PHP and MySQL Members Section

[DeltaIotaKappa]

Ok here is my problem. I am looking to create a members section to my Web site and require the user to log in, I only want the membership section to be viewable by those that have successfully logged in with a username and password. I want to use a MySQL database to hold the usernames and passwords.

So far I have everything done up to the point where the user can go to the login page and enter their info, if the info is correct it will use JavaScript to send them to the members section page, if it is incorrect for any number of reasons it will return the reason to the user. Basically what I want to happen is when they enter correct info additional options are available to them on the left navigation column. I want the server to know that they logged in correctly and let the user be able to browse the members section freely. I've never done this before so I don't know how to make it happen, right now what I was trying to mess with was the hope that after they logged in, either the variables or the superglobals would be remembered on the server and I could do something like:

if("some variable showing the user logged in before")
{
//display the members section
}
else
{
//send the user back to home page
}

I have tried a few things and it's apparent that either the variables aren't in memory or I am trying to access them wrong.

How do I make it so that once the user logs in they can view the members info but no one else can view it unless they have logged in? If you want I can give you a link to the page I am working on and/or my php code.

Thank You!

[XenoPhage]

<shameless plug>

If you take a look at the security code I wrote for [a href=\"http://sf.net/projects/phptodo\" target=\"_blank\"]phpTodo[/a], you can see how I handled this. Basically, you use php sessions. If the user has a session, and the parameters match what you have in the database, you let them in. Using the sec_check.php file from phpTodo, you can check authentication on each page using the following code :

[code]

   // If the user is not authenticated, jump them to the login page
   if (! $user_obj = authenticate()) {
      login_redirect();
      exit;
   }

[/code]

$user_obj is an object that can contain anything you need to know about a user.

[Caesar]

You want to use sessions. Do your login validation via another file/script. Then, include that file in the header of all the member's area...so that no matter where in the member's area they go..it will check authorization.

Example-1 (header.php):

[code]include'auth.php';
[/code]

Example-2 (auth.php):
[code]
session_start();

if(isset($username))

{///----Member's Area Content Here---///}

else

{

header("Location: $_SERVER['SERVER_NAME']index.php?error=nologin");

}[/code]

Edit: Be sure not only to check if the login variables are set, but that they match username/password from the database.

[DeltaIotaKappa]

[!--quoteo(post=350482:date=Feb 28 2006, 09:50 PM:name=XenoPhage)--][div class=\'quotetop\']QUOTE(XenoPhage @ Feb 28 2006, 09:50 PM) [snapback]350482[/snapback][/div][div class=\'quotemain\'][!--quotec--]
<shameless plug>

If you take a look at the security code I wrote for [a href=\"http://sf.net/projects/phptodo\" target=\"_blank\"]phpTodo[/a], you can see how I handled this. Basically, you use php sessions. If the user has a session, and the parameters match what you have in the database, you let them in. Using the sec_check.php file from phpTodo, you can check authentication on each page using the following code :

[code]

   // If the user is not authenticated, jump them to the login page
   if (! $user_obj = authenticate()) {
      login_redirect();
      exit;
   }

[/code]

$user_obj is an object that can contain anything you need to know about a user.
[/quote]



Xeno - What is the link to your security code? I couldn't find it on that site.

[XenoPhage]

[!--quoteo(post=350489:date=Feb 28 2006, 10:14 PM:name=DeltaIotaKappa)--][div class=\'quotetop\']QUOTE(DeltaIotaKappa @ Feb 28 2006, 10:14 PM) [snapback]350489[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Xeno - What is the link to your security code? I couldn't find it on that site.
[/quote]

You need to download the phpTodo distro.. Unpack the archive and it's in there. I'll see if I can find a place to put just the 2 files you would be interested in ...

Here's a link to the code : [a href=\"http://www.godshell.com/oss/secure-login.tar.gz\" target=\"_blank\"]http://www.godshell.com/oss/secure-login.tar.gz[/a]

[DeltaIotaKappa]

[!--quoteo(post=350580:date=Mar 1 2006, 07:46 AM:name=XenoPhage)--][div class=\'quotetop\']QUOTE(XenoPhage @ Mar 1 2006, 07:46 AM) [snapback]350580[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Here's a link to the code : [a href=\"http://www.godshell.com/oss/secure-login.tar.gz\" target=\"_blank\"]http://www.godshell.com/oss/secure-login.tar.gz[/a]
[/quote]

Got the code and unpacked it, thank you. I am gonna play around with it some and report back on if I run into anymore problems.