Verifying user has logged in.


Hamish

Hi All,

 

Just starting to learn a bit about sessions and I am using the following bit of code to check that the user has logged in through the login page.

<?php
session_start ();
//this code checks to see if the user is logged in, if yes allowed to continue
//If not redirected to the login page
if (@$login |= "yes")
{
header ("location: login.php");
exit();
}
session_destroy();
?>

 

However, the protected page can still be accessed from the browser window by using the page URL, bypassing login.

 

Any help would be much appreciated.

 

Regards

 

Hamish

 


How are you checking the login?

 

Is it from a MySQL table or is this built into the script?

 

A real simple login would work like this.

 

Login.php

 

<?php session_start(); ?>

<h1>Please Login</h1>
<form action="" name="login" method="post">
<p>Username <input type="text" name="username"/></p>
<p>Password <input type="password" name="password"/></p>
<p><input type="submit" name="login" value="Login"/></p>
</form>

<?php
// Hard-coded demo credentials
$username = "username";
$password = "password";

// Only process the form once it has been submitted
if (isset($_POST['login']))
{
    $user = addslashes(strip_tags($_POST['username']));
    $pass = addslashes(strip_tags($_POST['password']));

    // error check
    if (!$user || !$pass)
    {
        echo "Please make sure all fields are complete<br />";
    }else{
        if ($username === $user and $password === $pass)
        {
            // Remember the logged-in user for check.php
            $_SESSION['logged'] = $username;
            echo "Login complete thankyou..";
            echo "<meta http-equiv='refresh' content='2; url=index.php'>";
        }else{
            echo "Wrong username or password<br />";
        }
    }
}
?>

 

check.php

 

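<?php session_start();

// Read the value set by Login.php; it is absent until the user has logged in
$logged = isset($_SESSION['logged']) ? $_SESSION['logged'] : null;

if (!$logged)
{
    echo "<meta http-equiv='refresh' content='0; url=login.php'>";
    exit;
}
?>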

 

I haven't tested this, but it should work. You may need to edit your php.ini file to set register_globals = on

 

If you need to do this, open a new text file and place this in there:

 

register_globals = on

 

Save it as php.ini

 

Glen

This is the code from the three pages

 

Login

<?php


echo("<form action = \"check_login_details.php\" method = \"post\">");
echo("User ID <input type = \"text\" name = \"ID\"/><br />");
echo("Password <input type = \"text\"name = \"pass\"/><br />");
echo("<input type = \"submit\" value = \"submit\"/>");
echo("</form>");

?>

 

This is the code that checks the db

<?php

session_start();
if (!isset($ID))
header ("Location: login.php");

include ("opendbinclude.php");

function isvalid($ID, $password)
{
//get user details from database
$result=mysql_query("SELECT * FROM User WHERE id=\"$ID\" AND password=\"$password\"");
$rows=mysql_num_rows($result);
if ($rows>0) {
	return("True");
} else
{ return("False"); }

}

if ( isvalid($ID, $pass)=="False" )
{

header ("Location: login.php");
exit;
}
else
{

$result=mysql_query("SELECT * FROM User WHERE id=\"$ID\"");
$rec=mysql_fetch_array($result);

$permission=$rec["permission"];

//register a session variable name and assign the value returned from the
//database query above
$_SESSION["name"]=$rec["name"];


	header ("Location: ControlPanel.php");
	exit;

}
?>

 

This is the code from the top of the page to be accessed

<?php
session_start ();
//this code checks to see if the user is logged in, if yes allowed to continue
//If not redirected to the login page
if (@$login |= "yes")
{
header ("location: login.php");
exit();
}
//session_destroy();
?>
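
The pattern the thread is working toward, as an added example that is not part of any post: the login handler records success in $_SESSION, and the protected page compares that session value with === before rendering anything. The in-memory SQLite table, the password_hash column and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumed for illustration: PDO with
// an in-memory SQLite "User" table, a password_hash column, function names.

// Constructed sample data so the script runs offline.
function sample_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE User (id TEXT PRIMARY KEY, name TEXT, password_hash TEXT)');
    $db->prepare('INSERT INTO User VALUES (?, ?, ?)')
       ->execute(['hamish', 'Hamish', password_hash('constructed-pass', PASSWORD_DEFAULT)]);
    return $db;
}

// Login handler: read the fields from the submitted array (no register_globals),
// bind the id as a query parameter, and store the outcome in $_SESSION.
function attempt_login(PDO $db, array $post): bool {
    $id   = isset($post['ID'])   ? (string) $post['ID']   : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';
    $stmt = $db->prepare('SELECT name, password_hash FROM User WHERE id = ?');
    $stmt->execute([$id]);
    $rec = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($rec === false || !password_verify($pass, $rec['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id once authenticated
    $_SESSION['login'] = 'yes';
    $_SESSION['name']  = $rec['name'];
    return true;
}

// Protected page: the check reads the session, not a local variable.
function is_logged_in(): bool {
    return isset($_SESSION['login']) && $_SESSION['login'] === 'yes';
}

function require_login(): void {
    if (!is_logged_in()) {
        header('Location: login.php');
        exit;   // stop before any protected output is produced
    }
}

session_start();
$db = sample_db();
$results = [
    'before login'   => is_logged_in(),
    'wrong password' => attempt_login($db, ['ID' => 'hamish', 'pass' => 'guess']),
    'still guest'    => is_logged_in(),
    'right password' => attempt_login($db, ['ID' => 'hamish', 'pass' => 'constructed-pass']),
    'after login'    => is_logged_in(),
];
require_login();     // returns normally now that the session is authenticated
var_dump($results);
```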

Archived

This topic is now archived and is closed to further replies.
