Prevent user to access if has not logged in - php

I am currently working on developing a simple web system, so a user will first be directed to a login page, then a processing page. If the account data provided is correct, the user will be directed to the main page to carry out some actions, and at last can log out.
So what I want to ask is: how can I prevent users from accessing the processing, main or logout page before they log in? I mean, if I do not limit it, the login action is by some means useless. I am using WAMP to develop the web system.
I have considered making use of the session variable; however, I have no idea how to check the value of the variable. If I start a session at the login page, and I skip the login page and go directly to the main page, do I have those session variables present in the main page?

1) Add session_start(); at the top of the php page to initialize sessions.
2) Add if statement
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == 1) { /* show page */ } else { /* show login page */ }
3) Create a login form which validates data, if data is correct then it adds $_SESSION['logged_in'] = 1; and redirects to profile page with logout button.
That's all :)!
I suggest that you check some tutorials, since it will give you some more information how to do that - http://www.intechgrity.com/create-login-admin-logout-page-in-php-w/ or any other link via google - "How to create login/logout functions with SESSIONS".
About your question, in each page you will put session_start(); at the start of the file, they will have all sessions you have specified for user.
EDIT:
Added few useful links -
http://www.php.net/manual/en/book.session.php
http://www.tizag.com/phpT/phpsessions.php/
http://www.w3schools.com/php/php_sessions.asp

Well, this is what I will do. Check with an if statement if a session variable that holds, for example, the username from the login page exists, then if it doesn't, show an error 404 page, or redirect the user to any error page... you might want to create that yourself anyway (so that it redirects them back to the login page).
<?php
session_start();
// No username in the session means the visitor has not logged in.
if (empty($_SESSION['username'])) {
    // header() takes the status line first; the third argument sets the response code.
    header("HTTP/1.1 404 Not Found", true, 404);
    exit;
}
?>
You could also create a new file and place this code there so that you call it on every page that will require a user to log in before accessing it.

But try to access a non-login page for the first time and you will be redirected to the login page; then try to access the same non-login page a second time and you'll already have access even though you didn't log in.
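The answers above (session check, redirect followed by exit, one shared file included on every protected page) put together as an added example; it is not code from any of the posters. The file name auth_guard.php, the function names and the user_id session key are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// auth_guard.php (hypothetical name). On every protected page:
//     require __DIR__ . '/auth_guard.php';
//     require_login();

// Harden the session cookie before the session starts.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'httponly' => true,     // cookie is not readable from JavaScript
    'samesite' => 'Lax',
    'secure'   => $https,   // only sent over HTTPS when the site uses it
]);
session_start();

/** True only when the login handler has stored a user id in this session. */
function is_logged_in(): bool
{
    return isset($_SESSION['user_id']) && $_SESSION['user_id'] !== '';
}

/** Call from the login handler, after the password has been verified. */
function mark_logged_in(string $userId): void
{
    // Issue a fresh session id so an id handed out before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

/** Call from the logout page. */
function log_out(): void
{
    $_SESSION = [];
    session_destroy();
}

/** Stop the request unless the visitor is logged in. */
function require_login(string $loginPage = 'login.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $loginPage, true, 302);
        // Without exit the rest of the protected page still runs and its
        // output is sent along with the redirect.
        exit;
    }
}
```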

Related

Login page redirect using php

I have recently started web development on my WAMP server and was trying to build a simple login page using PHP and MySQL. What I simply did was on successful authentication I redirected the user to a new page using: header("Location: localhost/redirect.php"); in my PHP script.
redirect.php is a simple page which shows that you have successfully logged in.
What I want to ask is that I can simply go to redirect.php by typing localhost/redirect.php in my address bar. Is there any way in which only the users who have been authenticated can visit the page... just like it works on Facebook and other websites, we cannot enter into someone's profile by just typing a URL in our address bar.
It is called URL Manipulation.
Validate the information like session in the profile page.
+
Do NOT use header('Location: ...') without exit; after it. Always exit after a redirect.
header("Location: http://localhost/redirect.php");
exit;
Otherwise it will load the page content and then redirect. If somebody avoids the redirect, he can see the page contents there.
Well, you could create a cookie if a user was logged in successfully.
(and maybe set the value to an md5 hash of the date, username and password for example, and also write that to your database so you can check later if somebody "cheated" that cookie or not)
Then on your redirect.php you just have to look if that cookie exists (and maybe check the value with your database?).
Also if you set your cookie expire value you can control if the user should be logged in only in that session or for example a full month.
I'm sorry I have not done that before, but maybe I could help you with that idea
You can make a PHP code inside the redirect.php page, and make a conditional statement:
If the user is logged in, keep him in the page.
If the user is not logged in, redirect him to the login page.
You have to add this function to redirect.php
function logged_in(){
return (isset($_SESSION['user_id'])) ? true :false;
}
Then add this
if (logged_in()===false){
header('Location: whateverpageyouwant.php');
exit();
}
You can create a session on successful authentication and check for it on the redirect.php page.
If you don't find the session on this page, then redirect the user back to the login page.
In this way you can restrict direct access to the redirect.php page.
Thanks

Need help in PHP. how to put restrictions?

I am currently working on a project where I have two pages: a login page and a home page. The home page is after the login page; whenever the user inputs his username and password correctly in the login page he will be directed to the home page. Here is the problem: if I input the URL of the home page in the browser, it will open even if I did not go through the login page. How do I put restrictions in the home page? How do I put a message saying "you are restricted to access this page, please go back to login page" and then redirect the user to the login page? If you know some website with tutorials or videos of tutorials please include them, it will be a great help. Thank you
This is what sessions are for. You need to validate/authenticate your user before allowing them access to the home page.
On both your login and home pages, you need to start a session with this being at the very top of both scripts:
session_start();
Now when your user logs in successfully, you need to add a session value:
$_SESSION['username'] = $username;
Now in your home page, you need to authenticate that session.
session_start();
if(!isset($_SESSION['username']) || empty($_SESSION['username'])) {
die(header("Location: login.php"));
}
The above code essentially says: IF user session not set OR user session is empty -> KILL THE SCRIPT & GO TO THE LOGIN Page
when your password and username is correct you must set a session.. in my case the session['logged_in'] = 1.
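if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] != 1) {
    // Not logged in: send the visitor to the login page and stop the script.
    header('Location: login.php');
    exit;
} else {
    // your home page..
}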
you must have a session... depending on your need.. I've used the mysql procedural... it's deprecated though.. just giving you the idea. =) you can either use PDO or mysqli... btw, put that code in your home.php page.

Script for redirect to member's page after logging in

I just want to know the script for redirecting after logging in on my webpage and the script that I put on all the webpages on my website for redirecting to the member's page if you are already logged in, like in Facebook: if I refresh the page I am still connected.
There are a hundred ways of doing it, but you can start by setting a session value right after a successful login attempt, such as:
$_SESSION["loggedin"] = true;
Now in your member pages you can check if the user is authenticated like so:
if(!isset($_SESSION["loggedin"]))
{
//redirect user to login form
}
//Member page
In the example above, if the user is not logged in, you must redirect him to the login form.
Every place in your app where you desire to use $_SESSION, you must have session_start(); at the beginning of your script. If you don't have, it won't work.

Remembering which page the user wanted to go to

I have a few links on my page. Most of them will redirect to the homepage if the user is not logged in. Instead of doing that, I want to direct the user to the login page, then direct them to the page they originally wanted to go.
So, for example, if the user is on index.php, and clicks on page10.php without being logged in. S/he should get directed to login.php. After logging in, the website should remember that the user originally wanted to go to page10.php.
How do I do that remembering part? I understand I can use cookies and/or php sessions, but are those the most appropriate ways (in this scenario) of remembering that the user wanted to go to page10.php?
No need to use sessions or get variables, simply access the HTTP_REFERER from the $_SERVER array on your login page, set it to a hidden element in your form then after submission redirect back to that URI
Append desired URL as part of the link. So if a user is not logged in redirect him:
login.php?url=<desired_url>
read the variable on login page, and upon success direct it there instead of index.
To get the URL on the server side look at $_SERVER['REQUEST_URI']
$_SERVER manual
First, redirect to login.php?return=ORIGINAL_URL
In login.php set $_SESSION['return'] = $_GET['return'];.
After a successful login, check if there is a $_SESSION['return'], if there is, and is a valid URL, redirect to it and unset $_SESSION['return'].
That's it.
PS: The reason why you should use session is because the user may not login successfully on the first try. Or may not have an account, he may want to register first. This way he will be redirected to the appropriate page even after creating an account.
Logging a user in implies that you will be using sessions. Sessions usually use a cookie, but they can be implemented by passing a session id around in the request if you don't want to or can't use cookies.
The appropriate way to do this is to use sessions as follows:
1) The authentication check redirects to the login page
2) the login page checks if the target page is set in the session and if it is not it sets it to the referrer
3) if the login form is valid the target page is removed from the session and the user is redirected to the original page
4) otherwise the form is redisplayed.

Intended URL redirect + default redirect after login?

When a user tries to access our website via a link (for instance going to www.website.com/privatepage) they are redirected to a login page. Once they login, we want to redirect them to that intended URL - how do you do this?
Also we have a use case where a user logs in from the homepage, or goes directly to the login page with no intended URL - in this case we'd like to redirect them to a default page.
Can anyone help me figure this out?
in your login page:
if you go to www.example.com/private_page
using CodeIgniter (on private page)
// if user is not logged in...
$_SESSION['redirect'] = $this->uri->segment(1);
redirect('login');
on login page
// successfully logged in..
if (isset($_SESSION['redirect'])) {
redirect($_SESSION['redirect']);
} else {
// redirect to default page
}
It might be a good idea to have a whitelist of accepted urls when redirecting in this fashion - otherwise, an attacker could send someone a link like example.com/login?attacker.com/fake_examplecom and the user will be redirected to the attacker's site while thinking they have just logged in to your site. The original url pointed to your site, so it looks trustworthy. There's a lot of nasty things that can be done with this, as you can imagine.
How are they redirected to the login page? Whichever method with which you do that, you can append a GET variable on the end of the login page URL, and then reference that variable on the login page.
So, user wants to access www.example.com/privatepage, but you need them to login at www.example.com/login first. Redirect them to www.example.com/login?targetpage=/privatepage, then in the code for your login page, you can access the targetpage variable.
I usually store the page in a PHP session before I redirect to the login page. After logging in, see if the session value is set, if it is then redirect back to that page.
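The return-URL approaches above (login.php?return=..., $_SESSION['return'], $_SESSION['redirect']) all hand a stored value to a redirect, which is where the open-redirect warning applies. The following is an added example, not code from any of the posters, that accepts only paths on the same site and otherwise falls back to a default page; the function name and the default /index.php are assumptions.

```php
<?php
/**
 * Return $candidate only if it is a path on this site, otherwise $default.
 * Use it both when storing the target and again just before redirecting.
 */
function safe_return_target($candidate, string $default = '/index.php'): string
{
    if (!is_string($candidate) || $candidate === '') {
        return $default;                 // nothing requested: default page
    }
    // Control characters could split the header; some browsers treat a
    // backslash like a forward slash.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate)) {
        return $default;
    }
    // Must start with exactly one slash. "//host/path" is scheme-relative
    // and would leave the site.
    if ($candidate[0] !== '/' || strncmp($candidate, '//', 2) === 0) {
        return $default;
    }
    // A local path has neither scheme nor host once parsed.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $candidate;
}

/** After a successful login: go to the remembered page or the default. */
function redirect_after_login(): void
{
    $target = safe_return_target($_SESSION['return'] ?? null);
    unset($_SESSION['return']);
    header('Location: ' . $target, true, 302);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, run from the command line only.
    $samples = ['/page10.php', '/privatepage?tab=2', 'http://attacker.example/',
                '//attacker.example/x', "/a\r\nSet-Cookie: x=1", null];
    foreach ($samples as $in) {
        printf("%-32s => %s\n", json_encode($in), safe_return_target($in));
    }
}
```

On the protected page, store the target with $_SESSION['return'] = safe_return_target($_SERVER['REQUEST_URI']); before redirecting to the login page.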
