restricting access

runnerjp · 05-09-2008, 05:19 PM

at the moment i use this to restirct only let logged on people to view the page

<?php if($logged[username])
{
//Logged in code
}else
{
//Not logged in code
} ?>

but i was wondering if there was a better way of doing this?

TheShaner · 05-09-2008, 06:22 PM

For my sites, I use sessions and at the top of each page, I first do the normal session_start() and then:

PHP Code:


			
if(!isset($_SESSION['user'])) header("Location: http://mysite.com/login.php?err=login");

This just redirects the user to the login page if they're not logged in and the login page catches the error that they're not logged in, thus displaying a message like "You must be logged in". This method prevents having to if/else every page. You could even just put this session info into a separate PHP page and make it required at the top of every page that needs a login.

-Shane

runnerjp · 05-09-2008, 06:29 PM

humm ok so what woul my session_user be??

at the moment i have set it so when a user logs in there login session are set liek so

PHP Code:


			
//sets the logged session

$_SESSION['id'] = "$user[id]";

$_SESSION['password'] = "$user[password]";

TheShaner · 05-09-2008, 06:36 PM

Substitute my $_SESSION['user'] for your $_SESSION['id'].

On a side note, it's not wise to store a password in a session, or really anywhere but your DB for that matter. It's more secure to always make passwords non-retrievable. If a user needs their password, like an email validation script, you should send them an email with a link to create a new password.

-Shane

runnerjp · 05-09-2008, 06:49 PM

ok i tried it but it redirects me to my error page if im logged in or not :S

PHP Code:


			
<?php if(!isset($_SESSION['id'])) header("Location: http://www.runningprofiles.com/error.php");?><?php  
session_start(); 
    require_once '../config.php';
        

include ("../header.php");  
?>
<style type="text/css">
<!--
body {
    margin-left: 1px;
    margin-top: 1px;
    margin-right: 1px;
    margin-bottom: 1px;
}
-->
</style> 

<table width="100%" cellpadding="0" bgcolor="#FFFFFF" colspan='0'>
<tr>
        <td  width="11%" height="505" align="left" valign="top"><table width="100%" height="505" align="left" cellpadding="0" bgcolor="#D6E0E0">
    <tr>
        <td width="9%" height="58" colspan="2" align="center" valign="top" bgcolor="#D6E0E0"><p>Menu</p>
          <p><a href="index.php?page=update"><img src="http://www.runningprofiles.com/images/editprofile.jpg"  alt="editprofile" border="0" /></a></p>
          <p><? //if($id == 1){ echo "<a href=\"admin/index.php\">Admin Index</a>\n";}?></p>        </td>
    </tr>
    <tr>
            <td height="361" colspan="2" align="center" valign="top" bgcolor="#D6E0E0"><p><a href="http://www.runningprofiles.com/logout.php">Logout</a> </p>
            <p><a href="http://www.runningprofiles.com/members">Home</p></td>
    </tr>         
</table></td>
<td width="80%" align="left" valign="top">
<? $page = $_GET['page'];
                    if (ereg('[A-Za-z0-9]',$page) ) {
                        if (file_exists('include/'.$page.'.php')) {
                            include('include/'.$page.'.php');
                        } else {
                            include('include/main.php');
                        }
                   } else {
                            include('include/main.php');
                    }?></td>
<td width="9%" align="center" valign="top" bgcolor="#D6E0E0"> online</td>
  </tr>      
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<?php

ob_end_flush();

?>

TheShaner · 05-09-2008, 06:56 PM

Quote:

Originally Posted by runnerjp

ok i tried it but it redirects me to my error page if im logged in or not :S

PHP Code:


			
<?php if(!isset($_SESSION['id'])) header("Location: http://www.runningprofiles.com/error.php");?><?php  

session_start(); 

...

session_start(); should always be the first line of your page.
It's redirecting you to your error page because that's what you set in your header. You put http://www.runningprofiles.com/error.php as the redirect address. Instead, redirect to your login.

If your page is supposed to display alternate data rather than redirect, you should use what you were doing before:

PHP Code:


			
if(isset($_SESSION['id']))

{

    // Logged in users see this

}

else

{

    // Not logged in users see this

}

-Shane