Hamish Posted April 27, 2007

Hi All,

Just starting to learn a bit about sessions and I am using the following bit of code to check that the user has logged in through the login page.

    <?php
    session_start ();
    //this code checks to see if the user is logged in, if yes allowed to continue
    //If not redirected to the login page
    if (@$login |= "yes")
    {
        header ("location: login.php");
        exit();
    }
    session_destroy();
    ?>

However the protected page can be still accessed from the Browser window by using the page URL bypassing login.

Any help would be much appreciated.

Regards
Hamish

Hughesy1986 Posted April 27, 2007

How are you checking the login? Is it from a MySQL table or is this built into the script? A real simple login would work like this.

Login.php

    <?php
    session_start();
    ?>
    <h1>Please Login</h1>
    <form action="" name="login" method="post">
    <p>Username <input type="text" name="username"/></p>
    <p>Password <input type="password" name="password"/></p>
    <p><input type="submit" name="login" value="Login"/></p>
    </form>
    <?php
    $username = "username";
    $password = "password";
    if ($_POST['login'])
    {
        $user = addslashes(strip_tags($_POST['username']));
        $pass = addslashes(strip_tags($_POST['password']));
        // error check
        if (!$user || !$pass)
        {
            echo "Please make sure all fields are complete<br />";
        }else{
            if ($username == $user and $password == $pass)
            {
                $_SESSION['logged'] = $username;
                echo "Login complete thankyou..";
                echo "<meta http-equiv='refresh' content='2; url=index.php'>";
            }else{
                echo "Wrong username or password<br />";
            }
        }
    }
    ?>

check.php

    <?php
    session_start();
    $logged = $_SESSION['logged'];
    if (!$logged)
    {
        echo "<meta http-equiv='refresh' content='0; url=login.php'>";
        exit;
    }
    ?>

I haven't tested this but it should work. You may need to edit your php.ini file to set register_globals = on. If you need to do this, open a new text file, place this in there:

    register_globals = on

and save it as php.ini

Glen

Hamish Posted April 27, 2007

Hi,

It checks the details in a MySql table.

Hamish Posted April 27, 2007

This is the code from the three pages

Login

    <?php
    echo("<form action = \"check_login_details.php\" method = \"post\">");
    echo("User ID <input type = \"text\" name = \"ID\"/><br />");
    echo("Password <input type = \"text\"name = \"pass\"/><br />");
    echo("<input type = \"submit\" value = \"submit\"/>");
    echo("</form>");
    ?>

This is the code that checks the db

    <?php
    session_start();
    if (!isset($ID))
        header ("Location: login.php");
    include ("opendbinclude.php");
    function isvalid($ID, $password)
    {
        //get user details from database
        $result=mysql_query("SELECT * FROM User WHERE id=\"$ID\" AND password=\"$password\"");
        $rows=mysql_num_rows($result);
        if ($rows>0)
        {
            return("True");
        }
        else
        {
            return("False");
        }
    }
    if ( isvalid($ID, $pass)=="False" )
    {
        header ("Location: login.php");
        exit;
    }
    else
    {
        $result=mysql_query("SELECT * FROM User WHERE id=\"$ID\"");
        $rec=mysql_fetch_array($result);
        $permission=$rec["permission"];
        //register a session variable name and assign the value returned from the
        //database query above
        $_SESSION["name"]=$rec["name"];
        header ("Location: ControlPanel.php");
        exit;
    }
    ?>

This is the code from the top of the page to be accessed

    <?php
    session_start ();
    //this code checks to see if the user is logged in, if yes allowed to continue
    //If not redirected to the login page
    if (@$login |= "yes")
    {
        header ("location: login.php");
        exit();
    }
    //session_destroy();
    ?>

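An added example, not part of any post in this thread: one way to write the login check and the protected-page guard so that the login state is stored in `$_SESSION` and compared with `!==`/`===`, rather than read from a register_globals-style `$login` with `|=` (a bitwise OR assignment, not a comparison). The in-memory SQLite `User` table, the `password_hash` column and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with PDO; the User
// table (id, password_hash, name) is constructed here in in-memory SQLite, and
// the password_hash column is an assumption (the thread compares plaintext).
declare(strict_types=1);

function attempt_login(PDO $db, string $id, string $password): bool
{
    // Bound parameter: the submitted ID never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT name, password_hash FROM User WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh session ID after login
    }
    $_SESSION['login'] = 'yes';        // the flag the protected page tests
    $_SESSION['name']  = $row['name'];
    return true;
}

// Guard for the protected page: read the flag from $_SESSION, compare strictly.
function is_logged_in(): bool
{
    return isset($_SESSION['login']) && $_SESSION['login'] === 'yes';
}

function require_login(): void
{
    if (!is_logged_in()) {
        header('Location: login.php');
        exit;                          // stop here, or the page body is still sent
    }
}

// Constructed demo data so the example runs offline from the command line.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE User (id TEXT PRIMARY KEY, password_hash TEXT, name TEXT)');
$db->prepare('INSERT INTO User VALUES (?, ?, ?)')
   ->execute(['demo-user', password_hash('correct horse', PASSWORD_DEFAULT), 'Demo']);

$_SESSION = [];
var_dump(is_logged_in());                                   // state before login
var_dump(attempt_login($db, 'demo-user', 'wrong'));
var_dump(attempt_login($db, 'demo-user', 'correct horse'));
var_dump(is_logged_in());                                   // state after login
```

On a real page, call `session_start()` before either function and call `require_login()` before any output is sent.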