StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POCan't make SESSION to work
text
Body
copied!<p>Here is the story. I'm coding (fairly) simple login in PHP with no database. Yes, I do agree, it's unsecure and dirty way to do it but I'm just learning. Anyway, the code is simple and everything works fine except the session. I'm trying to make attacker stop accessing <code>panel.php</code> which is protected page only administrator can enter. The <code>index.php</code> is login page with form.</p> <p><strong>config.php</strong></p> <pre><code><?php $loginToken = '123456'; $uname = 'test'; $upass = '123123'; $a_login = 'index.php'; $a_panel = 'panel.php'; $a_list = 'list.php'; $a_add = 'add.php'; $a_other = 'other.php'; ?> </code></pre> <p><strong>index.php</strong> (Login form - for some reason, SO does not allow me to paste the code correctly):</p> <blockquote> <pre><code><?php // Load & start a session before everything session_start(); // If session is already loaded, get into panel area if ($_SESSION['login'] == "1") { Header("Location: $a_panel"); } // Load configuration file include_once('cfg/config.php'); if (isset ( $_POST ['username'] )) { $password = $_POST ['password']; $username = $_POST ['username']; if ($password == $upass && $username == $uname) { header ( "Location: $a_panel" ); exit (); } } ?><html> <head> <title>Test</title> <link rel="stylesheet" href="css/login.css" media="all" /> </head> <body> <br /><br /> <center><a href="index.php"><img src="images/logo_b.png" /></a></center> <br /><br /> <?php if (isset($_GET['nToken'])) // A little bit of security (index.php?nToken=123456) { if ($_GET['nToken'] == $loginToken) { ?> <form id="login" action="" method="post"> <fieldset id="inputs"> <input name='username' id="username" type="text" placeholder="Username" autofocus required> <input name='password' id="password" type="password" placeholder="Password" required> </fieldset> <fieldset id="actions"> <input type="submit" id="submit" value="Log in"> </fieldset> </form> <?php } } echo ' </body> </html>'; ?> </code></pre> </blockquote> <p><strong>panel.php</strong> (Administrator area)</p> <pre><code><?php session_start(); // Insert a config file require_once('cfg/config.php'); // Check if logged (and if loaded display buttons) if ($_SESSION['login'] == "1") { ?> <head> <title> Admin panel @ TEST </title> <link rel="stylesheet" href="css/bg.css" media="all" /> <center><img src="images/header_1.png" /></center> <div class="hot-container"> <p> <a href="#" class="btn btn-blue">Listing</a> <a href="#" class="btn btn-blue">Add new</a> <a href="#" class="btn btn-blue">Settings</a> </p> <p> </p> </div> <?php } ?> </code></pre> <p>As far as I know, code should work fine as <code>session_start()</code> is posted everywhere where it needs to be (except config.php) but session is not registered. When I access the <code>panel.php</code> with information I enter into form (from configuration file) I get a blank page, thus, that is not everything. Even if I access the page by entering "/panel.php" into URL, I get blank page.</p> <p>Now I'm curious is it just me and my level of knowledge or there is some correction I have to do in php.ini :) Just to note I was trying to get as much info from SO with same questions before but didn't work no matter what.</p> <p>Thanks!</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload