I'm creating a website and I'd like to prevent the user from logging in twice. How would I do that?
Sorry for not being specific. I meant that I don't want to show the login page once the user has logged in. It looks like the answer about using the $_SESSION is the best option.
I'm using PHP by the way.
You will have to use the session eg $_SESSION. Store user info first on logon and then check if that is set and redirect him to some other page you like like profile, panel or even home page.
See the manual for more information:
http://php.net/manual/en/features.sessions.php
On your login page put a bit of logic that detects if they are logged in. If so, redirect them to their profile page or wherever else you want them to go.
Im not exactly sure how you would do that, but you would have to restrict logins to 1 for every ip address. Is that what you are asking? Please be more clear about what you are trying to ask
What language are you using?
I would create a cookie for the user or set a session if php, then you can just check if the session is set in the header of each page.
Create two cookie one for logged in and other for redirection . use session to find the user login activity ..if user try's for the index.php redirect him to home.php or anyother page
Yes use the isset session feature to check if the user is logged in. If they are logged in then use a header location redirect to redirect the user to whatever page you want them to view.
if(isset($_SESSION['username']) && isset($_SESSION['password'])){
header("Location: members.php");
}
Here is an example of how to do it with sessions using DALMP - Database Abstraction Layer for MySQL using PHP
Related
I have recently started web development on my WAMP server and was trying to build a simple login page using php and MySQL. What I simply did was on successful authentication I redirected the user to a new page using : header("Location: locahost/redirect.php"); in my php script.
redirect.php is a simple page which shows that you have successfully logged in.
What I want to ask is that I can simply go to redirect.php by typing localhost/redirect.php in my address bar. Is there any way in which only the user who have been authenticated can visit the page...just like it works on facebook and other websites, we cannot enter into someone's profile by just typing a URL in our address bar.
It is called URL Manipulation.
Validate the information like session in the profile page.
+
do NOT use header('Location: ...') without exit; after it. Always do exit after redirect.
header("Location: locahost/redirect.php");
exit;
Otherwise it'll load the page content and redirects. If somebody avoid the redirect he can see page contents there.
Well, you could add create a Cookie if a user was logged in successfully.
(and maybe set the value to an md5 hash of the date, username and password for example, and also write that to your database so you can check later of somebody "cheated" that Cookie or not)
Then on your redict.php you just have to look if that Cookie exists (and maybe check the value with your database?).
Also if you set your cookie expire value you can control if the user should be logged in only in that session or for example a full month.
I'm sorry I have not done that before, but maybe I could help you with that idea
You can make a PHP code inside the redirect.php page, and make a conditional statement:
If the user is logged in, keep him in the page.
If the user is not logged in, redirect him to the login page.
You have to add this function to redirect.php
function logged_in(){
return (isset($_SESSION['user_id'])) ? true :false;
}
Then add this
if (logged_in()===false){
header('Location: whateverpageyouwant.php');
exit();
}
You can create session on successfully authentication and check this on redirect.php page.
If you dont find session on this page then redirect user back to the login page.
In this way you can restrict direct access to the redirect.php page
Thanks
I am still new in session
Is it good to wipe $_SESSION before using it?
example:
$_SESSION = array();
$_SESSION['id'] = 1;
$_SESSION['name'] = 'Someone';
I am asking opinion from you guys.
Because I don't have many experience in session.
In my awkward logic,
Maybe I will forgot to logout from admin session
and login to member session
So maybe some $_SESSION value from admin will still in $_SESSION array
Additional:
1. I was admin user and not logout yet from admin page.
2. Now I go from admin page to member login page
What should I do here?
Kick admin to the admin page because he is not member?
Nope. In fact, its really bad and your example code will render your sessions useless.
When you call session_start() you are either given an empty $_SESSION or you get back the data you saved to $_SESSION on a previous page load. For more information on sessions check out the PHP docs:
http://php.net/manual/en/book.session.php
http://php.net/manual/en/function.session-start.php
About logging in and out: Your logout process has to destroy whatever session data identifies the user (probably their ID). Typically this is done by using unset, i.e. unset($_SESSION['user_id']).
I can't imagine any other way to log out a user, maybe if you provided more information I could give you a better answer about this.
Regarding your addition it looks like your authentication system could use some work. You shouldn't be able to get to a login page when you are already logged in (even as admin, since its just another user with higher privileges, right?). If you manually type in the login url after you're logged in, then it should redirect you to the homepage.
Here's Fantastic write-up on this topic, I shoulda done some research! Thanks #HamZa
The definitive guide to form-based website authentication
And here's my super basic pseudo code auth process:
Does current page require authentication
Yes:
Is the user logged in?
Yes:
Does the user have the correct privilages to view the page?
Yes:
AUTHENTICATED! Show page
No:
Print a message that says something like, "You're in the wrong place amigo"
No:
Redirect to login
No:
Show the page
I bought a responsive admin panel template built with bootstrap. I have a question:
I am using jquery on all the admin panel files to get data from a web service.
What is the best way to disallow people from accessing files of the admin panel if they are not logged in ? Let us say I have checklogin.php ? Do I have to call it on every page and then redirect them to a different login page ? And change the format of my files from .html to .php ?
Regards
A simple solution is, to add a field to your users table (e.g. isAdmin) and make it default to 0 for all new accounts. Then give yourself a isAdmin value of 1. Then you can simply redirect the user away before displaying the page contents if he doesn't meet certain criteria. For example..
// If they are not an admin (!= not equal to), kick them to the curb!
if(($_SESSION['isAdmin']) != "1") {
header("Location: getoutofmyadminarea.php");
die("Redirecting to getoutofmyadminarea.php");
}
To use this method you will need to initialize a user session.
You could have a seperate login page, possibly even on a subdomain if you value security, but better keep it simple if you're learning.
What is the best way to disallow people from accessing files of the admin panel if they are not logged in ?
You need to use a server side authentication system. OR
You can use an HTTP authentication method,
but then you might have difficulty logging out.
Let us say I have checklogin.php ?
What will your checklogin.php file do?
Yes, you can create a server side authentication system.
Do I have to call it on every page and then redirect them to a different login page ?
No. Not necessarily on every page.
You can create a PHP session when authenticated,
and check the session to validate a user.
And change the format of my files from .html to .php ?
Well, yes. You'll need to change them to .php if you want to detect PHP sessions.
A simple solution for you:
Use Htaccess Authentication to password protect your admin directory.
That way you wont need any server side scripting. But be warned, there are no efficient methods to signout a user.
Hope this helps!
You can use $_SESSION to check if user is logged in , if not ..redirect to other page or display an error message.
You have to check the session on every page you want.
<?php
session_start();
if($_SESSION["logged"] != true) {
echo("Access is denied!");
}else{
echo "Welcome admin";
}
?>
I have a website where members have to login but I noticed after logging out they can simply enter any page url in browser and go back in without using the login form, how do I prevent this.
What I mean is I believe there is a way for me to check if the session is valid on all pages. Even non users can put the url in their browsers and enter without logging in.
Use the SESSION variable in PHP.
session_start();
$_SESSION['login'] = true;
This basically creates a SESSION variable called 'login' which can be used to verify whether a user is logged in.
Now, all you have to do is check the variable like this :
if($_SESSION['login'] == true){
/*GOTO USER PAGE*/
}else{
/*REDIRECT SOMEWHERE ELSE */
}
To create a logout button, to ensure users can't copy-paste the URL again and enter,
session_destroy();
will work just fine.
What you need to do is create a proper login system using something like a session. There are countless tutorials you'll find about this by googling "php login tutorial with session". Here is one of those results.
At the heart of all of these are PHP Sessions, which allow you to store information for a specific client throughout their browser session. To understand sessions in php, here's a basic tutorial
Let me know if these make sense or if you have any questions :)
I have a few links on my page. Most of them will redirect to the homepage if the user is not logged in. Instead of doing that, I want to direct the user to the login page, then direct them to the page they originally wanted to go.
So, for example, if the user is on index.php, and clicks on page10.php without being logged in. S/he should get directed to login.php. After logging in, the website should remember that the user originally wanted to go to page10.php.
How do I do that remembering part? I understand I can use cookies and/or php sessions, but are those the most appropriate ways (in this scenario) of remembering that the user wanted to go to page10.php?
No need to use sessions or get variables, simply access the HTTP_REFERER from the $_SERVER array on your login page, set it to a hidden element in your form then after submission redirect back to that URI
Append desired URL as part of the link. So if a user is not logged in redirect him:
login.php?url=<desired_url>
read the variable on login page, and upon success direct it there instead of index.
To get the URL on the server side look at $_SERVER['REQUEST_URI']
$_SERVER manual
First, redirect to login.php?return=ORIGINAL_URL
In login.php set $_SESSION['return'] = $_GET['return'];.
After a successful login, check if there is a $_SESSION['return'], if there is, and is a valid URL, redirect to it and unset $_SESSION['return'].
That's it.
PS: The reason why you should use session is because the user may not login successfully on the first try. Or may not have an account, he may want to register first. This way he will be redirected to the appropriate page even after creating an account.
Logging a user in implies that you will be using sessions. Sessions usually use a cookie, but they can be implemented by passing a session id around in the request if you don't want to or can't use cookies.
The appropriate way to do this is to use sessions as follows:
1) The authentication check redirects to the login page
2) the login pages checks if the target page is set in the session and if it is not it sets it to the referrer
3) if the login form is valid the target page is removed from the session and the user is redirected to the original page
4) otherwise the form is redisplayed.