Access Control Not Working

I have this code, shown below, processing my login form:

// process the script only if the form has been submitted
if (isset($_POST['action']) && $_POST['action'] == 'login')
{

    // start the session
    session_start();
    // clean the $_POST array and assign to shorter variables
    $userName = trim($_POST['userName']);
    $passWord = trim($_POST['passWord']);

    // connect to the database
    $conn = DatabaseManager::getConnection();

    // get the username's details from the database
    $sql = "SELECT * FROM user WHERE userName = ?";
    $stmt = $conn->prepare($sql);
    $stmt->execute(array($userName));
    $row = $stmt->fetch();

    // strict comparison so two different hash strings are never treated as equal numbers
    if (md5($passWord . 'mysecret@#$mysecret') === $row['passWord']) {
        $_SESSION['loggedIn'] = TRUE;
        $_SESSION['userName'] = $_POST['userName'];
        $_SESSION['passWord'] = $passWord;
    }

    // if no match, destroy the session and prepare error message
    else {
        $_SESSION = array();
        session_destroy();
        $error = 'Invalid username or password';
    }
    // if the session variable has been set, redirect
    if (isset($_SESSION['loggedIn'])) {
        // get the time the session started
        $_SESSION['start'] = time();

        $login = TRUE;
        header('Location: homepage.php');
        exit();
    }
    else
    {
        $GLOBALS['loginError'] = 'Please fill in both fields';
        header('Location: index.php');
        // stop after the redirect header, as the success branch does
        exit();
    }
}

else {
    require $_SERVER['DOCUMENT_ROOT'] . 'mysite/login.php';
    exit();
}

This is my login form

<form action="" method="post">
        <tr>
          <td colspan="2" align="center" valign="middle"><p id="p_header2"><strong> Please Login</strong></p></td>
        </tr>
        <tr>
          <td width="35%" align="right" valign="middle"><label for="username">Username:</label></td>
          <td width="65%"><input type="text" name="userName" placeholder="Your username" required="required" autofocus="autofocus" maxlength="30"/></td>
        </tr>
        <tr>
          <td width="35%" align="right"><label for="password">Password:</label></td>
          <td width="65%"><input type="password" name="passWord" placeholder="Your password" required="required" autofocus="autofocus" maxlength="30"/></td>
        </tr>
        <tr>
          <td colspan="2" align="center" valign="middle">Forgot your password ? <a href="forget_pwd.html.php">Click here</a></td>
        </tr>
        <tr>
          <td colspan="2" align="center" valign="middle"><input type="hidden" name="action" value="login" />
            <input type="reset" name="reset" value="Reset" />
            &nbsp; &nbsp;
            <input type="submit"  value="Log in" /></td>
        </tr>
      </form>

Everything works fine, but the challenge I’m having here is that when I tried to use this code below in homepage.php

<?php if ($_POST['action'] == 'login')
	  {
	    echo 'I am logged in';
	  }
	  ?>

It gave me this error message: Notice: Undefined index: action in C:\wamp\www\mysite\homepage.php on line 33

The major effect this is having on my project is that, as long as $_POST['action'] == 'login' doesn’t work, my Access Control List won’t work either, because it depends on it entirely. I have my $_SESSION variables up and running, and the only problem I couldn’t figure out is how to get $_POST['action'] == 'login' from the login page to work on other pages. Please note, immediately after the login, it leads straight to homepage.php, from where users can select the area they want to go. Thanks in advance.

Hi papadammy, welcome to the forum. I wasn't 100% clear on your question, so please forgive me if my advice is off the mark for your situation.

If I follow you correctly, you have a login page that redirects to homepage.php if the username and password were valid. You are then using the last code block you posted to see if the user is logged in on homepage.php. Remember that HTTP requests are typically stateless. In other words, homepage.php has no idea what happened on your login page. Your login page doesn't submit your username and password right to homepage.php, so when the check fires on homepage.php, it knows nothing about the hidden action parameter.

To maintain state across pages, sessions are required, which I see you are using. Instead of checking against $_POST['action'], you should check directly against your session data, like so:


if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] === true) {
    echo 'Logged in';
}

Also, you will want to make sure that your homepage.php file (or one of your main includes) has a call to session_start() before you try to do your auth check.
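A fuller form of the session check from the answer above, as an added example that is not part of the thread: one guard that every protected page calls, which tolerates visitors with no session data, accepts only the boolean flag set at login, and expires idle sessions using the `$_SESSION['start']` value the login script already stores. The include name `auth.php`, the function names and the 15-minute idle limit are assumptions.

```php
<?php
// auth.php (hypothetical include name): one login check shared by every protected page.
const IDLE_LIMIT = 900; // assumed idle timeout in seconds, not a value from the thread

// Pure decision function: takes the session array and the current time.
function isLoggedIn(array $session, int $now): bool
{
    // isset() avoids an "Undefined index" notice for visitors with no login data
    if (!isset($session['loggedIn'], $session['start'])) {
        return false;
    }
    // strict comparison: only the boolean TRUE set by the login script counts
    if ($session['loggedIn'] !== true) {
        return false;
    }
    // 'start' is set at login and refreshed below, so it acts as last-activity time
    return ($now - $session['start']) <= IDLE_LIMIT;
}

// Call first thing in homepage.php and other protected pages, before any output.
function requireLogin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isLoggedIn($_SESSION, time())) {
        $_SESSION = array();
        session_destroy();
        header('Location: index.php');
        exit(); // stop so the protected page body is never sent
    }
    $_SESSION['start'] = time(); // slide the idle window forward
}

// Constructed sample sessions (demo only; remove when using this file as an include)
$now = 1700000000;
$samples = array(
    'no session data'  => array(),
    'fresh login'      => array('loggedIn' => true, 'start' => $now - 60),
    'idle too long'    => array('loggedIn' => true, 'start' => $now - 3600),
    'non-boolean flag' => array('loggedIn' => 'yes', 'start' => $now - 60),
);
foreach ($samples as $label => $session) {
    echo $label, ': ', isLoggedIn($session, $now) ? 'allowed' : 'denied', PHP_EOL;
}
```

With the demo loop removed, a protected page would start with `require 'auth.php'; requireLogin();` so the check runs before any page content is produced.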

Codeatar, you really rock. That code did exactly what I wanted, I just tweaked it a little bit and everything is fine now. Thanks man.