PHP username and password session variables don't get passed to next url

MrWheezy · #1 (**permalink**) 07-12-09, 07:51 AM

Hello everyone,

I am trying to access an API where my mobile sim status (balance, valid until) and call history is displayed.

The login works well, and the first page is being displayed with my balance, but when I want to access my call history, the user name (variable "user") and password (variable "pass") don't get passed to the next page (mv.php?area=history) where I get an error from the API wich states:

"failed to open stream: HTTP request failed! HTTP/1.1 401 UNAUTHORIZED"

If you look at the code below, I get logged in from index.php to mv.php, but when I want to go to mv.php?area=history I get the above error.

Note: no user names and passwords are stored on my side, everything is authenticated at the API side of my mobile provider.

What am I doing wrong? This is my first time working with logins and sessions.

Below are index.php, mv.php and logout.php:

index.php

HTML Code:

<form method="post" action="mv.php">
Username: <input type="text" name="user"/><br/><br/>
Password: <input type="password" name="pass"/><br/><br/>
<input type="submit" name="submit" value="Login"/> </form>

mv.php

PHP Code:


			
<?php

// Start een nieuwe sessie

session_start();

$_SESSION['user'] = $_POST['user'];

$_SESSION['pass'] = $_POST['pass'];

 



$user = $_SESSION['user'];

$pass = $_SESSION['pass'];

 

// Aantal historiek items

$aantal = "10";

 

// Pagina nummering

$pagina = $_GET['pagina'];

if ($pagina == "") {

        $pagina = 1;

}

else {

        $pagina = $_GET['pagina'];

}

 

// MobileVikings API URL's

$mv_balance = "https://" . $user . ":". $pass . "@mobilevikings.com/api/1.0/rest/mobilevikings/sim_balance.xml";

$mv_topuphistory = "https://" . $user . ":". $pass . "@mobilevikings.com/api/1.0/rest/mobilevikings/top_up_history.xml?page_size=1";

$mv_callhistory = "https://" . $user . ":". $pass . "@mobilevikings.com/api/1.0/rest/mobilevikings/call_history.xml?from_date=2009-01-01T00:00:00&page_size=". $aantal . "";

 

// Inlezen XML 'Balance' in array

$balance_data = file_get_contents($mv_balance);

$balance_xml = new SimpleXMLElement($balance_data);

 

// Inlezen XML 'Top Up History' in array

$topup_data = file_get_contents($mv_topuphistory);

$topup_xml = new SimpleXMLElement($topup_data);

 

// Inlezen XML 'Call History' in array

$callhistory_data = file_get_contents($mv_callhistory);

$callhistory_xml = new SimpleXMLElement($callhistory_data);

 

?>

<html>

<head>

<title>My Mobile Viking</title>

</head>

<body>

<h1>My Mobile Viking</h1>

<p>Welkom, je bent aangemeld als <?php echo $user; ?>. <a href="logout.php">Uitloggen</a></p>

<p><a href="?area=home">Home</a> - <a href="?area=history">Historiek</a> - <a href="?area=news">MV Nieuws</a></p>

 

<?php

 

if (!isset($_GET['area'])) {

$area = "home"; // Default page

        include ("content/".$area.".php");

} else {

$area = $_GET['area'];

        include ("content/".$area.".php");

}

 

?> 

 

 

</body>

</html>

logout.php

PHP Code:


			
<? session_start();

unset($_SESSION['user']);

unset($_SESSION['pass']);

session_destroy();

header("Location: index.php");

?>

TheDemoSite · #2 (**permalink**) 07-12-09, 02:09 PM

You seem to be assigning the session user/pass variables to $_POST values everytime the mv.php is loaded!

Comment out the two lines:
$_SESSION['user'] = $_POST['user'];
$_SESSION['pass'] = $_POST['pass'];

and put them in your login.php page, for an example see:
free PHP source code for the login example page

Hope that helps.

MrWheezy · #3 (**permalink**) 07-13-09, 01:51 AM

You were right... eacht time mv.php loaded the session went fubar

I now managed it with this code in mv.php:

PHP Code:


			
session_start();

$user = $_SESSION['user'];

$pass = $_SESSION['pass'];

if ($_SESSION['user']=='' and $_POST['user']!='')

{

  $_SESSION['user'] = $_POST['user'];

  $_SESSION['pass'] = $_POST['pass'];

  $user = $_POST['user'];

  $pass = $_POST['pass'];

}

Thanks

kvnband · #4 (**permalink**) 07-14-09, 10:34 AM

You can shorten it up even more:

PHP Code:


			
session_start();
$user=(isset($_POST['user'])) ? $_POST['user'] : $_SESSION['user'];
$pass=(isset($_POST['pass'])) ? $_POST['pass'] : $_SESSION['pass'];
$_SESSION['user']=$user;
$_SESSION['pass']=$pass;

Quote:

Originally Posted by MrWheezy

You were right... eacht time mv.php loaded the session went fubar

I now managed it with this code in mv.php:

PHP Code:


			
session_start();
$user = $_SESSION['user'];
$pass = $_SESSION['pass'];
if ($_SESSION['user']=='' and $_POST['user']!='')
{
  $_SESSION['user'] = $_POST['user'];
  $_SESSION['pass'] = $_POST['pass'];
  $user = $_POST['user'];
  $pass = $_POST['pass'];
}

Thanks

job0107 · #5 (**permalink**) 07-15-09, 04:06 AM

Hello MrWheezy,

You need to do some username and password validation before you load the username and password in to the $_SESSION variables.

First you need to validate that a username and password were sent from the login form.
And then you should validate that the username and password are correct by checking them against a username and password in a database.
And you have to make sure that the $_SESSION variables don't get erased when you click on your navigation links.

Also it would be nice if the username and/or password didn't get erased if you get sent back to the login form.
Some of the reasons you might get sent back to the login form would be "you didn't enter a username or password" or "the username and password entered are not valid".

And then you should make sure that the XML files you are trying to access, exist.
You will also probably have to do some editing in your $area.php pages to accommodate any problems you may encounter if any of the XML files are missing.

Just remember, you can not assume anything when you are programming.
The computer won't do your thinking for you.

Example:
index.php

PHP Code:


			
<?php
session_start();
$user = empty($_SESSION["user"]) ? "" : $_SESSION["user"];
$pass = empty($_SESSION['pass']) ? "" : $_SESSION['pass'];
?>
<html>
<head>
<title>My Mobile Viking</title>
</head>
<body>
<?php
echo $login_msg = empty($_SESSION["msg"]) ? "<div>Login:</div>" : "<div>".$_SESSION["msg"]."</div>";
?>
<form method="post" action="mv.php">
Username: <input type="text" name="user" value="<?php echo $user; ?>" /><br /><br />
Password: <input type="password" name="pass" value="<?php echo $pass; ?>" /><br /><br />
<input type="submit" name="submit" value="Login"/> </form>
</body>
</html>

mv.php

PHP Code:


			
<?php
session_start();
/* Load $_SESSION variables from login form.
   Else set them to NULL. */
if(empty($_GET["area"]))
{
 $_SESSION["user"] = empty($_POST["user"]) ? "" : $_POST["user"];
 $_SESSION["pass"] = empty($_POST["pass"]) ? "" : $_POST["pass"];
 }

/* Check to see if $_SESSION variables were loaded from login form.
   If not then go back to login form. */
if(empty($_SESSION["user"]) || empty($_SESSION["pass"]))
{
 $_SESSION["msg"] = "<span>Please login.</span><br /><span style='color:#f00;'>You must enter a username and password.</span>";
 header("location:index.php");
 die();
 }
 
// Check to see if username and password are in database. //
else
{
 $host = "localhost";   // MySql Host address goes here. //
 $username = "root";    // MySql username goes here. //
 $password = "";        // MySql password goes here. //
 $db = "test";          // MySql database name goes here. //
 $table = "user_table"; // MySql table name goes here. //
 
 // Connect to the MySql server. //
 mysql_connect($host,$username,$password);
 
 // Select MySql database. //
 mysql_select_db($db);
 
 // Select a record from fields username and password. //
 $r = mysql_fetch_assoc(mysql_query("SELECT * FROM $table WHERE username='".$_SESSION["user"]."' AND password='".$_SESSION["pass"]."'"));
 
 /* Verify username and password in database equals username and password in $_SESSION variables.
    If not then go back to login form. */
 if($_SESSION["user"]!=$r["username"]&&$_SESSION["pass"]!=$r["password"])
 {
  $_SESSION["msg"] = "<span>Please login.</span><br /><span style='color:#f00;'>Invalid username or password.</span>";
  header("location:index.php");
  die();
  }
 }
////////////////////////////////////////////////////////////

$user = $_SESSION['user'];
$pass = $_SESSION['pass'];

// Aantal historiek items
$aantal = "10";

// Pagina nummering
$pagina = !empty($_GET['pagina']) ? $_GET['pagina'] : 1;

// MobileVikings API URL's
$mv_balance = "https://" . $user . ":". $pass . "@mobilevikings.com/api/1.0/rest/mobilevikings/sim_balance.xml";
$mv_topuphistory = "https://" . $user . ":". $pass . "@mobilevikings.com/api/1.0/rest/mobilevikings/top_up_history.xml?page_size=1";
$mv_callhistory = "https://" . $user . ":". $pass . "@mobilevikings.com/api/1.0/rest/mobilevikings/call_history.xml?from_date=2009-01-01T00:00:00&page_size=". $aantal . "";

if(file_exists($mv_balance)&&file_exists($mv_topuphistory)&&file_exists($mv_callhistory))
{
 // Inlezen XML 'Balance' in array
 $balance_data = file_get_contents($mv_balance);
 $balance_xml = new SimpleXMLElement($balance_data);

 // Inlezen XML 'Top Up History' in array
 $topup_data = file_get_contents($mv_topuphistory);
 $topup_xml = new SimpleXMLElement($topup_data);

 // Inlezen XML 'Call History' in array
 $callhistory_data = file_get_contents($mv_callhistory);
 $callhistory_xml = new SimpleXMLElement($callhistory_data);
 }

?>
<html>
<head>
<title>My Mobile Viking</title>
</head>
<body>
<h1>My Mobile Viking</h1>
<p>Welkom, je bent aangemeld als <?php echo $user; ?>. <a href="logout.php">Uitloggen</a></p>
<p><a href="mv.php?area=home">Home</a> - <a href="mv.php?area=history">Historiek</a> - <a href="mv.php?area=news">MV Nieuws</a></p>

<?php
$area = empty($_GET["area"]) ? "home" : $_GET["area"];
include("content/".$area.".php");
?>

</body>
</html>

logout.php

PHP Code:


			
<?php
session_start();
unset($_SESSION['user']);
unset($_SESSION['pass']);
session_destroy();
header("Location: index.php");
?>