aej1973
building in some security...

Hello:

I have a PHP application that has about 6 pages. I need to ensure that all the pages are accessible only after the user has logged in. For example, let me assume my pages are as follows:

Page1 : www.mysite.com/page1.php 
Page2 : www.mysite.com/page2.php 
Page3 : www.mysite.com/page3.php 

I don't want a user to be able to cut and paste the URL for page 2 into a browser and be able to access it. Only if the user has logged in should he be able to access the pages. How can this be done? This app has a MySQL database. Thank you for the help.

pvlier

1) Create a login page that submits to a PHP script.
2) In this PHP script check if the login is correct; if so, start the session and set a session variable (e.g. $_SESSION['loggedin'] = 1).
3) Create a file called session.php. In this file start the session and check if the above-mentioned session variable is set. If not, clear all session data and redirect to the login page. If the variable is set, do nothing.
4) Include session.php as the first file in all scripts you want to protect.

>> login.php:

<?php
// Nothing (not even whitespace) may be output before session_start() and header().
if (isset($_POST['user'], $_POST['pass']) && $_POST['user'] === 'admin' && $_POST['pass'] === 'pass')
  {
  @session_start();
  $_SESSION['logged_in'] = 'yesweareloggedin';
  header('Location: page1.php'); // redirect to page after login
  exit;
  }

>> session.php:

<?php
@session_start();
// isset() first: the session index does not exist when nobody is logged in,
// and the value must be compared after the check, not negated before it.
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== 'yesweareloggedin')
  {
  session_destroy();
  header('Location: login.php'); // redirect to login page
  exit;
  }

>> pageX.php:

<?php
require_once('session.php'); // must be the first statement, before any output
// rest of code in this file


aej1973

ASKER

Hello pvlier, thank you for the code, it works well. I have a couple of questions:

1) When I try to access the page without logging in I get the following error instead of being directed to the login page, why is that?

Warning: Cannot modify header information - headers already sent by (output started at /hermes/bosweb/web021/b214/ipg.myxxxx/maxxxxxx/session.php:2) in /hermes/bosweb/web021/b214/ipg.myxxxx/maxxxxxx/session.php on line 7

2) How do I make sure the session has ended when the user has logged off?

My code is as follows:


//login.php

<?php
//This file is used to check if a username exists in the user table
include "connect.php";

if (isset($_POST['submit'])) {
  // Escape the submitted values so they cannot change the SQL statement
  $user_name   = mysql_real_escape_string($_POST['user_name']);
  $user_passwd = mysql_real_escape_string($_POST['user_passwd']);
  $query = "SELECT user_name, user_passwd FROM user " .
           "WHERE user_name = '" . $user_name . "' " .
           "AND user_passwd = '" . $user_passwd . "'";
  $result = mysql_query($query)
    or die(mysql_error());

  if (mysql_num_rows($result) == 1) {
    @session_start();
    $_SESSION['logged_in'] = 'yesweareloggedin';
    header('Location: wo_page1.php'); // redirect to page after login
    exit;
  } //endif
  else {
    echo "Invalid username or password";
  } //end else
} //end if (isset($_POST['submit']))
?>

//session.php

<?php
@session_start();
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== 'yesweareloggedin')
  {
  session_destroy();
  header('Location: index.php'); // redirect to login page
  exit;
  }
// No closing ?> tag: any whitespace after it would be sent as output
// before the redirect header.

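A complete version of the scheme pvlier describes (login script, guard file, protected pages), extended with a logout script, which covers both follow-up questions: why the redirect fails with "headers already sent" and how to make sure the session has really ended. This is an added example for the thread, not code from either poster or from the accepted solution. It assumes PHP 7.3 or later, a site served over HTTPS, a connect.php that provides a mysqli connection in $db (the thread's connect.php uses the mysql_* functions, so it would need updating), and that the user_passwd column holds password_hash() output rather than a plaintext password. The file names auth.php and logout.php, the helper function names and the session key user_name are this example's own choices; user, user_name, user_passwd, wo_page1.php and index.php come from the thread.

```php
<?php
// Added example (not code from the thread or the accepted solution).
// Each "====" section is a separate file whose very first byte is "<?php":
// any whitespace or BOM before it is sent to the browser and makes header()
// fail with "headers already sent", the warning quoted above.
// Assumptions: PHP 7.3+, HTTPS, connect.php provides a mysqli connection in
// $db, and user.user_passwd holds password_hash() output.

// ==== auth.php: shared helpers ====
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS (assumption: site uses HTTPS)
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call as the first statement of every protected page.
function require_login(string $loginPage = 'index.php'): void
{
    start_secure_session();
    // isset() plus a strict test; "!$_SESSION['x']=='value'" would negate the
    // value before comparing and read an undefined index when logged out.
    if (!isset($_SESSION['user_name'])) {
        end_session();
        header('Location: ' . $loginPage, true, 303);
        exit;
    }
}

// Drop the server-side data and expire the cookie, so the session is really over.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// ==== login.php ====
require_once 'auth.php';
require_once 'connect.php';   // from the thread; assumed to define mysqli $db
start_secure_session();

if (isset($_POST['submit'])) {
    $user = (string)($_POST['user_name'] ?? '');
    $pass = (string)($_POST['user_passwd'] ?? '');

    // Prepared statement: the submitted name is bound as data, never spliced
    // into the SQL text, so it cannot alter the query.
    $stmt = $db->prepare('SELECT user_name, user_passwd FROM user WHERE user_name = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    if ($row) {
        $ok = password_verify($pass, $row['user_passwd']);
    } else {
        // Unknown user: still spend one hash computation so the response time
        // does not reveal which usernames exist.
        password_hash($pass, PASSWORD_DEFAULT);
        $ok = false;
    }

    if ($ok) {
        session_regenerate_id(true);        // fresh id on login: defeats session fixation
        $_SESSION['user_name'] = $row['user_name'];
        header('Location: wo_page1.php', true, 303);
        exit;
    }
    echo 'Invalid username or password';   // one message for both failure cases
}

// ==== logout.php ====
require_once 'auth.php';
start_secure_session();
end_session();
header('Location: index.php', true, 303);
exit;

// ==== wo_page1.php and every other protected page ====
require_once 'auth.php';
require_login();
// ... rest of the page
```

Passwords already stored in plaintext have to be rehashed once with password_hash() before this login script will accept them. The 303 status on the redirects is deliberate: it tells the browser to fetch the target with GET, so a re-POST of the login form is never triggered by a reload.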

ASKER CERTIFIED SOLUTION
pvlier
aej1973

ASKER

Thank you.