PHP sessions across pages

I have this question in mind. I know there are a lot of questions like this on the internet, but none of them seem to do the trick for me :(

So I'm planning on making an admin panel on a website. You enter by going through a login screen; when the name+pass is correct a session is made. On the other admin pages I'll test if this session is set; by this I'll know if the user can access the page or not.

Inlog.php (simplified)

    <?php session_start(); ?> <html ...

then after lots of controls

    if ($adminpwd == $pass) {
        session_regenerate_id();
        $_SESSION["mysessionname"] = $name;
        $tijd = date('H:i:s', strtotime('+ 30 minutes'));
        $_SESSION["E4A_einde"] = $tijd;
        session_write_close();
        echo "<script type='text/javascript'>window.location = 'myotheradminpage'</script>";
    }

My other php pages include this script

    <?php session_start();
    if (!isset($_SESSION["mysessionname"])) {
        session_destroy();
        echo '<SCRIPT LANGUAGE="JavaScript"> window.alert("no session found") </SCRIPT>';
        echo "<script type='text/javascript'>window.location = 'myloginpage'</script>";
    }

With this element, if the session is not set there's a redirect; if the session is set, the other code on the PHP page will be triggered.

But the fact is that every single time I'm redirected again to my login page, so my session is not set :s Can't figure out why, so please help me out.

I tried a lot of things, adding the session_start() method on every page; I tried to regenerate the session ID before I set the sessions, but nothing works..

In your initial session_start before the HTML, try setting this:

    <?php session_start();
    $_SESSION["mysessionname"]; ?>
    <html ...

This will declare your session variable before anything runs.

Let me know if this works.

Drop the session_regenerate_id. It sends another cookie, but output has been already sent.

Also drop the call to session_write_close. It would happen in the end of the script anyway and this micro-optimization has negative impact on the quality of the code base. If you have concurrency issues, go with memcached session store, but you are far away from there.

Also drop the session_destroy call. If he is not authorized, then he is not authorized. Your logic here suggests purging an already empty session.
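
The ordering problem raised above (a session cookie cannot be sent once output has started) can also be handled by doing all session work before any output and redirecting with a header. The following is an added example, not code from the question or the answers; it assumes PHP 7.3+, a password hash produced by `password_hash()`, and the hypothetical names `start_admin_session`, `login`, `require_admin` and `$adminHash`.

```php
<?php
// Added example. This tag must be the first bytes of the file: whitespace,
// a BOM or HTML before it starts output and the session cookie is lost.
declare(strict_types=1);

const SESSION_TTL = 1800; // 30 minutes, as in the question

function start_admin_session(): void
{
    // Fail loudly, naming the file and line where output began.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line");
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);
    }
}

// Call from the login page before any HTML is emitted.
// $adminHash is an assumed value created earlier with password_hash().
function login(string $name, string $pass, string $adminHash): bool
{
    start_admin_session();
    if (!password_verify($pass, $adminHash)) {
        return false;
    }
    // Issue a new session ID at login; possible because nothing was output yet.
    session_regenerate_id(true);
    $_SESSION['mysessionname'] = $name;
    $_SESSION['E4A_einde'] = time() + SESSION_TTL; // Unix timestamp, not 'H:i:s'
    header('Location: myotheradminpage');
    exit;
}

// Call at the top of every admin page, again before any output.
function require_admin(): void
{
    start_admin_session();
    $expires = $_SESSION['E4A_einde'] ?? 0;
    if (!isset($_SESSION['mysessionname']) || time() >= $expires) {
        $_SESSION = []; // drop stale data so an expired login cannot be reused
        header('Location: myloginpage');
        exit;
    }
}
```

Because the redirect is an HTTP header rather than a script tag, a client with JavaScript disabled cannot skip it and keep reading the protected page.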