I am making a simple dynamic website using PHP, where I allow the user to log in and then access specific pages. So here's what I have done so far.

  • The login values are taken through $_POST variables in a PHP script, which fetches values from the database for registered users. If the user is found, I do the following:

    // session_register() is not needed when assigning to $_SESSION directly (it was removed in PHP 5.4)
    $_SESSION['userid'] = $username; // this is taken from $_POST
    $_SESSION['accesslevel'] = $access;

At the beginning of the PHP script I have put session_start();

Now here comes my problem.

On every page I now have to check whether the user is allowed to view that page or not. If he isn't, he must be redirected to login.php; if he is, the page load must continue.

So far, what I have learnt is that the only way to maintain values across PHP pages is to use $_SESSION variables, and on whichever page I am using session variables I must write session_start() as the first line, else I will get a "headers already sent" error.

Strangely, I have done exactly that but still get errors with "headers already sent".

So I want to know what the best way is to design a website where I have to use session variables across most of the pages, and keep these common checks in a common place.

  • Can I use the include() feature somehow?
  • Are sessions the only way to communicate data across PHP pages?
  • What is a better way?

I have the following code :

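<?php
session_start();
// Not logged in: remember the target page and send the user to the login form.
// The login script stores the user under 'userid', so that is the key checked here.
if (!isset($_SESSION['userid']))
{
    $_SESSION['loc'] = "adminhome.php";
    header("Location: ettschoollogin.php");
    exit();
}
?>

This resides at the top of every page that needs to check whether the user has logged in.

And this is the script that checks the login: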

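<?php
session_start();
include("connection.php"); // must not output anything, or the header() calls below fail
$userid  = $_POST['userid'];
$userpwd = $_POST['userpwd'];

// Escape the user-supplied value before placing it in the SQL string
// (uses the connection opened by connection.php).
$safeid = mysql_real_escape_string($userid);
$query = "Select UNAME,UPASSWORD,SCHOOL,uaccess from schooluser where uname = '$safeid'";

$result = mysql_query($query) or die("couldn't execute the query");
$row = mysql_fetch_array($result); // false when no such user exists

// Require a fetched row, so empty input can never match a missing record.
// The password is compared exactly as it is stored in the table.
if ($row && ($row[0] == $userid) && ($row[1] == $userpwd))
{
    // session_register() dropped: assigning to $_SESSION is enough.
    $_SESSION['userid'] = $userid;
    $_SESSION['school'] = $row[2];

    if ($row["uaccess"] == "admin")
    {
        header("Location: adminhome.php");
    }
    else
    {
        header("Location: school_main.php");
    }
}
else
{
    header("Location: ettschoollogin.php?err=1");
}
exit(); // stop after sending the redirect
?>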

I was aware of the common error of having extra spaces after "?>", BUT I STILL GET IT.

Thanks guys, I missed it: the "connection.php" file actually had extra spaces after "?>". I had removed them before, but somehow the file got rewritten again. Thanks a lot.

+2  A: 

• Can I use the include() feature somehow?

Yes. You can do whatever you want before your session_start() call, only, you must not have outputted anything, not even a single space or character. Probably you have already outputted something, maybe on an automatic inclusion or Apache prepend.

• Are sessions the only way to communicate data across PHP pages?
• What is a better way?

Other ways are cookies, POST and GET parameters. But sessions are the only way to securely pass data among pages without sending them to the client and back (which may pose security risks).

Palantir
+1  A: 

Yes, you can use include. Put all your common functions in a separate PHP file and "include" it at the top of each file.

You can use cookies to store information (typically just an id that you use to look up additional information in the PHP page). Normally, PHP sessions are handled using cookies though. See setcookie in the docs.

You are probably getting the error messages due to stray characters outside of a <?php ?> block. A common error is to have an extra blank line at the end of an include file, after the ?>. That blank line will be output and your headers will have been sent. If that isn't the problem, you will just need to make sure you move the session-related code above any code that might generate some output (e.g. by using print or echo).

rikh
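
The shared include that both answers point to, as an added example that is not part of the original thread. The file name auth.php and the function names are hypothetical; the session keys and page names are the ones used in the question.

```php
<?php
// auth.php (hypothetical name): shared session guard.
// Usage, as the first statement of a protected page:
//     require_once __DIR__ . '/auth.php';
//     require_login('admin');

function start_session_once(): void
{
    // headers_sent() reports the file and line that produced early output,
    // which pinpoints stray whitespace such as a blank line after "?>" in an include.
    if (headers_sent($file, $line)) {
        error_log("Output already started at $file:$line; session cookie cannot be set");
        exit;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function redirect(string $page): void
{
    header('Location: ' . $page);
    exit; // stop here so the protected page body is never rendered
}

function require_login(?string $requiredLevel = null): void
{
    start_session_once();
    if (!isset($_SESSION['userid'])) {
        // Remember the requested script; basename() keeps the value a local file name.
        $_SESSION['loc'] = basename($_SERVER['SCRIPT_NAME']);
        redirect('ettschoollogin.php');
    }
    // Logged in, but the stored access level does not match what the page requires.
    if ($requiredLevel !== null && ($_SESSION['accesslevel'] ?? '') !== $requiredLevel) {
        redirect('school_main.php');
    }
}

function complete_login(string $userid, string $school, string $access): void
{
    start_session_once();
    session_regenerate_id(true); // new session id at login, so a pre-login id cannot be reused
    $_SESSION['userid'] = $userid;
    $_SESSION['school'] = $school;
    $_SESSION['accesslevel'] = $access;
}
// No closing "?>" tag: a PHP-only file may omit it, so trailing whitespace is never output.
```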