aej1973
asked on
building in some security...
Hello:
I have a PHP application that has about 6 pages. I need to ensure that all the pages are accessible only after the user has logged in. For example, let me assume my pages are as follows:
Page1 : www.mysite.com/page1.php
Page2 : www.mysite.com/page2.php
Page3 : www.mysite.com/page3.php
I don't want a user to be able to cut and paste the URL for page 2 into a browser and be able to access it. Only if the user has logged in should he be able to access the pages. How can this be done? This app has a MySQL database. Thank you for the help.
ASKER
Hello Pviler, thank you for the code, it works well. I have a couple of questions:
1) When I try to access the page without logging in I get the following error instead of being directed to the login page, why is that?
Warning: Cannot modify header information - headers already sent by (output started at /hermes/bosweb/web021/b214/ipg.myxxxx/maxxxxxx/session.php:2) in /hermes/bosweb/web021/b214/ipg.myxxxx/maxxxxxx/session.php on line 7
2) How do I make sure the session has ended when the user has logged off?
My code is as follows:
//login.php
<?php
// Checks whether the submitted username/password pair exists in the user table
include "connect.php";
if (isset($_POST['submit'])) {
    // Escape the submitted values so they cannot change the meaning of the SQL statement
    $user   = mysql_real_escape_string($_POST['user_name']);
    $passwd = mysql_real_escape_string($_POST['user_passwd']);
    $query = "SELECT user_name, user_passwd FROM user " .
             "WHERE user_name = '" . $user . "' " .
             "AND user_passwd = '" . $passwd . "'";
    $result = mysql_query($query)
        or die(mysql_error());
    if (mysql_num_rows($result) == 1) {
        // Credentials matched: start the session and mark the user as logged in
        session_start();
        $_SESSION['logged_in'] = 'yesweareloggedin';
        header('Location: wo_page1.php'); // redirect to page after login
        exit;
    } else {
        echo "Invalid username or password";
    }
} // end if (isset($_POST['submit']))
?>
//session.php
<?php
// Nothing (not even a blank line, a BOM or a comment) may come before "<?php",
// otherwise it is sent as output and the header() call below fails with
// "headers already sent". The closing "?>" tag is omitted for the same reason.
session_start();
// The original "!$_SESSION['logged_in'] == '...'" negated the variable before
// comparing it; test for the marker explicitly instead.
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== 'yesweareloggedin') {
    // Not logged in: clear the session and send the user to the login page
    $_SESSION = array();
    session_destroy();
    header('Location: index.php'); // redirect to login page
    exit;
}
ASKER CERTIFIED SOLUTION
ASKER
Thank you.
2) In this PHP script check if the login is correct; if so, start sessions and set a session variable (e.g. $_SESSION['loggedin'] = 1).
3) Create a file called sessions.php. In this file start sessions, and check if the above-mentioned session variable is set. If not, then clear all session data and redirect to the login page. If the variable is set, do nothing.
4) Include session.php as the first file in all scripts you want to protect.
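The following is an added example that puts the steps above, and the asker's login.php/session.php, into a single auth.php that every protected page includes on its first line. It is not code from the thread. It assumes a connected mysqli object ($mysqli, from a hypothetical connect.php) and that user.user_passwd stores a password_hash() value rather than plaintext. Three points it shows that the asker's code ran into: the logged-in check uses an explicit isset comparison rather than !$a == $b, session_start() and header() run before anything is output (no text before "<?php", no closing "?>"), and logout clears both the server-side session and the session cookie.

```php
<?php
// auth.php (added example, not the thread's own code)
// Assumptions: $mysqli is a live mysqli connection created by connect.php
// (hypothetical), and user.user_passwd holds a password_hash() result.
declare(strict_types=1);

const LOGIN_PAGE = 'index.php';

// Start the session exactly once. Must run before any output is sent,
// otherwise header() below fails with "headers already sent".
function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// Step 2: verify the credentials with a prepared statement (no string
// concatenation of user input into SQL) and mark the session as logged in.
function attempt_login(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT user_passwd FROM user WHERE user_name = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $hash = null;
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || !password_verify($pass, $hash)) {
        return false; // unknown user or wrong password: same answer for both
    }
    start_session();
    session_regenerate_id(true); // fresh session id once privileges change
    $_SESSION['logged_in'] = true;
    $_SESSION['user_name'] = $user;
    return true;
}

// Step 3: explicit check of the marker; avoids the "!$a == $b" precedence trap.
function is_logged_in(): bool
{
    start_session();
    return isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true;
}

// Step 4: call this as the first statement of every protected page.
function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: ' . LOGIN_PAGE);
        exit;
    }
}

// Logout: drop the session data, expire the cookie, destroy the session file.
function logout(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . LOGIN_PAGE);
    exit;
}

// Usage in a protected page, e.g. page1.php (first line, nothing before "<?php"):
//   <?php require 'auth.php'; require_login(); ?>
// Usage in login.php after the form is posted:
//   require 'connect.php'; require 'auth.php';
//   if (attempt_login($mysqli, $_POST['user_name'], $_POST['user_passwd'])) {
//       header('Location: page1.php'); exit;
//   }
//   echo 'Invalid username or password';
// Usage in logout.php:
//   require 'auth.php'; logout();
```

The file deliberately has no closing "?>" tag: a stray newline after it would be sent as output by every page that includes it and reproduce the "headers already sent" warning from the asker's second question.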