John Conde Feb 16 '14 at 16:43
  • Yes, I mean that, but when I 'destroy' the session, you can still access the site? So I have made a file called logout.php; in that file I have this code: How can it be that after going to that file you still have access to the web pages? – Advil Feb 16 '14 at 17:07
  • That's not how you effectively destroy a session. See this question for information on how to do that: http://stackoverflow.com/questions/3948230/best-way-to-completely-destroy-a-session-even-if-the-browser-is-not-closed – John Conde Feb 16 '14 at 17:19
0

Put session start at the first line of each page where this session should be used.

    session_start();

    /* @var $_SERVER type */

    // use the identical (===) operator instead

    if ($_SERVER['REQUEST_METHOD'] === 'POST')
    {

And here, don't access the superglobal $_POST array directly; use some filter input function instead (e.g. filter_input(), etc.)

        /* @var $username type */
        $username = $_POST['username'];
        $password = $_POST['password'];

    }
Mubo
  • But when I want to log out, how can I do that? – Advil Feb 16 '14 at 16:47
  • Do you mean when you want to destroy the session? By default, PHP sessions are automatically deleted when users close their browser, because the PHPSESSID cookie's expires field is set to zero. You can read how sessions work on php.net http://www.php.net/manual/en/function.session-start.php or http://webwidetutor.com/php/sessions-and-cookies/ – Mubo Feb 16 '14 at 16:53
  • Yes, I mean that, but when I 'destroy' the session, you can still access the site? – Advil Feb 16 '14 at 17:03
  • When the person logs out, the session should be explicitly destroyed like this: unset($_SESSION['user']); – Mubo Feb 16 '14 at 17:16
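
Added example, not code from the question or from either answer: a page guard and a logout handler that cover the points raised in this thread (session_start() on every page, stopping after the redirect, and fully ending the session on logout). The function names require_login() and logout() are assumptions; the $_SESSION['user'] keys are the ones set by the login code in the question.

```php
<?php
// Added example; require_login() and logout() are hypothetical helper names.

// Call at the very top of every protected page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();              // without this, $_SESSION is never loaded
    }
    $user = $_SESSION['user'] ?? null;
    $ok = is_array($user)
        && !empty($user['loggedin'])
        && ($user['ip'] ?? null) === ($_SERVER['REMOTE_ADDR'] ?? '');
    if (!$ok) {
        header('Location: index.php');
        exit;                         // otherwise the protected page is still rendered
    }
}

// Body of logout.php: clear the data, expire the cookie, delete the stored session.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();              // the session must be open before it can be destroyed
    }
    $_SESSION = [];                   // drop the login data for the rest of this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie using the same parameters it was set with.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                // remove the server-side session data
    header('Location: index.php');
    exit;
}
```

A protected page calls require_login() as its first statement; logout.php only needs to call logout(). A guard that never calls session_start() sees an empty $_SESSION, so the check has to open the session itself as shown.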