I have made a registration form and a login form using PHP.The registration form saves user's information to a database.
But as I am pretty new to PHP I want to achieve this think. I have also made a whole template/theme of an e-commerce website but I want as an entrance page to be this registration form and when I grant them access to be able to see the whole content of my e-commerce website.While i say grant them access when they give me the fields of the registration form,they wont be able to enter the website until I send them a password.So my question is how can i achieve not be able to see the entire website?What I need to do to protect it? i mean I need to add code on the registration form? on the login form or the template/theme?
Thanks!
try using a $_SESSION variable. For example, create a $_SESSION['loggedIN'] variable that is initally false. The page would always verify that variable to allow or deny access to the content.
I'm guessing there is also a log-in form, right?
So, you would only allow acces ($_SESSION['loggedIN']=TRUE) once the log-in form action allows it. Of course there is all the verification and database access process, but that is a simple idea to solve your problem.
You would need to add code at the login page.
The code should handle the follwing:
Create $_SESSION[]
Create $_COOKIE[]
Create some secret way (databse) to know sessions and cookies are not forged.
At the time or page access is restricted to those who are logged in,
Check $_SESSION, $_COOKIE against the secret way (database)
you need to track the registration process, for example track
has been the email sended to user?
when was the email sended to user?
has user confirmed registration?
then set a column value verified=(boolean) to the main users table to check with a query if user is verified
then use sessions to store data after successful login, you need to make simple IFs after session_start() to restrict access or disable view of content.
if(USER_HAS_ROLE){
// display_content
}else{
// don't display content
}
//----------------
if(USER_IS_LOGGED_IN){
// access website
}else{
// redirect to login page
}
One thing that doesn't seem to have been mentioned is that if the session loggedIn variable is false, after the header() redirect, the script should die() in case the user's browser ignores the Location: header.
Related
I have a few scripts all linked to the same SQL database, but each one has its own admin.php
I have created links to the other admin.php(s) in the one I would consider the main admin panel.
as it is the same user name and ID how can I get the links to fill and submit the login details so I only have to login on the first admin panel and not each time a click a link to a new one
any help appreciated
You probably want to store some kind of authentication information in session data. Each time you access a script, it will check the session variables for some kind of security token. If it's there, it can use that to determine who has logged-in.
At the top of each PHP script (before you've output any HTML), include a call to session_start(). This will enable session information. You can then read/write elements in the $_SESSION superglobal array.
If you want the browser to remember the login for subsequent visits, you could also use cookie data. Just be aware that cookies are not particularly secure, so don't store usernames and passwords in them directly. Use some a unique encrypted/hashed token instead.
I have a website where members have to login but I noticed after logging out they can simply enter any page url in browser and go back in without using the login form, how do I prevent this.
What I mean is I believe there is a way for me to check if the session is valid on all pages. Even non users can put the url in their browsers and enter without logging in.
Use the SESSION variable in PHP.
session_start();
$_SESSION['login'] = true;
This basically creates a SESSION variable called 'login' which can be used to verify whether a user is logged in.
Now, all you have to do is check the variable like this :
if($_SESSION['login'] == true){
/*GOTO USER PAGE*/
}else{
/*REDIRECT SOMEWHERE ELSE */
}
To create a logout button, to ensure users can't copy-paste the URL again and enter,
session_destroy();
will work just fine.
What you need to do is create a proper login system using something like a session. There are countless tutorials you'll find about this by googling "php login tutorial with session". Here is one of those results.
At the heart of all of these are PHP Sessions, which allow you to store information for a specific client throughout their browser session. To understand sessions in php, here's a basic tutorial
Let me know if these make sense or if you have any questions :)
I've searched on this and I'm still not sure. In asp.net, I can programmatically login a user on the server side...and I'm not talking about a client-side script that fills in the forms automatically when they pull up the site. I can check something server-side and, if true, log them into the site. If false I can redirect to a user name/password form and make them type in the user name and password.
Is it possible to do something similar in PHP?
I have something I would like to do, but it sure would be nice not to waste time on something if it isn't even possible to begin with
Thanks!
-=-=-=
In asp.net the process works like this:
call uservalidate method to see if the credentials are correct
call formsauthentication.setauthcookie to set the authentication cookie
redirect user to predetermined page
e.g.,
Response.Cookies.Remove(FormsAuthentication.FormsCookieName);
FormsAuthentication.SetAuthCookie("username", false);
Response.Redirect("samepage.aspx");
Only on the redirect does the ticket get processed.
Sure it can - you need to read up on PHP Sessions.
You accept the user's credentials via a standard POST request sent from a form.
Take the credentials and check if they match (usually by querying a DB).
If they do, set a session variable to indicate the user has authenticated ($_SESSION['user_is_authenticated'] = true);
Check in your subsequent pages that needs to be secured if the user is authenticated or not - if he's not, redirect to login page: if (!$_SESSION['user_is_authenticated']) header('location:login.php');
I don't know ASP, but you'd simply just set the session in PHP. For example, if your login scripts looks for a user object in the session, you'd just load that user from your datasource and load it into the session. You'd also need to set whatever other flags you might be checking.
This is a common requirement when you want to give admins the ability to login as a user in your site.
I'm directing users to a page on my site from email (possibly an email client). When they reach the site they are presented with login screen and the address where they were headed is lost.
How can I capture the entire address that they were trying to visit, so that I can redirect them to it once they log in?
You need to capture the address as you redirect them to the login page, (ie when you check if they are logged in) I'd recommend storing it in a session. A very quick method would be to redirect to /login.php?from=store.php for example, however this is not the best way as the $_GET['from'] could be hijacked to redirect the user somewhere else, which is why I use $_SESSION to store this value.
First of all, I don't know much about Symfony so I will let you know what I do in PHP.
There are a few techniques I use depending on the app.
Option 1: I send the user to the page they are to log into, e.g. mydomain.com/landing.php and set a SESSION variable with the URL before redirecting to the login form. When the login is performed successfully there is a header function that will redirect to the originating page where the logged in user can now interact with the page.
Option 2: I create a login function and where there is no login SESSION or COOKIE the form is called, upon submitting the form using action="<? echo $_SERVER['PHP_SELF']; ?> I set a POST variable and before any HTML tag is called I have something like
if(isset($_POST['run_login'])) {
include('my_login_handler.php');
}
This takes care of the login activity and doesn't require any redirection to the target page as it is handled inline.
Option 3: Like option 2, I create a login function here there is no login SESSION or COOKIE, but this time I POST the data to my_login_handler.php rather than including it. Upon successful authentication to the site I call header('Location: '.$_SERVER['HTTP_REFERER']); that will redirect to the referring page meaning I don't need to set any special COOKIES or SESSION variables to handle to redirect back to the target page.
The right option, regardless if it is here or not, is going to depend on your application and what you can/need to do. So have a play with the various suggestions and see what works best in the application you're currently working on.
Good luck!
I want to log in the user after he registrered.
So, you login in a form with POST method. Now i was thinking about doing it this way:
header("index.php?doLogin=Login&user_email=$usr_email&pass=$data[pwd]");
But then, when you login its POST and not GET,
// Log in
if (isset($_POST['doLogin']) && $_POST['doLogin'] == 'Login')...
So what do I do? Another idea doing this maybe?
When user logging in you check the user credentials against DB then save state to session, right?
Just do that after user register, no need to send user to some page. Just do it on the same file, the registration takes place.
Its not really good to send the password over the URL. Send it over POST. Do you set a SESSION variable in your Login functions?
When you set the SESSION variable its easier to set the same variable direct after the registration and then redirect to the index.php.