Incorrect Redirection

0

I'm trying to redirect registered users to the control panel and other visitors to the login page, but I get this message:

Login

<?php
$page="Login";
include "header.php";

$user_error='';
$pass_error='';

if(isset($_POST["login"])){

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

if(empty($username)){
    $user_error = 'Please insert a username';
}
elseif(!empty($username)){
    $checkusername = mysql_query("SELECT * FROM `database`.`user` WHERE `username` = '".$username."'");
    if(mysql_num_rows($checkusername) == 0){
        $user_error = 'Wrong username';
    }
}
if(empty($password)){
    $pass_error = 'Please insert a password';
}
elseif(!empty($password)){
    $checkpassword = mysql_query("SELECT * FROM `database`.`user` WHERE `username` = '".$username."' AND `password` = '".$password."'");
    if(mysql_num_rows($checkpassword) == 0){
        $pass_error = 'Wrong password';
    }
}
}
if(empty($user_error)&& empty($pass_error)&& isset($_POST['login'])){

$login_check = mysql_query("SELECT * FROM `database`.`user` WHERE `username` = '".$username."' and `password` = '".$password."'") or die(mysql_error());

if(mysql_num_rows($login_check) == 1){

    setcookie("username",$username);
    $_SESSION['username'];
    $_SESSION['password'];
    header("Location: control-painel.php");
    $logged == 1;
}
 }
     else{
    $user_error = empty($user_error)?'' : htmlEntities($user_error);
    $pass_error = empty($pass_error)?'' : htmlEntities($pass_error);
 ?>

<div id="loginform">
    <form name="loginform" method="post">
        <table cellpadding="0" id="tb">
            <tr>
            <td colspan="2">
            <div class="loginheader">
            <h2>Login</h2>
            </div>
            </td>
            </tr>
        </table>
            <div id="message">
                <?php echo $user_error; ?><br><br>
                <?php echo $pass_error; ?>
            </div>
        <table cellpadding="0">
            <tr>
            <td class="field">Username:</td>
            <td><input type="text" class="text" name="username"></td>
            </tr>
            <tr>
            <td class="field">Password:</td>
            <td><input type="password" class="text" name="password"></td>
            </tr>
        </table>
        <table cellpadding="0">
            <tr>
            <td class="field"></td>
            <td><input type="submit" class="submitbutton" name="login" value="Login"/></td>
            </tr>
        </table>
    </form>
</div>

<?php
}
include "footer.php";
?>

Logout

<?php
if(isset($_POST['logout'])){
session_start();
session_destroy();
header("Location: index.php");
}
?>

Control Panel

<?php
$page = "Control Painel";
include "header.php";

if(!isset($_SESSION['username'], $_SESSION['password'], $logged)){
header("location: control-painel.php");
}
else{
header("location: login.php");
}
?>

<form action="logout.php" method="post">
<input type="submit" class="submitbutton" name="logout" value="Logout"/>
</form>

<?php
include "footer.php";
?>
    
asked by anonymous 24.05.2014 / 00:56

1 answer

2

You need to revisit your logic a little.

  • There are redundant queries on the login page.
  • You do not need to separate login validation from password validation, also for security reasons (you do not want a malicious user to discover a valid login in your application, right?).
  • You can also use try / catch to organize your code better.
  • The reported error occurs because the control panel page redirects to itself when there is no session. Then there is still no session, and it redirects to itself again, so it ends up in an endless loop.
  • Here are my suggestions:

    login.php

    <?php
    $error = '';
    if (isset($_REQUEST['login']))
    {
        try
        {
            if (empty($_REQUEST['username']))
                throw new Exception('Informe o seu login.');

            if (empty($_REQUEST['password']))
                throw new Exception('Informe a senha.');

            $username = mysql_real_escape_string($_REQUEST['username']);
            $password = mysql_real_escape_string($_REQUEST['password']);
            $result = mysql_query("SELECT * FROM `database`.`user` WHERE `username` = '".$username."' AND `password` = '".$password."'");

            if ($row = mysql_fetch_array($result))
            {
                 session_start();
                 $_SESSION['id'] = $row['id'];
                 // Add any other information you want to the session, but
                 // normally the id is the main piece of information.

                 header('location: control-painel.php');
                 exit; // stop here so nothing after the redirect is executed
            }
            else throw new Exception('Login/senha inválidos.');
        }
        catch (Exception $e)
        {
             $error = $e->getMessage();
        }
    }

    // The $error variable will hold the error message (if any).
    // To find out whether there was an error, just check if (!empty($error)) {}.
    

    controle-sessao.php

    <?php
    session_start();
    if (!isset($_SESSION['id']))
    {
        header('location: login.php');
        exit; // do not keep rendering the protected page after the redirect
    }
    

    On every page where you want to control access (only logged-in users may reach it), include the file 'controle-sessao.php':

    control-painel.php

    <?php
    // This must come before any HTML content.
    // I recommend making it the first statement on the page.
    require_once 'controle-sessao.php';
    

    logout.php

    <?php
    session_start();
    session_destroy();
    header('location: login.php');
    exit;
    
        
    24.05.2014 / 02:58
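The flow the answer describes (login handling, the session guard, logout), written as an added example that is not the poster's or the answerer's code. It goes beyond the answer in a few respects a practitioner would want: PDO prepared statements instead of the mysql_* functions (removed in PHP 7), hashed passwords checked with password_verify, one generic error message for both a wrong username and a wrong password, session id regeneration after login, and exit after every redirect. It assumes a `user` table with id, username and password_hash columns, filled here with a constructed SQLite in-memory database so it runs offline, and keeps the page names login.php and control-painel.php from the question; demoDatabase, authenticate, redirectTo, handleLogin, requireLogin and logout are names chosen for this example.

```php
<?php
declare(strict_types=1);
// Added example, not the original code from the question or the answer.
// Assumption: a `user` table (id, username, password_hash); the login page is
// login.php and the protected page is control-painel.php, as in the question.

// Constructed in-memory database so the example runs without a MySQL server.
function demoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO user (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// One query, bound parameters, and a single outcome: the user id on success,
// null on any failure. The caller never learns which part was wrong.
function authenticate(PDO $db, string $username, string $password): ?int
{
    if ($username === '' || $password === '') {
        return null;
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user does not exist, so the
    // response time does not reveal which usernames are valid.
    $hash = ($row !== false) ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    return ($row !== false && $ok) ? (int) $row['id'] : null;
}

// Send the redirect and stop: without exit the rest of the page still runs
// and is sent to the client.
function redirectTo(string $url): void
{
    header('Location: ' . $url);
    exit;
}

// login.php: call before any output. Returns the error message to display,
// or an empty string when the form was not submitted.
function handleLogin(PDO $db, array $post): string
{
    if (!isset($post['login'])) {
        return '';
    }
    $id = authenticate($db, (string) ($post['username'] ?? ''), (string) ($post['password'] ?? ''));
    if ($id === null) {
        return 'Invalid login or password.'; // same message for both failure cases
    }
    session_start();
    session_regenerate_id(true); // fresh session id after login (fixation defence)
    $_SESSION['id'] = $id;
    redirectTo('control-painel.php');
    return ''; // not reached; keeps the declared return type honest
}

// controle-sessao.php: include at the top of every protected page. The target
// is login.php, never the protected page itself, which is what caused the loop.
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['id'])) {
        redirectTo('login.php');
    }
}

// logout.php
function logout(): void
{
    session_start();
    $_SESSION = [];
    session_destroy();
    redirectTo('login.php');
}

// Offline exercise of the authentication logic (php login-example.php).
if (PHP_SAPI === 'cli') {
    $db = demoDatabase();
    var_dump(authenticate($db, 'alice', 'correct horse')); // valid credentials
    var_dump(authenticate($db, 'alice', 'wrong'));         // wrong password
    var_dump(authenticate($db, 'nobody', 'correct horse')); // unknown username
    var_dump(authenticate($db, "' OR 1=1 --", 'x'));       // bound parameter, not SQL
}
```

In a web context, login.php calls handleLogin($db, $_POST) as its first statement and prints the returned message in the form; each protected page starts with requireLogin(). The CLI block only exercises authenticate(), since header() has no effect outside a web server.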