dazzathedrummer, Posted March 11, 2010

Hi,

I have a basic login system that I've created (with help from this forum!), I can get a user to register, updating a MySQL db and then set a cookie when they log in. My next step is to create some pages that only the logged in users can get access to. I'm just wondering where to start with that - what's the best way of doing that and where shall I start reading?

Thanks,
Darren

litebearer, Posted March 11, 2010

This may get you going...

http://www.trap17.com/index.php/php-simple-login-tutorial_t7887.html

dazzathedrummer (Author), Posted March 11, 2010

That looks good! So presumably the 'members only' content has a cookie/session check at the top to redirect back to 'login' if no cookie/login is set. Is a session better for this than a cookie?

PFMaBiSmAd, Posted March 11, 2010

The members.php code at that link is not secure because the 'protected' content and code on the remainder of the page is still processed while the browser performs the redirect. All a hacker needs to do is ignore the header and he can access the rest of the 'protected' page. You must use an exit/die statement following a header() redirect so that the remainder of the code and content on the page is not processed.

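Added example (not part of the original thread and not the linked tutorial's code): a single-file demo of the point above, with the redirect-only guard next to the guard that exits. The file name, the /unsafe, /safe and /login routes and the `$_SESSION['user_id']` key are assumptions made for the demo.

```php
<?php
// demo.php (added example). Serve locally with: php -S 127.0.0.1:8000 demo.php
// The /unsafe, /safe and /login routes and $_SESSION['user_id'] are assumptions.
declare(strict_types=1);

session_start();

function is_logged_in(): bool
{
    return !empty($_SESSION['user_id']);
}

// BEFORE: redirect header only. PHP keeps executing after header(), so the
// protected output that follows is still written into the 302 response body.
function guard_without_exit(): void
{
    if (!is_logged_in()) {
        header('Location: /login', true, 302);
    }
}

// AFTER: exit stops the script right after the header is set, so nothing
// below the guard is executed or sent.
function guard_with_exit(): void
{
    if (!is_logged_in()) {
        header('Location: /login', true, 302);
        exit;
    }
}

function members_content(): string
{
    return "<h1>Members only</h1><p>constructed sample content</p>\n";
}

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);

switch ($path) {
    case '/unsafe':
        guard_without_exit();
        echo members_content(); // runs even when nobody is logged in
        break;
    case '/safe':
        guard_with_exit();
        echo members_content(); // runs only for a logged-in session
        break;
    default: // includes /login, a stand-in for the real login page
        echo "Login page placeholder\n";
}
```

To check a guarded page, request it without a session cookie using a client that does not follow redirects: both routes answer 302, but only /safe returns an empty body.
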
dazzathedrummer (Author), Posted March 11, 2010

> The members.php code at that link is not secure because the 'protected' content and code on the remainder of the page is still processed while the browser performs the redirect. All a hacker needs to do is ignore the header and he can access the rest of the 'protected' page. You must use an exit/die statement following a header() redirect so that the remainder of the code and content on the page is not processed.

That makes sense, thanks!

How do I protect the content of the 'members' pages? Surely, even though you have to be logged in to access them, eventually any static HTML on those pages would be picked up by, say, Google and therefore be visible?

dazzathedrummer (Author), Posted March 12, 2010

Ok, slightly different question.

I've created a cookie system so that if the cookie is not present, the browser redirects to the login page - I'm happy that that is enough security for the 'members only' pages.

My question now is, assuming my restricted content contains an include that generates a list of users, if the page itself is restricted by cookie access - this doesn't stop the include file being run if the URL was guessed - is there a way to protect the include file apart from hard coding it in the content page itself?