Smee Posted June 4, 2010 Share Posted June 4, 2010 Hey, I have a working site but realise i have not added enough security because users who are not logged in, if they know that /attending.php is a page to the site then they can access it even though they cannot use the functions of the page. I cant find a lot on redirecting for non logged in users on the net so thought i would try here, has anyone got a tutorial or suggestions on how this can be implemented where if they try access these restricted pages they get taken to the /login.php. Thanks in advance! Quote Link to comment Share on other sites More sharing options...
Zagga Posted June 4, 2010 Share Posted June 4, 2010 If you use sessions to manage your users, you could add this to the very top of each page. <?php session_start(); if (!isset($_SESSION['username'])){ header("location:login.php"); } ?> It checks if there is a $_SESSION variable called 'username' and if there isn't, it redirects the user to login.php Zagga Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted June 4, 2010 Share Posted June 4, 2010 You need an exit; statement after your header() redirect. All anyone needs to do is ignore the redirect and they can still access the remainder of the content on the 'protected' page. Quote Link to comment Share on other sites More sharing options...
Smee Posted June 4, 2010 Author Share Posted June 4, 2010 Awesome thanks for the help. It's working but is this what you meant by the exit(); command? if (!isset($_SESSION['user_id'])){ header("location:login.php"); exit(); } Quote Link to comment Share on other sites More sharing options...
Zagga Posted June 4, 2010 Share Posted June 4, 2010 Yes, that is where the exit statement should go. I wasn't aware that you could ignore redirects, so thanks for the heads up on that one too Zagga Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted June 4, 2010 Share Posted June 4, 2010 A header() redirect tells a browser (or a script that has been told to follow redirects) to request the URL that is in the header statement. Without an exit; statement to stop the php script, the rest of the html/php code on the 'protected' page is still processed and output by the web server. Most hackers use scripts to access your web pages. They have to specifically configure such a script to follow any header() redirect. If you don't and ignore the redirect and there is no exit; statement, the result is the same as if a logged in user accessed the 'protected' page. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.