Issues With PHP Session

1
votes

I am trying to create a very simple session between 3 php pages as: index.php ,validate.php and target.php index.php

<?php
session_start();
$_SESSION['uid'] = 'test';
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Start A Session</title>
</head>  
<body>
<h1>Welcome to Heaven</h1>
<form method="POST" action="validate.php">
Your Name: <input type="text" name="name" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

and validate.php as:

<?php
session_start();
$err="Not Allowed";
if(($_POST['name']) == $_SESSION['uid']){
header ("Location: heaven.php");}
else
{echo $err; }
?>

and finally target.php as

<?php
session_start();
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Start Email with PHP</title>
</head>
<body>
<h1>Welcome to Targer <?php echo $_SESSION['uid'] ?></h1>
<img src="session.jpg">
</body>
</html>

Now my questions are:

  1. How come user still can get access to target page while I have already set a session between pages(according to my understanding of sessions the target page must NOT be accessible unless the correct seesion value has been submitted but I can get access to page by clicking on page link in wamp index list! with echoing the $err; ! )
  2. I tried to validate the $_SESSION value by using the isset() but it did'nt go through! can you please let me know how I can modify the validate.php using the isset() instead of if(($_POST['name']) == $_SESSION['uid']) comarison?
  3. Can you please let me know how I can merge two (index.php and validate.php) in one page? I mean how I can validate the session inside the index.php and reduce the files two index and target? In this case I need to handle the wrong logins inside the index page.
  4. Finally, can you please let me know how I can assign the value to $_SESSION from user input? I mean instead of having a hard coded part like $_SESSION['uid'] = 'test'; let the session value start with user input! I know this looks meaningless here but I would like to get idea on creating captcha in same index page

Thanks for your time in advance

2
phpsession

2 Answers

1
votes

This should work properly and just with 2 files. You could even compress it to 1 file, if you really want so (it's much harder to understand), ask for it and I can make it.

index.php:

<?php
session_start();
$_SESSION['uid'] = 'test';
?>
<!DOCTYPE HTML>
<html>
    <head>
    <title>Start A Session</title>
    </head>  
    <body>
    <h1>Welcome to Heaven</h1>
    <form method="POST" action="heaven.php">
        Your Name: <input type="text" name="name" value="" />
        <input type="submit" value="Submit" />
    </form>
    </body>
</html>

And the other file, heaven.php

<?php
session_start();
if (!empty($_SESSION['uid'])&&$_POST['name']==$_SESSION['uid'])
    {
    ?>
    <!DOCTYPE HTML>
    <html>
    <head>
    <title>Start Email with PHP</title>
    </head>
    <body>
    <h1>Welcome to Targer <?php echo $_SESSION['uid'] ?></h1>
    <img src="session.jpg">
    </body>
    </html>
    <?php
    }
else
    {
    ?>
    <!DOCTYPE HTML>
    <html>
    <head>
    <title>Access denied</title>
    </head>
    <body>
    Sorry, you have no permission to access this page.
    </body>
    </html>
    <?php
    }
?>

'Validation' is just to display the desired message if the strings match or to display a 'you cannot see this page' if they don't match.

The !empty() needs to be set. Else, imagine what would happen if someone visited the 'heaven.php' page without going first to index.php. You'd compare 2 empty strings! So it would be validated. The alternative is to put $_SESSION['uid'] = 'test'; at the beginning of heaven.php also.

I didn't really answer your questions in order (and in the 2nd one I cheated as I put 2nd and 3rd file together instead of 1st and 2nd), but my code should cover all your problems. For the last part, it's simply $_SESSION['uid']=$_POST['name']; , but it'd be a no sense to do it while validating user. The validation must come from somewhere, generally from a mysql database.

Please start to accept answers to your questions if valid (below the up/down button).

0
votes

1) What do you mean by assigning correct session value? "heaven.php" is a file which is accessible by anyone if you don't check for access rights in that file.

2) Not sure what you mean. If you need to check if two variables exist and match, you need something like if ( (isset($_POST['name']) && isset($_SESSION['uid'])) && (($_POST['name']) == $_SESSION['uid']) )

3) If there's no need to reduce files to minumun, it's a good idea to keep validating, form processing etc. function in their respective files. If you want to valide session and form values within "index.php" you can do so by first checking if the values exist and then do to them whatever you like. (Like in the 2 above.)

4) You can assign user inputted values for variables by using forms. It's what you are doing with your form currently. In you process file/function you do something like:

if(isset($_POST['submit']){
  $_SESSION['uid'] == $_POST['name'];
}

The example above is very simplified.

Finally. You aren't really validating anything, you just check if two values match. Validating means that you make sure value meets the standard(s) specified, for example user submitted value is an integer when it should be an integer (when inserted into database or used some other manner). I think you should see some tutorials about form processing and user input validation before creating anything that's intended in production environment.