Restricting access to PHP pages

I am building (or trying to!) a password restricted site where different user-levels see different content.

I am using the code attached below to start the session, login and display the relevant pages according to the user's status.

The problem is that none of the pages are restricted so for example if a member logs in they are shown the links...'Change Password', 'Log out', and 'Admin'

But non members can still see these pages if they navigate directly to the URL.

It seems as if the code below only displays links according to user level but does not offer any restrictions to those pages.

How would I add this? It would simply need to be a function that redirects users to a login page if they are not logged in.





<div id="AdminMenu">

<?php # Script 16.1 - header.html
// This page begins the HTML header for the site.

// Start output buffering:
ob_start();

// Initialize a session:
session_start();

// Display links based upon the login status:
if (isset($_SESSION['user_id'])) {

	echo 'Welcome';

	if (isset($_SESSION['first_name'])) {
		echo ", {$_SESSION['first_name']}!&nbsp;";
	}

	echo '<a href="logout.php" title="Logout">Logout</a>&nbsp;
<a href="change_password.php" title="Change Password">Change Password</a>
';

	// Add links if the user is an administrator:
	if ($_SESSION['user_level'] == 1) {
		echo '<a href="admin/test.php" title="Admin">Admin</a>&nbsp;
';
	}

} else { // Not logged in.

	echo '<a href="joinanjoman.php" title="Join Anjoman">Join</a>&nbsp;
<a href="login.php" title="Login">Login</a><br />
';

}

?>

</div>


BrighteyesDesign Asked:

Hugh McCurdy Commented:
Put the restrictions on each page you want protected.
0
Hugh McCurdy Commented:
What I suggest is you create a script which is included with include_once or require_once.  Include it near the beginning of your page.  That script verifies authentication.  If accepted, just load the page normally.  If not, I use header() to redirect the user to the login page.

Do you need help with how header() works?
0

Gary Coltharp, Sr. Systems Engineer, Commented:
How are you keeping track of your users? Are you using a database connection of some sort?

PHP is server side so you can query the logged in user against the database and display links based on the return.

Hope this helps.
0

Marco Gasi, Freelancer, Commented:
Yes. You could enclose the check code within a script and require it in every page that needs to have restricted access:

 
<?php
//login.php
if (isset($_SESSION['user_id'])) {

	echo 'Welcome';

	if (isset($_SESSION['first_name'])) {
		echo ", {$_SESSION['first_name']}!&nbsp;";
	}

	echo '<a href="logout.php" title="Logout">Logout</a>&nbsp;
<a href="change_password.php" title="Change Password">Change Password</a>
';

	// Add links if the user is an administrator:
	if ($_SESSION['user_level'] == 1) {
		echo '<a href="admin/test.php" title="Admin">Admin</a>&nbsp;
';
	}

} else { // Not logged in.

	echo '<a href="joinanjoman.php" title="Join Anjoman">Join</a>&nbsp;
<a href="login.php" title="Login">Login</a><br />
';

}



and then write your file this way:
<div id="AdminMenu">

<?php # Script 16.1 - header.html
// This page begins the HTML header for the site.

// Start output buffering:
ob_start();

// Initialize a session:
session_start();

require("login.php");
?>



I also suggest reading this good article by Ray Paseur: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html?sfQueryTermInfo=1+10+30+40+login

Cheers
0
Ray Paseur Commented:
The general design pattern is shown in this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

It has only one level of control: thumbs up or thumbs down.  However you could add an additional field to the user's record and use that field to provide a multi-layer security check.  You would modify the access_control() function to do this.
0
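The include-and-redirect check Hugh McCurdy describes, combined with the extra user-level check Ray Paseur mentions, as an added example that is not part of the thread or of the linked article. The file name auth_guard.php and the functions require_login() and require_level() are hypothetical; the session keys and the meaning of user_level 1 are taken from the question's script.

```php
<?php
// auth_guard.php - hypothetical include file (added example, not from the thread).
// Assumes the login script sets $_SESSION['user_id'] and $_SESSION['user_level']
// as in the question's header script, where user_level 1 means administrator.

// Start the session only if the including page has not already done so.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Redirect anonymous visitors to the login page and stop the script.
 */
function require_login(string $loginUrl = 'login.php'): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        // Without exit the rest of the protected page would still execute
        // and be sent to any client that ignores the redirect.
        exit;
    }
}

/**
 * Require a logged-in user whose level matches $level exactly.
 */
function require_level(int $level, string $loginUrl = 'login.php'): void
{
    require_login($loginUrl);
    if ((int) ($_SESSION['user_level'] ?? -1) !== $level) {
        // Logged in but not authorized: refuse instead of redirecting.
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the very top of a protected page, before any output:
//   change_password.php:  require_once 'auth_guard.php'; require_login();
//   admin/test.php:       require_once __DIR__ . '/../auth_guard.php';
//                         require_level(1, '../login.php');
```

The check runs on the server for every request to the page, so hiding or showing the menu links no longer decides who can reach it.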
maeltar Commented:
Ensure your

session_start();


is at the very beginning of the page, no white space at all for it to be effective.
0
BrighteyesDesign (Author) Commented:
Thanks all, I'll look at this tomorrow and let you know how I get on!
0
BrighteyesDesign (Author) Commented:
Thanks, all helped get closer to the solution!
0