Solved

Password protect link & webpage

Posted on 2012-03-29
Last Modified: 2012-04-02
Hello Experts,

How can I protect a link on a webpage from non-registered users? Actually, if a user clicks on "video 3", then he's redirected to the login / signup page. The problem is that once he's logged in, he's not redirected back to where he was (access to video 3 granted).

The whole website is in HTML/CSS and only the signup, customer profile and cart are in PHP.

How can I do that?

Thanks
0
Question by:currentdb
 
LVL 6

Expert Comment

by:ingriT
ID: 37785875
With the use of your .htaccess file? If you're not using Server Side Scripting (PHP) on these pages, you need to use webserver security.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37785885
Hi ingriT,

I Googled a lot on the internet on how to use the .htaccess file and I'm still lost in how to use it this way.

How do I use webserver security? Is it hard to configure?

Thanks for your patience.
0
 
LVL 6

Expert Comment

by:ingriT
ID: 37785890
It's not hard to configure, but your users need an account on your webserver, and not in your application code. So usually this is not the easiest solution.

Why can't you use PHP on the video page?
0
 
LVL 1

Author Comment

by:currentdb
ID: 37785906
Users do have an account on the webserver. These users are stored in a mysql database. If a new user signs up with a new account, he's automatically added to this database.

I tried to use PHP on the video page, but it ended in a nightmare as most of the page coding depends on CSS styles :(

If you wish, I can post the html/css code of this webpage so you can take a look.
0
 
LVL 6

Expert Comment

by:ingriT
ID: 37785926
If users have an account in your mysql database, they do not have an account "in" your webserver (they are not present in your .htaccess file I mean), so this is not really the same.

Don't you have a function in your PHP code that just checks if the user is logged in? And if not logged in -> redirect to login/signup page?

Then you don't need to mess around in your video page html/css.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37785948
>>Don't you have a function in your PHP code that just checks if the user is logged in? And if not logged in -> redirect to login/signup page?

Usually when the user enters the website, he can log in to check his profile, address and so on. On the video page, the only link I added was to redirect the user to the login page first, but from there, I was not able to figure out a way to redirect him back... and to answer your question, there is no function in the PHP code for this.
0
 
LVL 6

Expert Comment

by:ingriT
ID: 37785954
You can redirect the user to the login page with something like this:
http_redirect("login.php", array("redirurl" => "video.php"));

Then on the login.php page, there will be a querystring parameter called "redirurl" with the value "video.php".
After a successful login, you can redirect the user to the normal profile page that you described, or redirect them to the page that is in the querystring (being "video.php").
0
 
LVL 1

Author Comment

by:currentdb
ID: 37785981
Ok, but where in the login page can I add your code? Because the login.phtml is not a short page.
0

 
LVL 6

Expert Comment

by:ingriT
ID: 37785983
You should add it after the login check I think. I don't know your code, you should know best where to put it.
0
 
LVL 1

Author Comment

by:currentdb
ID: 37785989
I don't know where either as it is not my code.

If you can help me locate where I should add this line, it would be great. Here's the entire code so far:

<!-- login box on signup page widget -->
<?php if (!Am_Di::getInstance()->auth->getUserId()) : ?>
<div class="am-login-text"><?php __e("If you already have an account on our website, please %slogin%s to continue",
        '<a href="javascript:" id="show-login-box-on-signup">', '</a>') ?></div>
<div class="am-signup-login-form-container" style="display:none">
    <div style="font-size: xx-small; text-align: right; width: 100%;">
        <a href="javascript:" id="hide-login-box-on-signup">
            <img src="<?php echo $this->_scriptImg('modal-close.png') ?>" alt="<?php __e('Close') ?>" title="<?php __e('Close') ?>"/>
        </a>
    </div>
    <br />
    <div class="am-layout-two-coll">
        <div class="am-layout-two-coll-top"></div>
        <div class="am-coll-left">
            <div class="am-coll-content">

                <div class="am-form am-login-form am-signup-login-form">
                    <form name="login" method="post" action="<?php echo REL_ROOT_URL?>/login">
                        <fieldset>
                            <legend>&nbsp;&nbsp;<?php __e('Member Login') ?></legend>
                            <div class="row">
                                <div class="element-title">
                                    <label class="element-title" for="login"><?php __e('E-Mail Address or Username') ?></label>
                                </div>
                                <div class="element">
                                    <input type="text" id="login" name="amember_login" size="15" value="<?php p(@$_REQUEST['amember_login']) ?>" />
                                </div>
                            </div>
                            <div class="row">
                                <div class="element-title">
                                    <label class="element-title" for="pass"><?php __e('Password') ?></label>
                                </div>
                                <div class="element">
                                    <input type="password" id="pass" name="amember_pass" size="15" />
                                </div>
                            </div>
                            <div class="row">
                                <div class="element-title"></div>
                                <div class="element" style="vertical-align: baseline">
                                    <input type="submit" value="&nbsp;&nbsp;&nbsp;<?php __e('Login') ?>&nbsp;&nbsp;&nbsp;" />
                                </div>
                            </div>
                        </fieldset>
                        <input type="hidden" name="login_attempt_id" value="<?php print time()?>" />
                        <input type="hidden" name="amember_redirect_url" value="<?php p($_SERVER['REQUEST_URI']) ?>" />
                    </form>
                </div>
            </div>
        </div>
        <div class="am-coll-right">
            <div class="am-coll-content">
                <div class="am-form am-sendpass-form">
                    <form name="sendpass" method="post" action="<?php echo REL_ROOT_URL ?>/sendpass">
                        <fieldset>
                            <legend>&nbsp;&nbsp;<?php __e('Lost password') ?></legend>
                            <div class="row">
                                <div class="element-title">
                                    <label class="element-title" for="sendpass"><?php __e('Enter your <b>E-Mail Address</b> or <b>Username</b>') ?></label>
                                </div>
                                <div class="element"><input type="text" name="login" id="sendpass" size="15" /></div>
                            </div>
                            <div class="row">
                                <div class="element-title"></div>
                                <div class="element">
                                    <input type="submit" value="<?php __e('Get Password') ?>" />
                                </div>
                            </div>
                        </fieldset>
                    </form>
                </div>
            </div>
        </div>
        <div class="am-layout-two-coll-bottom"></div>
    </div>
</div>

<script type="text/javascript">
    jQuery(document).ready(function($) {
        $("#show-login-box-on-signup").click(function(){
            $("body").append("<div id='mask'></div>");
            $(".am-signup-login-form-container").show(100);
        });
        $("#hide-login-box-on-signup").click(function(){
            $("#mask").remove();
            $(".am-signup-login-form-container").hide(100);
        });
        $(".am-signup-login-form form").amAjaxLoginForm({
            success: function() { window.location.reload(true); }
        });// from user.js
    });
</script>
<?php else: // if logged-in ?>
<div class="am-login-text">
        <?php __e("You are logged-in as %s. %sLogout%s to signup as new user.",
                "<strong>". Am_Di::getInstance()->auth->getUsername() . "</strong>",
                "<a href='".REL_ROOT_URL."/logout?amember_redirect_url=".urlencode($_SERVER['REQUEST_URI'])."'>",
                "</a>"
        ); ?>
</div>
<?php endif // if not logged-in ?>
<!-- login box on signup page widget end -->

0
 
LVL 6

Assisted Solution

by:ingriT
ingriT earned 100 total points
ID: 37786010
Something like this;

<?php else: // if logged-in ?>
<?php
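// Only the one known target is accepted; isset() avoids a notice when the parameter is absent
if (isset($_GET["redirurl"]) && $_GET["redirurl"] === "video.php")
{
    http_redirect("video.php");
}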
?>
<div class="am-login-text">
        <?php __e("You are logged-in as %s. %sLogout%s to signup as new user.",
                "<strong>". Am_Di::getInstance()->auth->getUsername() . "</strong>",
                "<a href='".REL_ROOT_URL."/logout?amember_redirect_url=".urlencode($_SERVER['REQUEST_URI'])."'>",
                "</a>"
        ); ?>
</div>
<?php endif // if not logged-in ?>

0
 
LVL 1

Author Comment

by:currentdb
ID: 37786046
Looks like it does not work. I signed in, but I was redirected to the member's area, not to the page where I wanted to go. I re-checked the entire code and there is no reference of any redirection to a different url. I'm puzzled here :(
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 400 total points
ID: 37793131
This article shows the design pattern you want to use.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

If you read that over you will see that the initial entry point is stored in the PHP session.  See the code snippet for RAY_EE_config at line 44.  

After authentication, this information in the session is used to redirect the client browser back to the entry page.  See the code snippet for RAY_EE_login at line 34-44.

Please read the article and code snippets, then post back here if you still have questions about how it works.  Best, ~Ray
0
 
LVL 1

Author Comment

by:currentdb
ID: 37794490
Hi Ray_Paseur,

Your article was very interesting to read and all explanations are very clear too.

What I did was to add the line
access_control();

to the page I wanted to protect. I added this line to the very top of the page. After updating the page on the server, I was hoping that it would work, but I am still back to my problem.

What I don't understand is that the client bought the aMember software which uses an already set-up database with everything. This client was not able to modify what he wanted, so I came in. It's just been a week and I struggled back and forth to understand how this software worked. I also contacted technical support to get some answers, but these answers were not really clear.

So on this webpage, I wanted to access a restricted page, and the link worked because it directed me to the log in page. Once I was logged in, instead of being redirected to the page I wanted, I was redirected to some "Member area". I had to review the entire code, but still I don't understand what does not work here. Your code seems easy, but something clearly is not working here.

If you have an idea how I can solve this, I would be grateful.

Thanks.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 400 total points
ID: 37796056
I don't know what more I can tell you.  This is drop-dead simple in a correctly designed authentication system.  The initial point of entry is found inside the access_control() function on this line (line 44) and it is stored in the session array.
$_SESSION["entry_uri"] = $_SERVER["REQUEST_URI"];

After authentication, the client browser is redirected to the initial point of entry by the login.php script here (lines 34-44)
// REDIRECT TO THE ENTRY PAGE OR TO THE HOME PAGE
if (isset($_SESSION["entry_uri"]))
{
    header("Location: {$_SESSION["entry_uri"]}");
    exit;
}
else
{
    header("Location: /");
    exit;
}

Here is what I would probably do if I were facing your challenge.  Get a code scanner and look for every instance of the word "header" since that can be one way to redirect the browser.  Look also for the word "refresh" because that can be used in the HTML stream, something like <meta http-equiv="refresh" content="0; url=http://example.com/">.  You will probably find one or the other of those pointing to the member area.  Change it to point to the location of the initial entry.
0
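
The session-based return described in this answer, as an added example (not code from the article or from aMember): the target is checked before it reaches the `Location` header, so only a path on the same site is ever followed. The helper names, the `user_id` session key and the `redirurl` fallback are assumptions, and `session_start()` is assumed to have been called already.

```php
<?php
// Added example: helper names and the 'user_id' session key are assumptions,
// not part of aMember or of the article's code.

// Return $candidate only if it is a path on this site, otherwise $default.
function safe_local_path($candidate, $default = '/')
{
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    // No control characters (header splitting) and no backslashes
    // (some browsers read "\" as "/").
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $default;
    }
    // Exactly one leading "/": rules out "http://host/", "//host/" and "video.php".
    if ($candidate[0] !== '/' || substr($candidate, 0, 2) === '//') {
        return $default;
    }
    return $candidate;
}

// Call from the login script once the credentials have been verified.
function redirect_after_login($userId)
{
    session_regenerate_id(true);          // fresh session id for the logged-in user
    $_SESSION['user_id'] = $userId;

    // Prefer the entry point stored server-side; fall back to a "redirurl"
    // query parameter. Both pass through the same check.
    if (isset($_SESSION['entry_uri'])) {
        $wanted = $_SESSION['entry_uri'];
    } elseif (isset($_GET['redirurl'])) {
        $wanted = $_GET['redirurl'];
    } else {
        $wanted = null;
    }
    unset($_SESSION['entry_uri']);        // use the stored target once

    header('Location: ' . safe_local_path($wanted));
    exit;
}
```

With this check a relative target such as `video.php` or an absolute one such as `http://yoursite.com/fable4.html` falls back to the default, so links would pass `/video.php` or `/fable4.html` instead.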
 
LVL 1

Author Comment

by:currentdb
ID: 37799529
Hi Ray_Paseur,

Your explanation makes sense. While I was scanning the entire code, I had an idea, so I made some smaller changes to the redirection link.

Before it was like this:
http://yoursite.com/amember/login?_amember_redirect_url=http://yoursite.com/fable4.html

And changed it to:
http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.html

Now when the user wants to access this page (fable4.html) he's directed to the login page where he logs in and then he's re-directed to the proper page (fable4.html).

One small problem here: If a user is not logged in and knows what the link to this page looks like, he can access the page without being logged in first.

I have to award points on this question and open a new one, then post a link back here if you still want to help.

Thanks so much for your understanding.
0
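
One way to close the gap described in this comment, as an added example (not aMember's own code and not from the article): the static page is moved out of the web root and served by a small PHP script that checks the session first. The script name `gate.php`, the `/var/www/private/` directory, `/login.php` and the `user_id` session key are assumptions.

```php
<?php
// gate.php?page=fable4
// Added example: file names, paths and the session key are assumptions.
session_start();

// Fixed map of public names to files kept outside the web root, so the
// HTML cannot be fetched directly by anyone who knows its URL.
$protected = array(
    'fable4' => '/var/www/private/fable4.html',
);

// Only names from the map are served; the request never supplies a file path.
$page = isset($_GET['page']) ? $_GET['page'] : '';
if (!is_string($page) || !isset($protected[$page])) {
    http_response_code(404);
    exit('Not found');
}

if (empty($_SESSION['user_id'])) {
    // Not logged in: remember the entry point server-side, then go to login.
    $_SESSION['entry_uri'] = '/gate.php?page=' . rawurlencode($page);
    header('Location: /login.php');
    exit;
}

// Logged in: send the page and keep it out of shared caches.
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: private, no-store');
readfile($protected[$page]);
```

Links on the public pages then point at `gate.php?page=fable4` rather than at `fable4.html`.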
 
LVL 1

Author Comment

by:currentdb
ID: 37799548
Here's the link to a new question: Protect page from non authorized use
0
