Is it possible to get around PHP session checks? - php

I've got a user login field that sets the session after they're validated on the login page:
$_SESSION['user'] = $user;
$_SESSION['id'] = $id;
And on this PHP page I only want logged in users to access I have at the top:
<?php
session_start();
// redirect if either of the two session values is missing
if (!isset($_SESSION['id']) || !isset($_SESSION['user'])) {
    header('Location: http://--back to home page--');
    exit(); // added thanks to comments
}
?>
Is this enough to keep users who have not logged in off the page?
It's redirecting me back to the home page when I'm not logged in, but could people get around it?
Edit: I've added the exit(); now.

Users can bypass the HTTP Location header. Add a die(); (which is equivalent to exit();) right after it to prevent any other content from being sent to the browser.
if (!isset($_SESSION['id']) || !isset($_SESSION['user'])) {
    header('Location: http://--back to home page--');
    die();
}
Other than that, note that a user can change the PHPSESSID cookie. If they find the id of an active session with the variables in question set, they will gain access to the page.
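The answer above says a client can simply ignore the Location header. The following is an added example, not code from the original question or answer: a small PHP command-line client that requests a protected page without following the redirect and reports whether the protected content was still sent in the body. The URL http://localhost/protected.php and the marker text "Welcome back" are assumptions; replace them with your own page and a string that only appears for logged-in users. It needs PHP 8 (for str_contains) and the http stream wrapper.

```php
<?php
// Added example (not from the original post): fetch a protected page the way a
// client that ignores the Location header would, and check whether the body
// still carries content that only logged-in users should see.
declare(strict_types=1);

/**
 * Request $url WITHOUT following redirects. Returns status line, raw headers
 * and body, or null if the request itself failed (DNS, refused connection, ...).
 */
function fetchWithoutRedirect(string $url): ?array
{
    $ctx = stream_context_create([
        'http' => [
            'method'          => 'GET',
            'follow_location' => 0,     // do NOT honour Location
            'ignore_errors'   => true,  // keep the body on non-2xx statuses
            'timeout'         => 5,
        ],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        return null;
    }
    // $http_response_header is populated in this scope by the http wrapper
    return [
        'status'  => $http_response_header[0] ?? '',
        'headers' => $http_response_header,
        'body'    => $body,
    ];
}

/**
 * The guard is broken if the server answered with a redirect (3xx plus a
 * Location header) but the body still contains the protected marker, which is
 * exactly what happens when header() is not followed by exit().
 */
function redirectLeaksContent(array $resp, string $marker): bool
{
    $isRedirect  = (bool) preg_match('#^HTTP/\S+\s+30[1237]#', $resp['status']);
    $hasLocation = false;
    foreach ($resp['headers'] as $h) {
        if (stripos($h, 'Location:') === 0) {
            $hasLocation = true;
        }
    }
    return $isRedirect && $hasLocation && str_contains($resp['body'], $marker);
}

// Usage: run from the shell as `php check_redirect.php` (assumed URL and marker).
$resp = fetchWithoutRedirect('http://localhost/protected.php');
if ($resp === null) {
    fwrite(STDERR, "request failed\n");
    exit(2);
}
echo $resp['status'], "\n";
if (redirectLeaksContent($resp, 'Welcome back')) {
    echo "FAIL: redirect sent, but protected content was still delivered (missing exit() after header())\n";
    exit(1);
}
echo 'OK: body is ', strlen($resp['body']), " bytes and does not contain the marker\n";
```

The same check can be done with curl by not passing -L and printing the body; the point is to look at what the server actually sends, not at what the browser shows after it has followed the redirect.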

Related

Check if user is logged in and make page unreachable

What is the best way to check if a user is logged in and, if not, make the page unreachable for him?
What does this code need to make it complete and safe:
if (isset($_SESSION['USER_ID']))
Kill the script
if (!isset($_SESSION['USER_ID']))
die();
Or print a friendly message, redirect to login page, or whatever you think is an appropriate response. Just kill the page before showing your premium content.
In the login page, add:
$_SESSION['user_id'] = $user['id'];
In the page which you want to make unreachable if not logged in, add at the top:
include ("auth.php");
auth.php
<?php
session_start();
if (empty($_SESSION['user_id'])) {
    header("Location: index.php"); // page you want to redirect to
    exit;
}
?>
Now you can include auth.php in any page which you want to make unreachable if not logged in...
First of all, you need, before any page output (even warnings and errors):
session_start();
So your code would be complete as follow:
session_start();
if (!isset($_SESSION['USER_ID'])) {
header ("Location: login.php");
die;
}
If USER_ID can never be blank, it is better to check for that too:
if (!isset($_SESSION['USER_ID']) || $_SESSION['USER_ID'] === '')
As a personal method for a more complex login check: generate a random token when the user logs in, store it in the database and put it in an extra session variable. Then check that the user_id session value and the random token session value match by doing a database check. This will prevent attacks by any type of fraud in session and cookie names.
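The answers above make four separate points: session_start() before any output, exit after the redirect, a blank check on the stored ID, and a per-login random token verified against the database. The following auth include is an added example that combines them; it is not code from the original answers. It assumes a PDO connection in $db to a SQLite database (INSERT OR REPLACE is SQLite syntax; MySQL would use REPLACE INTO), a table created with CREATE TABLE login_tokens (user_id INTEGER PRIMARY KEY, token_hash TEXT NOT NULL), the session keys user_id, login_token and last_seen, and a site served over HTTPS (the secure cookie flag will keep the session from working over plain HTTP).

```php
<?php
// Added example, not code from the original answers. Session guard that
// combines the points made in the thread: session_start() before any output,
// exit after the redirect, a fresh session ID at login, and a per-login random
// token stored server-side so that a guessed or fixated PHPSESSID alone is not
// enough. Table `login_tokens` and the PDO connection are assumptions.
declare(strict_types=1);

function secureSessionStart(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // refuse session IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,                     // assumes HTTPS
        'httponly' => true,                     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call only after the user's credentials have been verified. */
function loginUser(PDO $db, int $userId): void
{
    secureSessionStart();
    session_regenerate_id(true);                // drop any pre-login (possibly fixated) ID
    $token = bin2hex(random_bytes(32));         // 256-bit per-login token
    $stmt  = $db->prepare('INSERT OR REPLACE INTO login_tokens (user_id, token_hash) VALUES (?, ?)');
    $stmt->execute([$userId, hash('sha256', $token)]);
    $_SESSION['user_id']     = $userId;
    $_SESSION['login_token'] = $token;
    $_SESSION['last_seen']   = time();
}

/** Put at the top of every protected page. Never returns for a guest. */
function requireLogin(PDO $db, string $loginUrl = 'login.php', int $idleSeconds = 1800): int
{
    secureSessionStart();
    $ok = isset($_SESSION['user_id'], $_SESSION['login_token'], $_SESSION['last_seen'])
        && is_int($_SESSION['user_id'])
        && (time() - (int) $_SESSION['last_seen']) <= $idleSeconds;
    if ($ok) {
        // the session alone is not trusted: the token must still match the DB
        $stmt = $db->prepare('SELECT token_hash FROM login_tokens WHERE user_id = ?');
        $stmt->execute([$_SESSION['user_id']]);
        $stored = $stmt->fetchColumn();
        $ok = $stored !== false
           && hash_equals((string) $stored, hash('sha256', (string) $_SESSION['login_token']));
    }
    if (!$ok) {
        session_unset();
        session_destroy();
        header('Location: ' . $loginUrl, true, 302);
        exit; // the redirect alone does not stop the rest of the page being sent
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

/** Logout must also kill the server-side token, or the old session ID stays usable. */
function logoutUser(PDO $db): void
{
    secureSessionStart();
    if (isset($_SESSION['user_id'])) {
        $db->prepare('DELETE FROM login_tokens WHERE user_id = ?')->execute([$_SESSION['user_id']]);
    }
    session_unset();
    session_destroy();
}
```

In login.php, after the password check succeeds, call loginUser($db, (int) $user['id']); then header('Location: mypage.php'); exit;. In each protected page the first lines are require 'auth.php'; $userId = requireLogin($db);. Because the token hash is looked up on every request, deleting a user's row logs that user out everywhere immediately, which a session-only check cannot do.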

PHP- How can I restrict access to a page?

I have multiple pages that need to be protected depending on the user privilege. I have PHP to check the current session variable upon page load.
Page being tested; the PHP code is placed above the !DOCTYPE. This code is supposed to check for not-logged-in customers: if not logged in or no session variable set, redirect to the error page; otherwise do nothing and load the page normally.
<?php
if (!isset($_SESSION["username"])){
header("location: error.php");
}
?>
My session variables are only set after logging in; after logging in the user is redirected to the page referred to above:
if (mysqli_num_rows($results6) < 1) { //$results6 is a query to check if the user exists in the users database
$logInMsg = "invalid log in";
} else {
session_start();
$_SESSION["username"] = $uName; //$uName is a user input user name
header("location: pageabove.php");
}
The problem is that even after logging in I still get redirected to the error page.
That would be because you haven't started the session yet. You need to specify a session start on each page that you intend to use sessions in (Read more about session_start()):
<?php
session_start(); // start session
// do check
if (!isset($_SESSION["username"])) {
header("location: error.php");
exit; // prevent further execution, should there be more code that follows
}
This is for everything. On your login page and all. Anywhere you want to harness the sessions, you need to start it, otherwise it's "lost in the wind".
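The question mentions pages that need to be protected "depending on the user privilege", which the logged-in check above does not cover by itself. The following is an added example, not the asker's or answerer's code: a guard that records a role at login and lets each page state the minimum privilege it requires. The role names (customer, staff, admin), error.php and the $_SESSION keys username and role are assumptions; the role must come from the user's database row, never from the login form.

```php
<?php
// Added example, not code from the original question or answer. Adds an
// authorization (privilege) check on top of the logged-in check. The role
// hierarchy, error.php and the session keys are assumptions.
declare(strict_types=1);

const ROLE_RANK = ['customer' => 1, 'staff' => 2, 'admin' => 3]; // assumed hierarchy

/** Start the session once, before any output, so $_SESSION is populated. */
function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/** Record identity and privilege at login. $role is the value from the DB row. */
function recordLogin(string $username, string $role): void
{
    ensureSession();
    if (!array_key_exists($role, ROLE_RANK)) {
        throw new InvalidArgumentException("unknown role: $role");
    }
    session_regenerate_id(true);        // new ID once the user is authenticated
    $_SESSION['username'] = $username;
    $_SESSION['role']     = $role;
}

/** True when a logged-in user holds at least $minRole. Unknown roles never pass. */
function hasPrivilege(string $minRole): bool
{
    ensureSession();
    $role = $_SESSION['role'] ?? null;
    if (!isset($_SESSION['username']) || !is_string($role)
        || !array_key_exists($role, ROLE_RANK) || !array_key_exists($minRole, ROLE_RANK)) {
        return false;
    }
    return ROLE_RANK[$role] >= ROLE_RANK[$minRole];
}

/** First statement of each protected page, e.g. requirePrivilege('staff'); */
function requirePrivilege(string $minRole, string $errorUrl = 'error.php'): void
{
    if (!hasPrivilege($minRole)) {
        header('Location: ' . $errorUrl);
        exit; // stop here, or the rest of the page is sent along with the redirect
    }
}
```

A customer-only page calls requirePrivilege('customer'), an admin page requirePrivilege('admin'); a guest fails both because no username is in the session, and a customer fails the second because the rank comparison does. Keeping the rank table in one place means a new role is added once rather than in every page's if statement.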

How to secure my PHP webpage from unauthorized Users

I am new to PHP and facing a problem with security.
I use this to redirect unauthorized users if they are not logged in.
<?php
session_start();
if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit; // stop the protected content from being sent along with the redirect
}
?>
It is at the top of every page, but when I log in and click my protected page it redirects to the login page instead of opening the original/protected page. My session variable is set on my login page; how do I include this session variable in my protected page from the login page?
If, when you log in, it sends you to the login page, then $_SESSION['user_id'] may not be set, or you aren't including the session in your file. To check it, do:
var_dump($_SESSION['user_id']);
on the page, and temporarily leave out the header. If the var_dump returns NULL, it means $_SESSION['user_id'] is not set.
Try this:
if (!isset($_SESSION['user_id'])) {
    // The user id variable is not set. Therefore, the user is most likely a guest.
    $_SESSION['user_id'] = 0; // assignment, not comparison
}
if ($_SESSION['user_id'] == 0) {
    // The user does not have a user id set. We assume, therefore, that they are a guest.
    header("Location: login.php");
    exit;
}
Also, in your login script, ensure that you are setting $_SESSION['user_id'] to anything other than 0.

Login Page in PHP

I created a login page in PHP named index.php. Now when the user logs in it redirects to mypage.php. The login works fine. But mypage.php also opens when I type the URL of mypage.php even without logging in. I want the user to have to be logged in to see mypage.php, and in case he changes the URL in the browser an error message should be triggered. What to do?
1.localhost/index.php
2.localhost/mypage.php
In index.php, once the user gets logged in successfully, set a session variable, like $_SESSION['login'] = true; before the redirect. If the login is invalid, use $_SESSION['login'] = false; Don't forget to start the session at the top of the page: session_start();
In mypage.php, check if that session variable is set or not. If not set, throw an error, else show the page.
session_start();
if (isset($_SESSION['login']) && $_SESSION['login'] == true) {
    echo 'You are welcome';
} else {
    // header() must come before any output, or the redirect is not sent
    header('Location: index.php');
    echo 'redirecting to login page';
    exit;
}
How are you storing the state of being 'logged in'?
You'll need to have your mypage.php check a variable that has been set by the index.php's successful login process.
Can you paste your code here and I can take a look
In order for a login to work correctly, your "secure" page (I use that term relatively because nothing is truly secure) needs to have some sort of validation conditional. In other words you need to have some way of determining if the user is logged in.
A simple way to do this in PHP is to set a session variable when you process the user's credentials. For example:
When the user successfully logs in set a session variable like so:
$_SESSION['isLoggedIn'] = true;
Then on the mypage.php check to see if the variable is set:
if(!isset($_SESSION['isLoggedIn']) || $_SESSION['isLoggedIn'] != true) {
header("Location: index.php");
exit;
}
Please also note, it is imperative if you are using sessions that you have session_start(); as the first line of all of your files. This allows $_SESSION variables that were set on a separate page to be able to be read on the current page.
Hope this helps.

Displaying pages for only signed in users

I have created a membership system and only signed-in users can enter comments. But, without signing in, everyone can access every page by typing the name of the PHP file in the address bar. How can I redirect non-registered users to the homepage?
Thanks
You have to create a session if a user has successfully logged in:
session_start(); // best to put this at the top of the first php file that's called, preferably on every page
// check user credentials; $validCredentials stands for the result of your own check
if (!$validCredentials) {
    header('Location: login.php');
    exit();
}
$_SESSION['user'] = 'username';
And in the php file where you want to check:
session_start(); // best to put this at the top of the first php file that's called, preferably on every page
if (!isset($_SESSION['user'])) {
header('Location: login.php');
exit();
}
That's just as easy as an if statement:
// login_check() is your own function that returns true for a logged-in user
if (login_check()) {
    // Show the page
} else {
    header('Location: adresse');
    exit();
}
That depends on how you identify logged in users, is it a session? a cookie? You should use those methods to test for the logged in status. If the user is not logged in, you should send a Location header to redirect him to the home page.
header('Location: index.php'); die();
You die(); afterwards to prevent the rest of the code from running.
Note: You must send it BEFORE any output is sent, otherwise it won't work.
