Prevent users from accessing member pages by entering cached url - php

I have a website where members have to log in, but I noticed that after logging out they can simply enter any page URL in the browser and go back in without using the login form. How do I prevent this?
What I mean is, I believe there is a way for me to check whether the session is valid on all pages. Even non-users can put the URL in their browsers and enter without logging in.

Use the SESSION variable in PHP.
session_start();
$_SESSION['login'] = true;
This basically creates a SESSION variable called 'login' which can be used to verify whether a user is logged in.
Now, all you have to do is check the variable like this:
session_start(); // required on every page before $_SESSION can be read
if (!empty($_SESSION['login'])) { // !empty avoids a notice when the key was never set
/* GOTO USER PAGE */
} else {
/* REDIRECT SOMEWHERE ELSE */
header('Location: login.php');
exit;
}
To create a logout button, to ensure users can't copy-paste the URL again and enter,
session_start();
$_SESSION = []; // clear the data too; session_destroy() alone leaves it in place until the next request
session_destroy();
will work just fine.
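Putting the two answers together, here is an added example (not code from either answer) of a guard file that every member page includes before producing output. The file name auth_guard.php, the session key 'user_id' and the URL /login.php are assumptions; it also sends no-cache headers so that the browser's Back button after logout does not show a cached member page, which is the "cached URL" part of the question.

```php
<?php
// Added example, not code from any answer above. The file name auth_guard.php,
// the session key 'user_id' and the URL /login.php are assumptions.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie not readable by JavaScript, HTTPS only, not sent cross-site.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Call once the password check has succeeded. Regenerating the id stops a
// session id planted before login (session fixation) from becoming logged in.
function login_user(int $userId): void
{
    start_secure_session();
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Call from logout.php. session_destroy() alone leaves the session cookie in
// the browser; clear the array and expire the cookie as well.
function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Include at the top of every member page; returns the logged-in user's id.
function require_login(): int
{
    start_secure_session();
    // Stop browsers and proxies from caching the page, so "Back" after logout
    // cannot show stale member content from the cache.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit; // never continue rendering after a redirect
    }
    return (int) $_SESSION['user_id'];
}
```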

What you need to do is create a proper login system using something like a session. There are countless tutorials you'll find about this by googling "php login tutorial with session". Here is one of those results.
At the heart of all of these are PHP Sessions, which allow you to store information for a specific client throughout their browser session. To understand sessions in php, here's a basic tutorial
Let me know if these make sense or if you have any questions :)

Related

Login page redirect using php

I have recently started web development on my WAMP server and was trying to build a simple login page using PHP and MySQL. What I simply did was, on successful authentication, redirect the user to a new page using header("Location: localhost/redirect.php"); in my PHP script.
redirect.php is a simple page which shows that you have successfully logged in.
What I want to ask is that I can simply go to redirect.php by typing localhost/redirect.php in my address bar. Is there any way in which only users who have been authenticated can visit the page... just like it works on Facebook and other websites, where we cannot enter someone's profile by just typing a URL in our address bar.
It is called URL Manipulation.
Validate the information, like the session, in the profile page.
+
Do NOT use header('Location: ...') without exit; after it. Always exit after a redirect.
header("Location: localhost/redirect.php");
exit;
Otherwise it'll load the page content and then redirect. If somebody avoids the redirect, they can see the page contents there.
Well, you could create a Cookie if a user logged in successfully.
(and maybe set the value to an md5 hash of the date, username and password, for example, and also write that to your database so you can check later whether somebody "cheated" that Cookie or not)
Then on your redirect.php you just have to look whether that Cookie exists (and maybe check the value against your database?).
Also, if you set your cookie's expiry value, you can control whether the user should be logged in only for that session or, for example, for a full month.
I'm sorry, I have not done that before, but maybe I could help you with that idea.
You can put PHP code inside the redirect.php page and make a conditional statement:
If the user is logged in, keep him on the page.
If the user is not logged in, redirect him to the login page.
You have to add this function to redirect.php
function logged_in(){
return isset($_SESSION['user_id']);
}
Then add this
session_start(); // the session must be started before $_SESSION can be read
if (logged_in() === false){
header('Location: whateverpageyouwant.php');
exit();
}
You can create a session on successful authentication and check it on the redirect.php page.
If you don't find the session on this page, then redirect the user back to the login page.
In this way you can restrict direct access to the redirect.php page.
Thanks

Access to a website only when I grant them access

I have made a registration form and a login form using PHP. The registration form saves the user's information to a database.
But as I am pretty new to PHP, I want to achieve this thing. I have also made a whole template/theme of an e-commerce website, but I want this registration form to be the entrance page, and when I grant them access, they should be able to see the whole content of my e-commerce website. When I say grant them access: once they give me the fields of the registration form, they won't be able to enter the website until I send them a password. So my question is, how can I achieve that they are not able to see the entire website? What do I need to do to protect it? I mean, do I need to add code on the registration form, on the login form, or on the template/theme?
Thanks!
Try using a $_SESSION variable. For example, create a $_SESSION['loggedIN'] variable that is initially false. The page would always verify that variable to allow or deny access to the content.
I'm guessing there is also a log-in form, right?
So, you would only allow access ($_SESSION['loggedIN']=TRUE) once the log-in form action allows it. Of course there is all the verification and database access process, but that is a simple idea to solve your problem.
You would need to add code at the login page.
The code should handle the following:
Create $_SESSION[]
Create $_COOKIE[]
Create some secret way (database) to know sessions and cookies are not forged.
At the time of page access, where access is restricted to those who are logged in,
Check $_SESSION, $_COOKIE against the secret way (database)
You need to track the registration process, for example track:
has the email been sent to the user?
when was the email sent to the user?
has the user confirmed registration?
Then set a column value verified=(boolean) in the main users table so you can check with a query whether the user is verified.
Then use sessions to store data after successful login; you need to make simple IFs after session_start() to restrict access or disable the view of content.
session_start();
if (!empty($_SESSION['role'])) { // USER_HAS_ROLE: e.g. the 'verified' role set at login from the users table
// display_content
} else {
// don't display content
}
//----------------
if (!empty($_SESSION['user_id'])) { // USER_IS_LOGGED_IN
// access website
} else {
// redirect to login page
header('Location: login.php');
exit;
}
One thing that doesn't seem to have been mentioned is that if the session loggedIn variable is false, after the header() redirect, the script should die() in case the user's browser ignores the Location: header.

Redirect to page user was trying to get to after logging in

Been reading a bit to find the answer with not too much luck.
I have a site where members can browse the site anonymously but some pages are restricted. I have the members redirected to a login page once they click a link that needs them to be logged in to view.
The problem I'm facing is I don't know how to redirect the member to the page they were trying to get to once logged in.
They tried to get to /profile.phtml, it sent them to /login.phtml, and now when they log in, I want them to be sent to /profile.phtml because that's where they clicked to get to. If they clicked /album.phtml, I want them to be sent to /album.phtml after login.
Can anyone help? Do I somehow store the URL in a session?
Much appreciated.
Just before making the header("Location:") call to redirect, store the page they're currently on in $_SESSION['redirect_to']. Upon successful login, make another header() call to redirect back to the original page and unset the session variable so it doesn't get accidentally reused anywhere.
session_start();
$_SESSION['redirect_to'] = $_SERVER['REQUEST_URI']; // e.g. "/profile.phtml", already begins with "/"
header("Location: http://example.com/login.php");
exit();
// On successful login
session_start();
$redirect = $_SESSION['redirect_to'] ?? '/'; // fall back to the home page if nothing was stored
// unset the session var
unset($_SESSION['redirect_to']);
header("Location: http://example.com" . $redirect); // no extra "/": REQUEST_URI already starts with one
exit();
You could very well use a session variable like other people are suggesting. However, I'd rather rely on HTTP_REFERER. The drawback here is that not every browser sends a referrer, but most major browsers do. It's a part of the HTTP standard and I think it's good enough. Stick this in your login script.
if (!empty($_SERVER['HTTP_REFERER'])) {
header('Location: ' . $_SERVER['HTTP_REFERER']);
exit;
}
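The session-based answer above stores the raw REQUEST_URI and the Referer answer redirects to whatever the client sent; in both cases the login page ends up redirecting to a client-supplied value. The added example below (not code from either answer) keeps the session approach but validates the stored target before redirecting, so a crafted link or a forged Referer cannot turn login.phtml into an open redirect. It assumes session_start() has already run; the function names and /home.phtml are assumptions.

```php
<?php
// Added example, not code from any answer above. Assumes session_start() has
// already been called; function names and the /home.phtml fallback are assumed.

// Before sending an anonymous visitor to the login page.
function remember_requested_page(): void
{
    $_SESSION['redirect_to'] = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: /login.phtml');
    exit;
}

// Returns $candidate only if it is a plain same-site path, else $fallback.
function safe_return_path(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    $parts = parse_url($candidate);
    // "http://evil.example" has a scheme; "//evil.example" parses with a host.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '';
    // Exactly one leading slash: browsers read "/\evil.example" as a host too.
    if ($path === '' || $path[0] !== '/' || preg_match('#^/[/\\\\]#', $path)) {
        return $fallback;
    }
    // No control characters (CR/LF would split the header if it got that far).
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// After the password check succeeds.
function redirect_after_login(): void
{
    session_regenerate_id(true); // new id for the authenticated session
    $target = safe_return_path($_SESSION['redirect_to'] ?? null, '/home.phtml');
    unset($_SESSION['redirect_to']); // one-shot, so it is not reused later
    header('Location: ' . $target);
    exit;
}
```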

Duplicate User login

Is there an option to set Duplicate user login in PHP? When I'm logged in in one tab and I open another tab, it must display "duplicate user" or "user already logged in". Kindly send me suggestions or the ways in which I can handle Duplicate user Login.
Well, store the user info in _SESSION vars.
And at the top of the page:
<?php
check_login();
And the check_login() function:
function check_login()
{
session_start();
if (isset($_SESSION['is_logged'])) {
echo "user is already logged";
} else {
echo "user is not logged";
}
}
I am sure that if you put this on top of every page, you will be able to do it.
This will work for same browser. But for different browser, it will not work.
I'm afraid you can't do it since (as far as I see) e.g. Google's dupe login can't do the trick either. When you switch accounts within Google they actually switch the user, but you can't log in with two different identities in the same browser. Maybe somehow you can trick the browser, but probably that will come with a security issue.
Btw, have you tried tricking cookies to do it?
Update:
build a database backend to manage (dupe) logins
use cookies beside sessions (store a unique value to differentiate each login)
on every page request compare your cookie > session > database to decide who requested the page
Note: this is a rough outline for the task; you'll need to take care of unique session_ids, etc.
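One concrete way to carry out the outline above, as an added example that is not code from the answer: each successful login stores a fresh random token in the users table, and every request compares the token held in the session with the stored one, so a second login (from another browser, or a new session in the same one) invalidates the first and the older session can be told it was signed in elsewhere. The table and column names and the PDO $db handle are assumptions.

```php
<?php
// Added example, not code from the answer above. Table users(id, login_token)
// and the PDO connection $db are assumptions.

// Call after the password check succeeds: mint a token, store it, bind it to
// this session. Any earlier login for the same account now holds a stale token.
function issue_login_token(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32)); // 256-bit random, unguessable
    $stmt = $db->prepare('UPDATE users SET login_token = :t WHERE id = :id');
    $stmt->execute([':t' => $token, ':id' => $userId]);
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_token'] = $token;
}

// True only while this session still holds the most recent login token.
function session_is_current(PDO $db): bool
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['login_token'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT login_token FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    // hash_equals: constant-time comparison, no timing leak on the token.
    return is_string($stored) && hash_equals($stored, $_SESSION['login_token']);
}

// Top of every protected page: evict a session that was superseded elsewhere.
function require_current_session(PDO $db): void
{
    session_start();
    if (!session_is_current($db)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php?reason=signed_in_elsewhere');
        exit;
    }
}
```

Two tabs in the same browser share one session cookie, so they share one token and both stay valid; only a second authentication replaces the token.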

PHP login user logic

I've scrapped all the tutorials that have never worked for one reason or another, and decided to roll out my own registration/login feature on my own, and to my surprise it actually works!
But what I don't get is how the logic behind keeping somebody logged in works! Like, once they've logged in, do I just $_POST their data to whatever other page they visit and once they're on the new page $_REQUEST that post data from the URL and display a message like: "yeah, you're still logged in"?
I'm a bit confused atm, so I hope this question doesn't confuse you too.
Let us say we have pages like login.php, after_login_page1.php, after_login_page2.php.
You can follow these simple steps:
Set $_SESSION['id'] = $userid; // userid from the db, in login.php
Always have session_start() in the subsequent pages like after_login_page1.php, after_login_page2.php.
Check
if (!isset($_SESSION['id'])) {
header("Location: login.php");
exit; // stop the rest of the page from being sent after the redirect
}
At the logout.php page, set $_SESSION['id'] = ''; and do a session_destroy().
The easiest imo is to use a session.
Basically this is PHP automatically setting a cookie (or adding a piece to the url, depending your configuration) on the user system and automatically loading it on each pageview. You can then add data to the session and as long as the cookie didn't expire (or was deleted) and/or you don't destroy the session, you will have that data at your disposal on each pageview the user does.
Take a look here for a small intro to sessions: http://www.htmlgoodies.com/beyond/php/article.php/3472581/PHP-Tutorial-Sessions.htm
Once they have logged in you generally have two options. Store their details or an authentication token (something that will help the PHP on the server know who is who) in a session or store it in a cookie. Both have their perks, but you will need to choose the one that works for you.
If you store data in a session, the user cannot access what you have stored, only your code can. This is helpful if you want to store say, their id or username. You can trust that it would always be their id and username, because they cannot modify it.
With cookies, the user can access and modify them because they are stored on their local machines. Because of this, you need to be a bit more sneaky and hash the users details, then verify who it is with some server-side logic. It's a little more complex.
A session implementation might look like this:
session_start(); //Make sure you call this at the top of EVERY page
if($passwordsMatch){
$_SESSION['user'] = $_POST['username'];
}
//Now we have access to $_SESSION['user'] on every page.
On another unrelated page:
session_start();
print "Welcome, ".$_SESSION['user'];
The easiest way to "keep users logged in" is to use PHP sessions. When you run session_start();, PHP sets a cookie with the SESSION_ID in the user's browser so it can identify this user. After that, you can set any data in the $_SESSION array, which will be saved in the session between page requests.
