
View Full Version : Stopping Just Anyone From Viewing Pages



tomyknoker
03-13-2007, 08:55 PM
Hi all,

Ok well I set up a username/password scenario and was able to get it to work and then add the header to the main.php page, which loaded if the user/pass is correct. But then I realised I can access any of the pages just by typing in the link directly... What do I need to add, so that if people link to the page they need to login first...???

aedrin
03-13-2007, 09:02 PM
If you're using Apache you can set up an .htaccess file, or set up a check in a .php file and include that in each file, depending on your situation.

mlseim
03-13-2007, 09:12 PM
Tomy ...

Coincidentally, I just saw this on another forum:

=========================================

Simple use of sessions ...

1)
Your user inputs a username and password on a form,
which calls a PHP script named "login.php"

2)
That "login.php" script looks something like this:



<?php
session_start();

//variables from your HTML log-in form.
$pass = $_POST['pass'];
$name = $_POST['name'];

//this part, you check your database for the correct password ...
//not sure how you do that, but if the variables $pass and $name
//match your database, then register the session with a $userid, or
//something from your database that identifies the user.

if($pass === "the correct password"){
    session_register(user);
    $user = $userid;
    $flag = 1;
}
else{
    $flag = 0;
}

//this part can go to an admin page or do something if
//the user is logged-in. Otherwise, it can return back to
//your HTML form with or without an error message ...
//however you want to do that.

if($flag==1){
    header ("location: admin.php");
    exit; //stop the script once the redirect has been sent
}
else{
    //plain text only, URL-encoded; myform.php should escape it
    //(htmlspecialchars) and add its own markup when printing it
    $mess="Sorry, we cannot find that member ...";
    header ("location: myform.php?mess=" . urlencode($mess));
    exit;
}
?>



Now, on every other PHP page you have, you start with this.
It checks the user session to see if $user has been set (they are logged-in).
It can drop through (do nothing) and display the page, or it will see that
the user is not logged-in and return back to the main page ...



<?php
session_start();
if(session_is_registered("user")){
    //do nothing
}
else{
    header ("location: index.php");
    exit; //stop here, otherwise the rest of the page is still sent
}

//the rest of your page here

?>



To log-out, the user closes their browser or this script is executed:



<?php
if(session_start()){
session_destroy();}
header ("location: index.php");
?>

Nightfire
03-13-2007, 09:43 PM
The example above should use



$_SESSION['user'] = true;

and


if(isset($_SESSION['user'])){
instead of


session_register(user);

and


if(session_is_registered("user")){

as it is deprecated

mlseim
03-13-2007, 11:29 PM
Nightfire ....

Thanks .... I see those things (and do them myself) all the time.
I guess I'm lazy not to use current scripting. For those reading
this that are beginning PHP, start developing good habits.
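
Added example, not part of the thread and not any poster's code: one way to write the shared check that aedrin suggests including in each file, using the `$_SESSION` array Nightfire recommends and stopping the script after every redirect. The file name `auth.php`, the function names, and the `demo` user with its password are assumptions constructed for illustration.

```php
<?php
// auth.php (hypothetical name): require this at the top of every protected page.
// Usage on a protected page:  require 'auth.php'; require_login();
const LOGIN_PAGE = 'index.php';   // where visitors without a session are sent

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
}

// Constructed sample user store; a real site would look the hash up in its database.
function find_password_hash(string $name): ?string
{
    static $users = null;
    $users ??= ['demo' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
    return $users[$name] ?? null;
}

// Called by login.php with the posted form values.
function log_in(string $name, string $pass): bool
{
    $hash = find_password_hash($name);
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;
    }
    ensure_session();
    session_regenerate_id(true);   // fresh session ID once the user is authenticated
    $_SESSION['user'] = $name;
    return true;
}

// Redirects and stops the script unless a logged-in session exists.
function require_login(): void
{
    ensure_session();
    if (!isset($_SESSION['user'])) {
        header('Location: ' . LOGIN_PAGE);
        exit;   // without exit the protected page would still run and be sent
    }
}

function log_out(): void
{
    ensure_session();
    $_SESSION = [];                // clear the data as well as the session file
    session_destroy();
    header('Location: ' . LOGIN_PAGE);
    exit;
}
```

Because the check lives in one file, a page is only protected if it actually calls `require_login()` before producing any output.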