Redirecting.

[Braveheartt]

Hello.

 

I have a page which requires a password to continue to the other pages with a menu etc. How could I make sure no one could access ANY of the other pages (for example, a link or typing the link into their browsers) unless they enter a correct password into the password field first? Would I need some code on every page?

 

 

I tried using:

 

if (stristr($_SERVER['PHP_SELF'], "mainmenu.php")) 
{  Header("Location: start.php"); }

 

on each page, but it doesn't work. Please help!

[lemmin]

You should use a session and just check if a certain session variable has been defined on every secure page.

[bobinindia]

I would set a $_SESSION['password'] that must be met before any of the password protected  pages can be opened.

if ($_SESSION['password'] == $password) {//ok
show page!
}else{
exit;}

Something along those lines

1

[Braveheartt]

So I create the session array on the password auth page if the password is correct, then each page there after I retrieve the data from that session array? Do I need to redefine what the session array is on each page or...?

 

For example, can I just do on the password auth page:

 

 

$_SESSION['password'] = $_POST['pass'];
&password = "pass1";

 

then there on each page do:

 

if($_SESSION['password'] = $password))
   //Begin protected code

 

 

Does it work like that? Or do I need to define the $_SESSION on each page?

[lemmin]

The $_SESSION array is a predefined server variable. You use it when you have created a session with session_start(). Here is more information:

http://us3.php.net/manual/en/ref.session.php

[bobinindia]

On the page that has authorised your guest put:

session_start();
$_SESSION['password'] = 'somedifficultword';
//Now it is set. You must put session_start() at the top of every page.

 

On the pages that need to be verified put:

session_start();
if ($_SESSION['password'] == 'somedifficultword'){
//ok. Load page
}else{
exit;
}
//not authorised

Good Luck

[Braveheartt]

Password input:

<?php session_start(); 
$_SESSION['password'] = "password";
echo "<html><center><body bgcolor='black'><img src='headert.jpg'><br />
     <br />	
     <font color='red' size ='5'>Password required for access:</font>
     <form method='POST' action='auth.php'><input type='password' maxlength='20' name='pass'><br />
     <br />	
     <input type='submit' value='Login!' name='login'></form></body></center></html>";

?>

 

Password auth:

<?php    
session_start;
$_SESSION['password'] = "password";
$passwordd = $_POST['pass'];

if($passwordd == $_SESSION['password'])
  { require("mainmenu.php"); 
    echo "<center><font color='green' size='5'>Successfully logged in, welcome tester!</font></center>"; 
        header("Location: main.php"); }
     
elseif($passwordd != $_SESSION['password'])
   { echo "<center><body bgcolor='black'><font color='red' size='5'>Incorrect password!</font></body></center>";
      header("Location: start.php"); }   
      
else
   { header("Location: start.php"); }

        ?> 
</body></html>

 

Included mainmenu:

<?php 
session_start(); 
   if($_SESSION['password'] != "password")
    { header("Location: start.php"); } 
    else ?>
<html>
<body bgcolor="black">
<title>ZDay Bugs</title> 
<center><img border="0" src="headert.jpg" width="700" height="190" ALT="ZDay Testers' System"><br />
<br />	
<center><font face="Verdana, ariel" color="#33CCCC" size=3>Testers' system custom coded and designed by Braveheart</font></center><br />		
<br />	
<a href="main.php"><img border="0" src="home.gif" width="70" height="30"></a> -
<a href="../testers/bugs/bugs_main.php"><img border="0" src="bugs_home.gif" width="70" height="30"></a> -
</a> 
<br />
<br /></center>

 

Why isn't the above working? No matter what I do (nothing in the field, incorrect password or even the correct password) is just keeps refreshing start.php...

 

[BlueSkyIS]

first i would figure out which header("Location: start.php"); is getting executed by adding a GET parameter on each instance:

 

header("Location: start.php?location=1");



header("Location: start.php?location=2");



etc.

 

also, you can't echo before header(); you can't output anything to the browser before header.

[Braveheartt]

first i would figure out which header("Location: start.php"); is getting executed by adding a GET parameter on each instance:

 

header("Location: start.php?location=1");



header("Location: start.php?location=2");



etc.

 

I don't understand what you mean... What about using echos instead?

 

 

also, you can't echo before header(); you can't output anything to the browser before header.

 

You can't!? So how can I make the browser redirect if someone just happens to type the link into their address bar without going through the password stage...?

 

 

Do you mean a header on its own and not part of an if/elseif/else statement?

[BlueSkyIS]

I don't understand what you mean... What about using echos instead?

 

sure, anything.

 

you can not, ever, echo anything before a header();

 

to protect pages:

 

if ($_SESSION['password'] == $password) {//user is logged in
   // Show the contents of the protected page

} else { // user is not logged in, send them to index.php
    header("location: index.php");
    exit;
}

[Braveheartt]

if ($_SESSION['password'] == $password) {//user is logged in
   // Show the contents of the protected page

} else { // user is not logged in, send them to index.php
    header("location: index.php");
    exit;
}

 

So "$_SESSION['password']" I store the password in, and I don't have to redefine that on every page, what should I put into $password? And what about getting the user's input? Shoudl I use the POST method?

[bobinindia]

On the page where you are giving permission put:

<?php
session_start();
//NOTHING AT ALL CAN GO BEFORE session_start();
//if logged in successfully
$_SESSION['password'] = 'potatotheimaginarypassword';
?>

That is the same as setting the $password variable which is not needed in this case.

 

 

Every page needing password protection. NOTHING AT ALL CAN GO BEFORE THIS:

<?php
session_start();
if ($_SESSION['password'] == 'potatotheimaginarypassword') {//user is logged in
   // Show the contents of the protected pageπ

} else { // user is not logged in, send them to index.php
    header("location: index.php");
    exit;
}
?>

[Braveheartt]

On the page where you are giving permission put:

<?php
session_start();
//NOTHING AT ALL CAN GO BEFORE session_start();
//if logged in successfully
$_SESSION['password'] = 'potatotheimaginarypassword';
?>

That is the same as setting the $password variable which is not needed in this case.

 

 

Every page needing password protection. NOTHING AT ALL CAN GO BEFORE THIS:

<?php
session_start();
if ($_SESSION['password'] == 'potatotheimaginarypassword') {//user is logged in
   // Show the contents of the protected pageπ

} else { // user is not logged in, send them to index.php
    header("location: index.php");
    exit;
}
?>

 

It doesn't work... I can simply type the URL of a "protected" page into the address bar and it will load up.

 

Do I need to start a new session on every page? And shouldn't I be using a $_POST to get what actually was typed into the password box?

 

DAMN this frustrates me .

[sqlnoob]

why are you so hellbend on doing that?

 

just check if a session, or cookie for that matter is present at the start of the script, if it is not present, then just echo an error message, else show what you normally be showing on the page.

 

It's php remember the server is only spitting out raw html, not the php in the source, so you should be relatively safe.

[Braveheartt]

why are you so hellbend on doing that?

 

just check if a session, or cookie for that matter is present at the start of the script, if it is not present, then just echo an error message, else show what you normally be showing on the page.

 

It's php remember the server is only spitting out raw html, not the php in the source, so you should be relatively safe.

 

I don't quite understand...

[sqlnoob]

I don't think, I quite understand what you're trying to do too  ???

 

why use a header and then be hellbend on not displaying a page

 

aah nevermind, this is giving me too much a headache. I'm sorry but I can't seem to help you there.

[MadTechie]

try this

 

<?php
//VERY START of the page
session_start();
if(isset($_POST['pass']))
{
$_SESSION['access'] = false;
$passwordd = $_POST['pass'];
if($passwordd == "SecurePassword")//your password 
{
$_SESSION['access'] = true;
header("Location: access.php");
}
echo "Invalid password";
}
?>

echo "<html><center><body bgcolor='black'><img src='headert.jpg'><br />
     <br />	
     <font color='red' size ='5'>Password required for access:</font>
     <form method='POST'><input type='password' maxlength='20' name='pass'><br />
     <br />	
     <input type='submit' value='Login!' name='login'></form></body></center></html>";

 

<?php
//VERY START of the page
session_start();
if(!$_SESSION['access'])
{
header("Location: start.php");
}
echo "your in ";
//reset of the page 
?>

 

[bobinindia]

It doesn't work... I can simply type the URL of a "protected" page into the address bar and it will load up.

 

Do I need to start a new session on every page? And shouldn't I be using a $_POST to get what actually was typed into the password box?

 

DAMN this frustrates me .

You must still be logged in.

you need to log out and when doing that unset $_SESSION['password'];

 

GOOD LUCK