anita999 Posted March 20, 2007

I am new to PHP and need to create a Login/Register page. I've completed the Registration part, i.e. it will store user, email and password info and it sends a validation email to the user. The user needs to click on this URL to activate the account.

For the Login, I will verify that the user and password exist in the DB and then store the user, password, etc. variables in the _SESSION variable. From what I can tell, these session variables are used to pass around session information from page to page for a user that is logged on the web site.

Now, if the user successfully logs in, I want to redirect that user to a page where he/she can do some searches or see a list of information. However, I am concerned that someone could actually access this page directly by typing in the URL plus the PHP. What are ways to prevent a user from doing this kind of direct access? Any good tips or URLs that describe this would be appreciated.

Thank you in advance.
Anita

jcbarr Posted March 20, 2007

If you are checking the session variables on every page then that will fix the problem. If the user does not log in successfully and establish a session then they cannot access the page.

There are a ton of good tutorials on the web about this. Basically in every page you need to have session_start() at the top of every page before any other code or lines. Then verify the session variables and if they don't match use the die() function to kill the page and display an error message.

The Little Guy Posted March 20, 2007

http://snippets.tzfiles.com/snippet.php?id=4

anita999 Posted March 20, 2007 (Author)

So essentially when I verify the session variables on each page, I will need to do a dbaccess to a users DB table...?

Thanks

jcbarr Posted March 20, 2007

No, just once, and if the information is correct you set the session variable to a certain value. Then on every subsequent page you check the value of that session variable. If it does not match what you initially set it to then you either kill the script or redirect the user via the header function.

marukochan Posted March 21, 2007

Hi Anita999,

Why don't you have a look at this tutorial at http://php.about.com/od/finishedphp1/ss/php_login_code.htm

Look at the script for Members Area. The Members Area can only be accessed after you have logged in.

Hope this will help.

jitesh Posted March 21, 2007

This is the example.

When logging in, set a session variable like this:

    $_SESSION['user_id'] = "12";

Now, in each page that you want to restrict, mention the script below:

    session_start();
    if (!isset($_SESSION['user_id'])) {
        // ....... throw out somewhere
    }

In the logout script:

    unset($_SESSION['user_id']);
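
The flow described in the replies above (verify against the users table once at login, set a session variable, check it at the top of every restricted page, unset it at logout), as an added example that is not code from any poster in this thread. The function names, `login.php`, and the sample account are assumptions constructed for illustration; the in-memory array stands in for the users table.

```php
<?php
// Added example. find_user(), attempt_login(), require_login(), logout(),
// login.php and the sample account are constructed for illustration.

// Stand-in for the users table. A real site queries the DB here, and only
// at login time, not on every page.
function find_user(string $name): ?array {
    static $users = null;
    if ($users === null) {
        $users = ['anita' => [
            'id'     => 12,
            'hash'   => password_hash('constructed-pass', PASSWORD_DEFAULT),
            'active' => true,   // set when the emailed activation link is clicked
        ]];
    }
    return $users[$name] ?? null;
}

// Login: verify once, then keep only the user id in the session.
function attempt_login(string $name, string $password): bool {
    $user = find_user($name);
    if ($user === null || !$user['active'] || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);         // fresh session id once authenticated
    $_SESSION['user_id'] = $user['id'];  // the password never goes in the session
    return true;
}

// Guard: call at the top of every restricted page, before any output.
function require_login(): int {
    if (!isset($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;                            // without exit the page below still executes
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void {
    $_SESSION = [];                      // drop the login marker and everything else
    session_destroy();
}

session_start();                         // must run before any output is sent
if (PHP_SAPI === 'cli') {                // command-line walk-through of the flow
    $rejected = attempt_login('anita', 'wrong');
    $accepted = attempt_login('anita', 'constructed-pass');
    $userId   = require_login();
    logout();
    var_dump($rejected, $accepted, $userId, isset($_SESSION['user_id']));
}
```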