SESSIONS - Chapter 12 - Can view all pages logged OUT or IN?

[Coolio 0]

For a few weeks now I have been working on Chapter 12 of the book.  I'm transitioning the code from COOKIES to SESSIONS.

I've updated the web pages with the session_start();  and echo session_id() so I can see the session cookie... SESSION code Chapter 12 pages 404 - 411.

I have an index.php page (which is home.php) with session_start(); added.

When you visit the site, the echo session_id(); value shows a session_id(); of :458bd4cae95c75797fc4feec43e54ff1 
 

What I am confused about is that I am not logged in!  Should I not be redirected the login page?  Where is the page getting the session id from?
This also happens when I visit other pages on the site that I added session_start(); code to the beginning of the web page. I can view them when I am not logged in!

Any help on this will be appreciated.

Thanks

 

 

  

 

 

[Larry 423]

If you use session_start(), that creates a PHP session with a session ID. Whether the visitor is logged in or not is actually an entirely separate concept, a concept that PHP on the server will have no awareness of. The concept of "logged in" is normally represented by storing meaningful data in the session. 

Think of session_start() as PHP providing a bucket for you to put stuff. That bucket is going to exist whether it's empty or full. Once the user logs in, your code starts putting stuff in the bucket. 

[Coolio 0]

Hi Larry,
Thanks for the reply and great book, very well written...again any assistance is appreciated. 

Ok the bucket concept I get.  What I don't get is controlling access to the pages.  Along with adding session_start to each page I want to control access to...

do I also need to add the logic on page 405 lines 12 to 34 from the login.php script?

I'm thinking that the login.php page should be saved as index.php so clients land there first then are forced to login in?

Here's my site:  mylock.dev

I'm able to view all pages of the site if I'm logged out.  I've completed the pages in the book (code) up to page 411. 
home, index, view_users, register all have session_start at the beginning of the page...
Should I be able to view all pages even if I am logged out?

Here's the index.php page code. The other pages register, view_users etc I've also added the session_start()...

**********************************

<?php # Script 3.4 - index.php

session_start();
echo session_id();  * just put this code here so I can see the session id

$page_title ='Welcome to this site!';
include('includes/header.html');                            *  there's logic in the header script  line 22 to check if the SESSION['user_id'] is set...
?>

<div class="page-header"><h1>Index Page</h1></div>
<p>This site will demonstrate the use of SESSIONS</p>
<p> </p>
<br>
<p>
<br>
<?php
include('includes/footer.html');
?>

************************************

My header file as it's a bit different from the books:

*********************************************************
 

<!DOCTYPE html>
<html lang="en">
<head>
  <title><?php echo $page_title; ?></title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
  
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.0/css/all.css" integrity="sha384-lZN37f5QGtY3VHgisS14W3ExzMWZxybE1SJSEsQp9S+oqd12jhcu+A56Ebc1zFSJ" crossorigin="anonymous">

  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js"></script>
</head>
<body>

<!-- <nav class="navbar navbar-expand-md navbar-dark" style="background-color : #174276;">  -->
<!-- purple aa1923, 6d214f  gray/blue 7f8fa6,  blue 273c75     black 2c3a47,  gray cad3c8  orange f97f51 -->
<! -- lite blue 479cd1  another lite blue 0072bc -->

<nav class="navbar navbar-expand-md navbar-dark" style="background-color : #0072bc;">

  <a class="navbar-brand" href="home.php"><b>COLEY Web Admin </b></a>
  <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#collapsibleNavbar">
    <span class="navbar-toggler-icon"></span>
  </button>
  <div class="collapse navbar-collapse" id="collapsibleNavbar">
    <ul class="navbar-nav">
      <li class="nav-item">
        <a class="nav-link" href="home.php">Home</a>
      </li>
      <li class="nav-item">
        <a class="nav-link" href="register.php">Register</a>
      </li>
      <li class="nav-item">
        <a class="nav-link" href="view_users.php">View Users</a>
      </li> 
       <!-- Dropdown 
    <li class="nav-item dropdown">
      <a class="nav-link dropdown-toggle" href="#" id="navbardrop" data-toggle="dropdown">
        Not Used
      </a>
      <div class="dropdown-menu">
        <a class="dropdown-item" href="#">Not Used</a>
        <a class="dropdown-item" href="#">Not Used</a>
        </div>
    </li> -->
    <li class="nav-item">
        <a class="nav-link" href="password.php">Change Password</a>
      </li> 
<li><?php if (isset($_SESSION['user_id'])) {
   
      echo '<a class="nav-link" href="logout.php">Logout</a>';
} else {
    echo '<a class="nav-link" href="login.php">Login</a>';
}
?></li>
   <!-- <li class="nav-item">
        <a class="nav-link" href="#"><i class="fa fa-fw fa-user"></i>Not Used</a>
      </li>  -->
    </ul>
  </div>  
</nav>
<br>

<div class="container">
  
<!-- Script 9.1 - header.html -->

*************************************************
 

[Larry 423]

Thanks for the nice words! If you look at Script 12.9 on page 407, you can see sample code for restricting access to a page to logged in users. Also, Ch 18 fleshes out the whole concept more for you.