
building in some security...

aej1973 asked:
Hello:

I have a PHP application that has about 6 pages. I need to ensure that all the pages are accessible only after the user has logged in. For example, let me assume my pages are as follows:

Page1 : www.mysite.com/page1.php 
Page2 : www.mysite.com/page2.php 
Page3 : www.mysite.com/page3.php 

I don't want a user to be able to cut and paste the URL for page 2 into a browser and be able to access it. Only if the user has logged in should he be able to access the pages. How can this be done? This app has a MySQL database. Thank you for the help.


Commented:
1) Create a login page that submits to a PHP script.
2) In this PHP script check if the login is correct; if so, start the session and set a session variable (e.g. $_SESSION['loggedin'] = 1).
3) Create a file called session.php. In this file start the session and check if the above-mentioned session variable is set. If not, clear all session data and redirect to the login page. If the variable is set, do nothing.
4) Include session.php as the first file in all scripts you want to protect.

 
>> login.php:

<?php
if (isset($_POST['user'], $_POST['pass'])
    && $_POST['user'] == 'admin' && $_POST['pass'] == 'pass')
  {
  @session_start();
  $_SESSION['logged_in'] = 'yesweareloggedin';
  header('location: page1.php'); // redirect to page after login
  exit;
  }

>> session.php:

<?php
@session_start();
// check with isset() first (no notice, so no output before the header),
// then compare the value; '!' binds tighter than '==', so the negation
// has to go around the whole comparison
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] != 'yesweareloggedin')
  {
  session_destroy();
  header('location: login.php'); // redirect to login page
  exit;
  }

>> pageX.php:

<?php
require_once('session.php');
// rest of code in this file

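The four steps above, carried through as one added example (not the answer's own code): a single auth.php that starts the session with hardened cookie flags, verifies the login against a stored password hash with a prepared statement, regenerates the session id after login, and exposes the guard that every protected page includes first. It assumes connect.php creates a PDO connection in $pdo and that the user table has a password_hash column holding password_hash() output; both are assumptions, the thread's table stores the password in user_passwd.

```php
<?php
// auth.php -- added example, not code from the thread.
// Assumes: connect.php defines $pdo (PDO); table `user` has columns
// user_name and password_hash (the hash column is an assumption).
declare(strict_types=1);

// Start the session once, with cookie flags that keep the id out of
// script reach and off plain HTTP. Array form needs PHP 7.3+.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'httponly' => true,    // JavaScript cannot read the session cookie
        'secure'   => $https,  // only sent over TLS when the site uses it
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Step 2: check the credentials and mark the session as logged in.
function login_user(PDO $pdo, string $user, string $pass): bool
{
    // Prepared statement: the username is bound as data, never spliced
    // into the SQL text, so quotes in it cannot change the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM user WHERE user_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against a password_hash() value in
    // constant time; a missing user and a wrong password look the same.
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return false;
    }

    start_secure_session();
    session_regenerate_id(true);   // fresh id after login: defeats session fixation
    $_SESSION['logged_in'] = true;
    $_SESSION['user_name'] = $user;
    return true;
}

// Step 3: the guard. Call it before any output on every protected page.
function require_login(string $login_page = 'login.php'): void
{
    start_secure_session();
    // isset() first, so an unset key raises no notice (a notice is output,
    // and output before header() is exactly the "headers already sent" error).
    // Strict comparison, and the negation wraps the whole expression.
    if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_page);
        exit;
    }
}
```

Usage follows the answer's layout: the login form handler does `require_once 'connect.php'; require_once 'auth.php';` and on `login_user($pdo, $_POST['user_name'] ?? '', $_POST['user_passwd'] ?? '')` returning true redirects with `header('Location: page1.php'); exit;`; each of page1.php, page2.php and so on starts with `require_once 'auth.php'; require_login();` as its very first statement, before any HTML or even a blank line, which is what step 4 means.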

Marco Gasi (Freelancer) commented:
Author commented:
Hello Pviler, thank you for the code, it works well. I have a couple of questions:

1) When I try to access the page without logging in I get the following error instead of being directed to the login page. Why is that?

Warning: Cannot modify header information - headers already sent by (output started at /hermes/bosweb/web021/b214/ipg.myxxxx/maxxxxxx/session.php:2) in /hermes/bosweb/web021/b214/ipg.myxxxx/maxxxxxx/session.php on line 7

2) How do I make sure the session has ended when the user has logged off?

My code is as follows:


//login.php

<?php
//This file is used to check if a username exists in the user table
include "connect.php";

if (isset($_POST['submit'])) {
    // escape the submitted values so quotes in them cannot alter the query
    $user_name   = mysql_real_escape_string($_POST['user_name']);
    $user_passwd = mysql_real_escape_string($_POST['user_passwd']);

    $query = "SELECT user_name, user_passwd FROM user " .
             "WHERE user_name = '" . $user_name . "' " .
             "AND user_passwd = '" . $user_passwd . "'";
    $result = mysql_query($query)
        or die(mysql_error());

    if (mysql_num_rows($result) == 1) {
        @session_start();
        $_SESSION['logged_in'] = 'yesweareloggedin';
        header('location: wo_page1.php'); // redirect to page after login
        exit;
    } //endif
    else {
        echo "Invalid username or password";
    } //end else
} //end if (isset($_POST['submit']))
?>

//session.php

<?php
@session_start();
if (!$_SESSION['logged_in']=='yesweareloggedin')
  {
  session_destroy();
  header('location: index.php'); // redirect to login page
  exit;
  }
?>


Commented:
1) The client (browser) first needs to receive the headers and after that the actual HTML code. The redirect is done by sending a header to the browser telling it to go to another page. You have sent output to the browser before the redirect is sent. When you send output, PHP checks if the headers have been sent to the browser; if not, they are sent automatically. So you're trying to send headers after HTML code has been sent; that's wrong.

Options:
- Use output buffering so no data is sent to the browser before you need to.
- Look at session.php line 2 and make sure that it doesn't output any data to the browser (best option!). Not sure why it does at the moment. I think it throws an error saying $_SESSION['logged_in'] does not exist. Try changing the line (32 in your example) to:

if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] != 'yesweareloggedin')

2) Sessions are deleted by default when the browser closes. If you need to clear manually (logout button) then create a logout.php file containing:

 
<?php
@session_start();
$_SESSION = array();   // clear the session data held for this request
session_destroy();     // remove the session record on the server
header('location: loggedoud.php'); // redirect to 'you are logged out' page
exit;
?>



Of course it doesn't have to be a separate file. You could also redirect the login button to "index.php?action=logout" and in index.php check if the variable $_GET['action'] exists and if it equals "logout". If so, run the code I've given.
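Both points of this answer in one added example that is not the answer's own code: the output buffering option from 1), and a logout that tears the session down completely (server-side record, in-memory data and the browser cookie) behind the "index.php?action=logout" dispatch from 2). The landing page name loggedout.php is an assumption.

```php
<?php
// index.php -- added example, not code from the thread.
// Assumes a landing page named loggedout.php (assumption).

// Option from 1): buffer all output, so that a header() issued later in the
// script still arrives before any HTML that was already echoed. The buffer
// is flushed automatically when the script ends or calls exit.
ob_start();

// Full logout: session_destroy() alone leaves $_SESSION populated for the
// rest of this request and leaves the id cookie in the browser. Expiring
// the cookie means an old id cannot be replayed against a new session file.
function logout_user(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                      // drop the data held for this request

    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // expire the cookie with the same attributes it was set with,
        // otherwise the browser treats it as a different cookie
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    session_destroy();                   // remove the server-side record
}

// Dispatch from 2): index.php?action=logout. Strict comparison, so only
// the literal string "logout" matches (a loose == would let "0" or an
// empty value compare in surprising ways).
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    logout_user();
    header('Location: loggedout.php');   // redirect to the 'you are logged out' page
    exit;
}

// ... normal index.php content (login form) follows here ...
```

One design note: a logout reachable by a plain GET link can be triggered by any page that embeds that URL, which logs the user out without their intent; a POST form with a per-session token is the more robust shape, kept as GET here only to match the layout the answer describes.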

Author commented:
Thank you.
