Sessions? How to secure pages for only logged in users

[FatesCall]

 

#continue from above *CHROMIUM AHHHHHH*

 

process.php

 

<?php //no whitespace, no BOM must come before this line.
session_start();  //start the session.
define('MYSITE' , $_SERVER['SERVER_NAME']); //define what our site is.
$_SESSION['login'] = false; //we are NOT logged in.
if($_SERVER['REQUEST_METHOD'] == 'POST') { //if a POST request has been made.
$_POST = array_map('trim',$_POST); //trim the data.
if(!empty($_POST['user']) && !empty($_POST['password'])) { //if the user and password are NOT empty.
$users = ["User1" => "123", "User2" => "1234", "User3" => "1235"]; //list our users in array.
if(isset($users[$_POST['user']]) && $users[$_POST['user']] == $_POST['password']) { //if the password matches for the user entered.
$_SESSION['login'] = true; //log the user in.
header('Location: http://' . MYSITE . '/login.php'); //send the user to panel.php
exit(); //stop further execution of script.
} else { //if the username and/or password is wrong.
header('Location: http://' . MYSITE .'/error.php?reason=wp'); //send them to login_error.php with a reason code.
exit(); //stop the script.
}
}
header('Location: http://' . MYSITE . '/error.php?reason=nv'); //if the user or password was empty, send to login_error.php with reason code.
exit(); //exit the script.
}

 

error.php

 

<?php
if(isset($_GET['reason'])) { //if there is a reason to be here (should be the only reason we are here).
switch($_GET['reason']) { //run a switch.
case 'nv': //if the reason is nv (not valid).
$message = 'You must enter a username and a password.'; //set the message.
break; //break the switch to keep it from going further.
case 'wp': //wp (wrong password/username).
$message = 'You entered a wrong username and/or password.';
break;
}
}
//echo the message, redirect in 5 seconds.
echo '<html><head><meta http-equiv="refresh" content="5;URL=login.php"></head><body><div>' . $message . '</div></body></html>';

 

THANK YOU SO MUCH IT WORKS PERFECTLY LIKE I WANT IT TOO :D :D  

[FatesCall]

FatesCall, here is something to play with, fully commented, and working.

Maybe this will help you understand flow

 

login.php

<?php //No white space or BOM before this tag.
session_start(); //start the sesson.
if(isset($_SESSION['login']) && $_SESSION['login'] == true) { //if the session is set, and session login is set to true.
echo 'Thank you for logging in!'; //tell them that they are logged in.
$_SESSION['login'] = false; //for testing purposes, I then disable the login.
} else { //if we haven't logged in, then show the form.
?><form method="post" id="login-form" name="login-form" action="process.php"><div class="login">
            <input type="text" placeholder="username" name="user" required><br>
            <input type="password" placeholder="password" name="password" required><br>
            <input type="submit" name="login" id="login" value="login" />
        </div></form>
<?php 
}
?>  

Although, is there a way to force them to log in every time instead of the auto login?

 

EDIT: and also to prevent people from directly going to www.mysite.com/panel.php and getting in

Edited June 7, 2015 by FatesCall

[FatesCall]

Never mind figured it out