
Hello:

I have a PHP application that has about 6 pages. I need to ensure that all the pages are accessible only after the user has logged in. For example, let me assume my pages are as follows:

Page1 : www.mysite.com/page1.php
Page2 : www.mysite.com/page2.php
Page3 : www.mysite.com/page3.php

I don't want a user to be able to cut and paste the URL for page 2 into a browser and be able to access it. Only if the user has logged in should he be able to access the pages. How can this be done? This app has a MySQL database. Thank you for the help.

asked 11/02/2011 11:39 by aej1973


5 Answers:
1) Create a login page that submits to a PHP script.
2) In this PHP script check if the login is correct; if so, start the session and set a session variable (e.g. $_SESSION['loggedin'] = 1).
3) Create a file called session.php. In this file start the session and check if the above-mentioned session variable is set. If not, clear all session data and redirect to the login page. If the variable is set, do nothing.
4) Include session.php as the first file in all scripts you want to protect.

 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
>> login.php:

<?php
// Demo credentials only; a real application checks them against the database.
if (isset($_POST['user'], $_POST['pass']) && $_POST['user'] === 'admin' && $_POST['pass'] === 'pass')
  {
  session_start();
  session_regenerate_id(true); // new session id after login, so a pre-login id cannot be reused (session fixation)
  $_SESSION['logged_in'] = 'yesweareloggedin';
  header('Location: page1.php'); // redirect to page after login
  exit;
  }

>> session.php:

<?php
// Must run before any output (not even whitespace), otherwise the redirect header cannot be sent.
session_start();
// isset() first: reading an unset index emits a notice, and that notice is output.
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== 'yesweareloggedin')
  {
  session_destroy();
  header('Location: login.php'); // redirect to login page
  exit;
  }

>> pageX.php:

<?php
require_once('session.php'); // first line of every protected page
// rest of code in this file

answered by pvlier

Hello pvlier, thank you for the code, it works well. I have a couple of questions:

1) When I try to access the page without logging in I get the following error instead of being directed to the login page, why is that?

Warning: Cannot modify header information - headers already sent by (output started at /hermes/bosweb/web021/b214/ipg.myxxxx/maxxxxxx/session.php:2) in /hermes/bosweb/web021/b214/ipg.myxxxx/maxxxxxx/session.php on line 7

2) How do I make sure the session has ended when the user has logged off?

My code is as follows:

//login.php

<?php
// This file is used to check if a username exists in the user table
include "connect.php";

if (isset($_POST['submit'])) {
    // Escape the user-supplied values before placing them in the query; the original
    // string concatenation used them raw, which is an SQL injection hole.
    // (The mysql_* extension was removed in PHP 7; mysqli or PDO prepared statements
    // are the replacement.) Note also that the password is stored and compared in
    // plaintext here; it should be stored as a hash.
    $user_name   = mysql_real_escape_string($_POST['user_name']);
    $user_passwd = mysql_real_escape_string($_POST['user_passwd']);
    $query = "SELECT user_name, user_passwd FROM user " .
             "WHERE user_name = '" . $user_name . "' " .
             "AND user_passwd = '" . $user_passwd . "'";
    $result = mysql_query($query)
        or die(mysql_error());

    if (mysql_num_rows($result) == 1) {
        @session_start();
        session_regenerate_id(true); // fresh session id after a successful login
        $_SESSION['logged_in'] = 'yesweareloggedin';
        header('Location: wo_page1.php'); // redirect to page after login
        exit;
    } //endif
    else {
        echo "Invalid username or password";
    } //end else
} //end if (isset($_POST['submit']))
?>

//session.php

<?php
@session_start();
if (!$_SESSION['logged_in']=='yesweareloggedin')
  {
  session_destroy();
  header('location: index.php'); // redirect to login page
  exit;
  }
 
 ?>
link

answered 11/02/11 09:50 AM

aej1973's gravatar image

aej1973

1) The client (browser) first needs to receive the headers and after that the actual HTML code. The redirect is done by sending a header to the browser telling it to go to another page. You have sent output to the browser before the redirect is sent. When you send output, PHP checks whether the headers have been sent to the browser; if not, they are sent automatically. So you're trying to send headers after HTML code has been sent, and that's wrong.

options:
- use output buffering so no data is sent to the browser before you need to.
- look at session.php line 2 and make sure that it doesn't output any data to the browser (best option!). Not sure why it does at the moment. I think it throws an error saying $_SESSION['logged_in'] does not exist. Try changing the line (32 in your example) to:

if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] != 'yesweareloggedin')

2) Sessions are deleted by default when the browser closes. If you need to clear it manually (logout button) then create a logout.php file containing:

 
1:
2:
3:
4:
5:
6:
<?php
@session_start();
$_SESSION = array(); // drop the session data held in memory
session_destroy();   // delete the session data stored on the server
header('Location: loggedout.php'); // redirect to 'you are logged out' page
exit;
?>

Of course it doesn't have to be a separate file. You could also point the logout button to "index.php?action=logout" and in index.php check if the variable $_GET['action'] exists and if it equals "logout". If so, run the code I've given.

answered 11/03/11 03:44 PM by pvlier
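Pulling the two answers above together (the login, guard file and require_once pattern from the first answer, and the logout and "headers already sent" points from the second), here is a hardened version of the same scheme as an added example. It is not code from this thread or from either poster. It assumes PHP 7.3 or later, a PDO connection in `$db` (whatever connect.php provides), and that `user.user_passwd` holds a `password_hash()` value rather than the plaintext the question's query compares against. The file name `auth.php`, the function names and the page names are assumptions made for illustration.

```php
<?php
// auth.php -- added example, not from the original thread.
// Assumed: PHP >= 7.3, a PDO handle in $db, and user.user_passwd storing password_hash() output.
declare(strict_types=1);

const LOGIN_PAGE   = 'login.php';   // assumed page names
const LANDING_PAGE = 'page1.php';
const LOGOUT_PAGE  = 'loggedout.php';

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie is not readable from JavaScript and is only sent over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Checks credentials with a prepared statement (user input never becomes part of
// the SQL text) and a constant-time hash comparison. Returns true on success and
// leaves the caller to redirect.
function login_user(PDO $db, string $userName, string $password): bool
{
    $stmt = $db->prepare('SELECT user_passwd FROM user WHERE user_name = :u');
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $storedHash = is_array($row) ? (string) $row['user_passwd'] : null;

    // Verify against a throwaway hash when the user is unknown, so response time
    // does not reveal whether the username exists.
    $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $storedHash ?? $dummyHash);
    if ($storedHash === null || !$ok) {
        return false;
    }

    start_secure_session();
    session_regenerate_id(true); // discard the pre-login id (session fixation)
    $_SESSION['logged_in'] = true;
    $_SESSION['user_name'] = $userName;
    return true;
}

// Put require_login() at the very top of every protected page, before any
// output (including a leading newline), or header() fails with "headers already sent".
function require_login(): void
{
    start_secure_session();
    if (($_SESSION['logged_in'] ?? false) !== true) {
        logout_user(LOGIN_PAGE);
    }
}

// Clears the server-side session, expires the client cookie and redirects.
function logout_user(string $redirectTo = LOGOUT_PAGE): void
{
    start_secure_session();
    $_SESSION = [];
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);
    session_destroy();
    header('Location: ' . $redirectTo);
    exit;
}

/* Usage on the individual pages (assumed file layout):
 *
 * login.php:
 *   require_once 'auth.php';
 *   if (isset($_POST['submit'])
 *       && login_user($db, $_POST['user_name'] ?? '', $_POST['user_passwd'] ?? '')) {
 *       header('Location: ' . LANDING_PAGE);
 *       exit;
 *   }
 *   echo 'Invalid username or password';
 *
 * page1.php (and every other protected page), first line:
 *   require_once 'auth.php'; require_login();
 *
 * logout.php:
 *   require_once 'auth.php'; logout_user();
 */
```

The guard checks `=== true` on a value the application itself sets, so a missing index, an empty string or a stale value all fall through to the logout branch instead of silently passing as they can with a loose `!$_SESSION[...] == ...` comparison. The logout expires the cookie as well as destroying the session, so the browser does not keep presenting a dead session id.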

Thank you.
answered 11/04/11 06:48 AM by aej1973

Last updated: 11/04/2011 05:36