2

I am very new to php (started learning it 4 days ago) and I got many questions...

I have a login page named index.php and after the login/verification of username process, the user is taken to chat.php which has a link to some other php page called someOtherPage.php... My question is, how to prevent users from directly going to someOtherPage.php without logging in by typing this in the url like "www.nameOfMyWebsite.com/someOtherPage.php/"

And after this question is answered, I wish to ask few more on php... Is it valid to ask a slightly unrelated question(with respect to the title) in the same thread?

BLOB
  • "And after this question is answered, I wish to ask few more on php... Is it valid to ask a slightly unrelated question(with respect to the title) in the same thread?" As far as I know it is usually 1 question per thread. Only if they are related to each other they are asked in one thread – Thomas Nov 29 '12 at 08:49
  • http://stackoverflow.com/questions/1142101/php-authentication-script http://stackoverflow.com/questions/2179520/whats-the-best-way-to-do-user-authentication-in-php – Shahrokhian Nov 29 '12 at 08:51

3 Answers

7

You need to maintain a session for when users are logged in. At the point of login, set a session variable with their username or user ID. Then on the protected page, check if this session variable is present, before allowing them to view the page.

A basic example:

On successful login:

session_start();
$_SESSION['userId'] = $userId; // ID of the user who just authenticated

On requesting the protected page:

session_start(); // must run before $_SESSION is read

if(!isset($_SESSION['userId']))
{
    // not logged in
    header('Location: login.php');
    exit();
}

More info about PHP Sessions.

MrCode
  • So I need to add session_start() function and the isset('userId') function to all of my pages to restrict access to them... That solves it.. I did not think of that.. – BLOB Nov 29 '12 at 08:57
  • @BLOB yes. Consider accepting this answer if it solved your problem. If you have other questions, ask a new question to keep them separate. – MrCode Nov 29 '12 at 08:59
  • and by the way... a simple list of security tips for a newbie like me would be useful.. – BLOB Nov 29 '12 at 08:59
  • Have a search for PHP Session Security, and have a look at the link I gave, there's lots of useful security info. – MrCode Nov 29 '12 at 09:01
  • Doing it now... Thanks MrCode – BLOB Nov 29 '12 at 09:13
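
The login-time assignment and the per-page check from the answer above, collected into one include file so the check is not copied by hand into every page. This is an added example, not code from the original posts; the file name auth_guard.php and the function names are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// auth_guard.php (hypothetical file name): include it from every page that uses the session.

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Keep the session cookie away from JavaScript and reject
        // session IDs that the server did not issue.
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
}

// Call once in index.php, after the username/password check has succeeded.
function login_user(int $userId): void
{
    start_session();
    session_regenerate_id(true); // fresh ID at login, so a pre-set ID is useless
    $_SESSION['userId'] = $userId;
}

// Call at the very top of chat.php, someOtherPage.php, ... before any output.
function require_login(): int
{
    start_session();
    if (!isset($_SESSION['userId'])) {
        header('Location: index.php');
        exit(); // without exit the rest of the protected page still runs
    }
    return (int) $_SESSION['userId'];
}

// Call from the logout page.
function logout_user(): void
{
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage at the top of someOtherPage.php:
//   require __DIR__ . '/auth_guard.php';
//   $userId = require_login();
```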
1

Most of the time session variables are used to accomplish what you want to do. The session itself is initiated with session_start() at the beginning of each page.

The login page then sets a session variable after a successful login: $_SESSION['userId']=$userId; //whatever the id is.

And the 2nd page uses an if to see if the session variable is set.

if (isset($_SESSION['userId']))
{
     // ... here is your page text
}
else
{
     echo 'Sorry please login first before visiting this page!'; //also a redirect can be made here instead.
}

And if you have a logout page you use session_destroy() there (after also using session_start() at the beginning of the page).

Thomas
1

Put this at the top of every page

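session_start(); // must run before $_SESSION is read

if(!isset($_SESSION['xxx']))
{
   // not logged in: go to the login page (skip this redirect on index.php itself)
   header('Location: index.php');
   exit();
}
else
{
   // logged in: go to home.php; keep this branch on the login page only,
   // on any other page it would send every logged-in user away from it
   header('Location: home.php');
   exit();
}
//xxx is the session variable name you set after login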
Echilon
Tapas Pal