andybriggs
Posted July 10, 2014

Hi guys,

I would like to have a security measure in place to prevent unauthorized access to my site without a valid log on. At the moment, it would let anyone in without destroying the session and redirecting to the index page.

What would I "use" that's created in the session? What's the "best" practice?

My understanding is that the session variable is stored in the browser; after a successful log in, that session variable is like a baton or a key that's "passed" onto the next page. If someone tried to bypass the log on with the session then access is denied or redirected away.

So on my index page to start I have:

    <?php
    session_start();

    /* clear all session variables */
    $_SESSION = array();

    /* set a session variable for later use */
    $_SESSION['what_page'] = "admin00";
    ?>

What do I need to have to use the session against unauthorized access? My guess is:

    if (!isset($_SESSION['what_page']) || $_SESSION['what_page'] != "index.php") {
        $_SESSION = array();
        session_destroy();
        header("Location: index.php");
        exit();
    }

So to me that means: if 'what_page' is not set from the index page, don't go any further, redirect (back to index).

If I remove this and use a known username and password, I am able to log into the correct page, but this session validation is the bit that's not working.

Please could you help?
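An added example, not part of the original post: a login guard in which the session marker is written only after the credential check succeeds, and every protected page tests that same key. The `user_id` key, the function names and `index.php` as the login page are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Hypothetical names: the 'user_id'
// session key, complete_login(), is_logged_in(), require_login().
// With PHP's default session handler the browser holds only the session ID
// cookie; the $_SESSION data itself stays on the server.

// Call once, immediately after the username/password check has succeeded.
function complete_login(int $userId): void
{
    session_regenerate_id(true);     // fresh ID at login, defeats session fixation
    $_SESSION['user_id'] = $userId;  // the one marker every protected page tests
}

// Pure check, kept separate so it can be exercised without an HTTP request.
function is_logged_in(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        $_SESSION = [];
        session_destroy();
        header('Location: index.php');  // assumed login page
        exit;                           // stop, or the page would still render
    }
}

// Constructed sample sessions, checked when the file is run from the CLI.
if (PHP_SAPI === 'cli') {
    var_dump(is_logged_in([]));                          // no marker set
    var_dump(is_logged_in(['what_page' => 'admin00']));  // unrelated key only
    var_dump(is_logged_in(['user_id' => 42]));           // set by complete_login()
}
```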
This topic is now archived and is closed to further replies.