Braveheartt Posted March 19, 2008 Share Posted March 19, 2008 Hello. I have a page which requires a password to continue to the other pages with a menu etc. How could I make sure no one could access ANY of the other pages (for example, a link or typing the link into their browsers) unless they enter a correct password into the password field first? Would I need some code on every page? I tried using: if (stristr($_SERVER['PHP_SELF'], "mainmenu.php")) { Header("Location: start.php"); } on each page, but it doesn't work. Please help! Quote Link to comment Share on other sites More sharing options...
lemmin Posted March 19, 2008 Share Posted March 19, 2008 You should use a session and just check if a certain session variable has been defined on every secure page. Quote Link to comment Share on other sites More sharing options...
bobinindia Posted March 19, 2008 Share Posted March 19, 2008 I would set a $_SESSION['password'] that must be met before any of the password protected pages can be opened. if ($_SESSION['password'] == $password) {//ok show page! }else{ exit;} Something along those lines 1 Quote Link to comment Share on other sites More sharing options...
Braveheartt Posted March 19, 2008 Author Share Posted March 19, 2008 So I create the session array on the password auth page if the password is correct, then each page there after I retrieve the data from that session array? Do I need to redefine what the session array is on each page or...? For example, can I just do on the password auth page: $_SESSION['password'] = $_POST['pass']; &password = "pass1"; then there on each page do: if($_SESSION['password'] = $password)) //Begin protected code Does it work like that? Or do I need to define the $_SESSION on each page? Quote Link to comment Share on other sites More sharing options...
lemmin Posted March 19, 2008 Share Posted March 19, 2008 The $_SESSION array is a predefined server variable. You use it when you have created a session with session_start(). Here is more information: http://us3.php.net/manual/en/ref.session.php Quote Link to comment Share on other sites More sharing options...
bobinindia Posted March 19, 2008 Share Posted March 19, 2008 On the page that has authorised your guest put: session_start(); $_SESSION['password'] = 'somedifficultword'; //Now it is set. You must put session_start() at the top of every page. On the pages that need to be verified put: session_start(); if ($_SESSION['password'] == 'somedifficultword'){ //ok. Load page }else{ exit; } //not authorised Good Luck Quote Link to comment Share on other sites More sharing options...
Braveheartt Posted March 19, 2008 Author Share Posted March 19, 2008 Password input: <?php session_start(); $_SESSION['password'] = "password"; echo "<html><center><body bgcolor='black'><img src='headert.jpg'><br /> <br /> <font color='red' size ='5'>Password required for access:</font> <form method='POST' action='auth.php'><input type='password' maxlength='20' name='pass'><br /> <br /> <input type='submit' value='Login!' name='login'></form></body></center></html>"; ?> Password auth: <?php session_start; $_SESSION['password'] = "password"; $passwordd = $_POST['pass']; if($passwordd == $_SESSION['password']) { require("mainmenu.php"); echo "<center><font color='green' size='5'>Successfully logged in, welcome tester!</font></center>"; header("Location: main.php"); } elseif($passwordd != $_SESSION['password']) { echo "<center><body bgcolor='black'><font color='red' size='5'>Incorrect password!</font></body></center>"; header("Location: start.php"); } else { header("Location: start.php"); } ?> </body></html> Included mainmenu: <?php session_start(); if($_SESSION['password'] != "password") { header("Location: start.php"); } else ?> <html> <body bgcolor="black"> <title>ZDay Bugs</title> <center><img border="0" src="headert.jpg" width="700" height="190" ALT="ZDay Testers' System"><br /> <br /> <center><font face="Verdana, ariel" color="#33CCCC" size=3>Testers' system custom coded and designed by Braveheart</font></center><br /> <br /> <a href="main.php"><img border="0" src="home.gif" width="70" height="30"></a> - <a href="../testers/bugs/bugs_main.php"><img border="0" src="bugs_home.gif" width="70" height="30"></a> - </a> <br /> <br /></center> Why isn't the above working? No matter what I do (nothing in the field, incorrect password or even the correct password) is just keeps refreshing start.php... Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted March 19, 2008 Share Posted March 19, 2008 first i would figure out which header("Location: start.php"); is getting executed by adding a GET parameter on each instance: header("Location: start.php?location=1"); header("Location: start.php?location=2"); etc. also, you can't echo before header(); you can't output anything to the browser before header. Quote Link to comment Share on other sites More sharing options...
Braveheartt Posted March 19, 2008 Author Share Posted March 19, 2008 first i would figure out which header("Location: start.php"); is getting executed by adding a GET parameter on each instance: header("Location: start.php?location=1"); header("Location: start.php?location=2"); etc. I don't understand what you mean... What about using echos instead? also, you can't echo before header(); you can't output anything to the browser before header. You can't!? So how can I make the browser redirect if someone just happens to type the link into their address bar without going through the password stage...? Do you mean a header on its own and not part of an if/elseif/else statement? Quote Link to comment Share on other sites More sharing options...
BlueSkyIS Posted March 19, 2008 Share Posted March 19, 2008 I don't understand what you mean... What about using echos instead? sure, anything. you can not, ever, echo anything before a header(); to protect pages: if ($_SESSION['password'] == $password) {//user is logged in // Show the contents of the protected page } else { // user is not logged in, send them to index.php header("location: index.php"); exit; } Quote Link to comment Share on other sites More sharing options...
Braveheartt Posted March 19, 2008 Author Share Posted March 19, 2008 if ($_SESSION['password'] == $password) {//user is logged in // Show the contents of the protected page } else { // user is not logged in, send them to index.php header("location: index.php"); exit; } So "$_SESSION['password']" I store the password in, and I don't have to redefine that on every page, what should I put into $password? And what about getting the user's input? Shoudl I use the POST method? Quote Link to comment Share on other sites More sharing options...
bobinindia Posted March 20, 2008 Share Posted March 20, 2008 On the page where you are giving permission put: <?php session_start(); //NOTHING AT ALL CAN GO BEFORE session_start(); //if logged in successfully $_SESSION['password'] = 'potatotheimaginarypassword'; ?> That is the same as setting the $password variable which is not needed in this case. Every page needing password protection. NOTHING AT ALL CAN GO BEFORE THIS: <?php session_start(); if ($_SESSION['password'] == 'potatotheimaginarypassword') {//user is logged in // Show the contents of the protected pageπ } else { // user is not logged in, send them to index.php header("location: index.php"); exit; } ?> Quote Link to comment Share on other sites More sharing options...
Braveheartt Posted March 23, 2008 Author Share Posted March 23, 2008 On the page where you are giving permission put: <?php session_start(); //NOTHING AT ALL CAN GO BEFORE session_start(); //if logged in successfully $_SESSION['password'] = 'potatotheimaginarypassword'; ?> That is the same as setting the $password variable which is not needed in this case. Every page needing password protection. NOTHING AT ALL CAN GO BEFORE THIS: <?php session_start(); if ($_SESSION['password'] == 'potatotheimaginarypassword') {//user is logged in // Show the contents of the protected pageπ } else { // user is not logged in, send them to index.php header("location: index.php"); exit; } ?> It doesn't work... I can simply type the URL of a "protected" page into the address bar and it will load up. Do I need to start a new session on every page? And shouldn't I be using a $_POST to get what actually was typed into the password box? DAMN this frustrates me . Quote Link to comment Share on other sites More sharing options...
sqlnoob Posted March 23, 2008 Share Posted March 23, 2008 why are you so hellbend on doing that? just check if a session, or cookie for that matter is present at the start of the script, if it is not present, then just echo an error message, else show what you normally be showing on the page. It's php remember the server is only spitting out raw html, not the php in the source, so you should be relatively safe. Quote Link to comment Share on other sites More sharing options...
Braveheartt Posted March 23, 2008 Author Share Posted March 23, 2008 why are you so hellbend on doing that? just check if a session, or cookie for that matter is present at the start of the script, if it is not present, then just echo an error message, else show what you normally be showing on the page. It's php remember the server is only spitting out raw html, not the php in the source, so you should be relatively safe. I don't quite understand... Quote Link to comment Share on other sites More sharing options...
sqlnoob Posted March 23, 2008 Share Posted March 23, 2008 I don't think, I quite understand what you're trying to do too ??? why use a header and then be hellbend on not displaying a page aah nevermind, this is giving me too much a headache. I'm sorry but I can't seem to help you there. Quote Link to comment Share on other sites More sharing options...
MadTechie Posted March 24, 2008 Share Posted March 24, 2008 try this <?php //VERY START of the page session_start(); if(isset($_POST['pass'])) { $_SESSION['access'] = false; $passwordd = $_POST['pass']; if($passwordd == "SecurePassword")//your password { $_SESSION['access'] = true; header("Location: access.php"); } echo "Invalid password"; } ?> echo "<html><center><body bgcolor='black'><img src='headert.jpg'><br /> <br /> <font color='red' size ='5'>Password required for access:</font> <form method='POST'><input type='password' maxlength='20' name='pass'><br /> <br /> <input type='submit' value='Login!' name='login'></form></body></center></html>"; <?php //VERY START of the page session_start(); if(!$_SESSION['access']) { header("Location: start.php"); } echo "your in "; //reset of the page ?> Quote Link to comment Share on other sites More sharing options...
bobinindia Posted March 25, 2008 Share Posted March 25, 2008 It doesn't work... I can simply type the URL of a "protected" page into the address bar and it will load up. Do I need to start a new session on every page? And shouldn't I be using a $_POST to get what actually was typed into the password box? DAMN this frustrates me . You must still be logged in. you need to log out and when doing that unset $_SESSION['password']; GOOD LUCK Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.