Displaying pages for only signed in users - php

I have created a membership system and only signed in users can enter comments. But, without signing in, everyone can access every page by typing the name of the PHP file in the link bar. How can I redirect non-registered users to the homepage?
Thanks

You have to create a session if a user has successfully logged in:
session_start(); // best to put this at the top of the first php file that's called, preferably on every page
// check user credentials ($credentialsValid is a placeholder for the result of your own check)
if (!$credentialsValid) {
    header('Location: login.php');
    exit();
}
$_SESSION['user'] = 'username';
And in the php file where you want to check:
session_start(); // best to put this at the top of the first php file that's called, preferably on every page
if (!isset($_SESSION['user'])) {
    header('Location: login.php');
    exit();
}

That's just as easy as an if statement:
if(login_check())
{
    // Show the page
}
else
{
    header('Location: adresse');
    exit();
}

That depends on how you identify logged in users, is it a session? a cookie? You should use those methods to test for the logged in status. If the user is not logged in, you should send a Location header to redirect him to the home page.
header('Location: index.php'); die();
You die(); afterwards to prevent the rest of the code from running.
Note: You must send it BEFORE any output is sent, otherwise it won't work.

Related

PHP- How can I restrict access to a page?

I have multiple pages that need to be protected depending on the user privilege. I have PHP code to check the current session variable upon page load.
Page being tested: the PHP code is placed above the !DOCTYPE. This code is supposed to check for customers who are not logged in. If not logged in or no session variable is set, redirect to the error page; otherwise do nothing and load the page normally.
<?php
if (!isset($_SESSION["username"])){
    header("location: error.php");
}
?>
My session variables are only set after logging in. After logging in, the user is redirected to the page referred to above:
if (mysqli_num_rows($results6) < 1) { //$results6 is a query to check if the user exists in the users database
    $logInMsg = "invalid log in";
} else {
    session_start();
    $_SESSION["username"] = $uName; //$uName is a user input user name
    header("location: pageabove.php");
}
The problem is that even after logging in I still get redirected to the error page.
That would be because you haven't started the session yet. You need to specify a session start on each page that you intend to use sessions in (Read more about session_start()):
<?php
session_start(); // start session
// do check
if (!isset($_SESSION["username"])) {
    header("location: error.php");
    exit; // prevent further execution, should there be more code that follows
}
This is for everything. On your login page and all. Anywhere you want to harness the sessions, you need to start it, otherwise it's "lost in the wind".

Is it possible to get around PHP session checks?

I've got a user login field that sets the session after they're validated on the login page:
$_SESSION['user'] = $user;
$_SESSION['id'] = $id;
And on this PHP page I only want logged in users to access I have at the top:
<?php session_start();
if (!isset($_SESSION['id']) && !isset($_SESSION['user']))
{
    header('Location: http://--back to home page--');
    exit(); // <-- Added thanks to comments
}
?>
Is this enough to keep users who have not logged in off the page?
It's redirecting me back to the home page when I'm not logged in, but could people get around it?
Edit: I've added the exit(); now.
Users can bypass the HTTP Location header. Add a die(); (which is equivalent to exit();) right after to prevent any other content from being sent to the browser.
if (!isset($_SESSION['id']) && !isset($_SESSION['user'])){
    header('Location: http://--back to home page--');
    die();
}
Other than that, note that a user can change the PHPSESSID cookie. If they find the id of an active session with the variables in question set, they will gain access to the page.
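The points raised in this thread and in the first one (start the session on every page, stop the script after the redirect, and remember that access follows whoever presents a valid PHPSESSID) can be combined in one include file. This is an added example, not code from any of the posts; the file name auth.php and the function names are hypothetical, and it assumes PHP 7.3 or later and a site served over HTTPS. Unlike the snippet above, the guard treats the session as logged in only when both values are set.

```php
<?php
// auth.php - added example; function names and the login.php default are assumptions.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    ini_set('session.use_strict_mode', '1');  // reject session ids the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // assumes HTTPS; the cookie is not sent over plain HTTP
        'httponly' => true,   // PHPSESSID is not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $id, string $user): void
{
    // Call only after the credentials have been verified.
    start_secure_session();
    session_regenerate_id(true); // fresh id after authentication, old session data deleted
    $_SESSION['id']   = $id;
    $_SESSION['user'] = $user;
}

function is_logged_in(): bool
{
    // Both values must be present; a half-populated session counts as anonymous.
    return isset($_SESSION['id'], $_SESSION['user']);
}

function require_login(string $loginUrl = 'login.php'): void
{
    start_secure_session();
    if (!is_logged_in()) {
        header('Location: ' . $loginUrl);
        exit; // nothing below the guard is executed or sent
    }
}
```

On each protected page, make require 'auth.php'; require_login(); the first statements, before any HTML is output.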

Can't log in after SESSION check

I have the website pages for visitors and the pages for the client to manage it at /admin.
I created a login system at admin/index.php and it's working fine. But if I type the URL of an admin page in the browser (e.g. admin/carro_admin.php) I get access even without being logged in. So I'm trying to put some session check on this page (carro_admin) to block visitors and allow just login access.
I'm trying to do that with:
if (isset($_SESSION)) {
    header("location:carro_admin.php");
}
else {
    header("location:index.php");
}
exit();
It's blocking the access and sending me to index.php (and that's right). But now the login system doesn't work. When I type my username and password I'm redirected to index.php again.
Is something wrong with my session code?
P.S.: I already read this question: How to set and check a session after login? but it didn't work either.
Add this to the login process, i.e. when the username/password has been entered and the submit button clicked.
<?php session_start();
/*authenticate the username & password*/
if($result) {
    $_SESSION['logged_in']=1;
}
?>
Now on the admin page:
<?php session_start();
if(!isset($_SESSION['logged_in'])) {
    // not logged in: send the visitor to the login page and stop the script
    header("location:index.php");
    exit();
}
// logged in: carry on and render carro_admin.php (redirecting to this same page from here would loop)
?>
Do you have session_start() at the top of the page where your redirect is? If not, it won't set the session. I can hit the page from a non-browser, and get all of the contents of your admin page without being redirected. You need to have the script die after the redirect in the case that the user is not logged in. Also, you shouldn't use isset($_SESSION). You should use something like $_SESSION["loggedIn"] === TRUE.
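The last reply's observation, that a client which ignores the Location header still receives everything the script prints after header(), can be checked on a raw HTTP response from your own page. This is an added example, not code from any of the posts; audit_redirect() is a hypothetical helper and both sample responses are constructed for illustration.

```php
<?php
// Added example: flag responses where a redirect is sent together with page content.
// The two raw responses at the bottom are constructed samples, not captured traffic.

function audit_redirect(string $raw): array
{
    // Split the header block from the body at the first blank line.
    $parts = preg_split("/\r?\n\r?\n/", $raw, 2);
    $lines = preg_split("/\r?\n/", $parts[0]);
    $body  = $parts[1] ?? '';

    $status = 0;
    if (preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $lines[0], $m)) {
        $status = (int) $m[1];
    }
    $location = null;
    foreach (array_slice($lines, 1) as $line) {
        if (stripos($line, 'Location:') === 0) {
            $location = trim(substr($line, strlen('Location:')));
        }
    }
    $isRedirect = $status >= 300 && $status < 400 && $location !== null;
    $bodyBytes  = strlen(trim($body));

    return [
        'redirect'   => $isRedirect,
        'location'   => $location,
        'body_bytes' => $bodyBytes,
        // A redirect that still carries content means the script kept running after header().
        'leaks'      => $isRedirect && $bodyBytes > 0,
    ];
}

// Constructed sample: guard sends Location but never calls exit, so the page follows.
$withoutExit = "HTTP/1.1 302 Found\r\nLocation: index.php\r\nContent-Type: text/html\r\n\r\n"
             . "<h1>Admin</h1><table><tr><td>order 1001</td></tr></table>";
// Constructed sample: guard calls exit right after header(), so the body is empty.
$withExit    = "HTTP/1.1 302 Found\r\nLocation: index.php\r\nContent-Type: text/html\r\n\r\n";

foreach (['guard without exit' => $withoutExit, 'guard with exit' => $withExit] as $name => $raw) {
    $r = audit_redirect($raw);
    printf("%-20s redirect=%s body=%dB leaks=%s\n", $name,
        var_export($r['redirect'], true), $r['body_bytes'], var_export($r['leaks'], true));
}
```

Feed it the response your protected page returns to a request made without a session cookie and with redirect following turned off.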

Login Page in PHP

I created a login page in PHP named index.php. Now when the user logs in, it redirects to mypage.php. The login works fine. But mypage.php also opens when I type the URL of mypage.php, even without logging in. I want the user to have to be logged in to see mypage.php, and in case he changes the URL in the browser, an error message should be triggered. What should I do?
1. localhost/index.php
2. localhost/mypage.php
In index.php, once the user has logged in successfully, set a session variable, like $_SESSION['login'] = true; before the redirect. If the login is invalid, use $_SESSION['login'] = false; Don't forget to start the session at the top of the page: session_start();
In mypage.php, check if that session is set or not. If not set, throw an error, else show the page.
session_start();
if(isset($_SESSION['login']) && $_SESSION['login'] == true) {
    echo 'You are welcome';
} else {
    // redirecting to login page (no output may be sent before header(), so nothing is echoed here)
    header('Location: index.php');
    exit;
}
How are you storing the state of being 'logged in'?
You'll need to have your mypage.php check a variable that has been set by the index.php's successful login process.
Can you paste your code here and I can take a look?
In order for a login to work correctly, your "secure" page (I use that term relatively because nothing is truly secure) needs to have some sort of validation conditional. In other words you need to have some way of determining if the user is logged in.
A simple way to do this in PHP is to set a session variable when you process the user's credentials. For example:
When the user successfully logs in set a session variable like so:
$_SESSION['isLoggedIn'] = true;
Then on the mypage.php check to see if the variable is set:
if(!isset($_SESSION['isLoggedIn']) || $_SESSION['isLoggedIn'] != true) {
    header("Location: index.php");
    exit;
}
Please also note, it is imperative if you are using sessions that you have session_start(); as the first line of all of your files. This allows $_SESSION variables that were set on a separate page to be able to be read on the current page.
Hope this helps.

How do you stop people from going to a page that should be used as log in page?

I am new to PHP. I am trying to allow users to log in to a website. Here are the steps: the PHP script checks if $_POST['submit'] is set; if it is set, it checks if the user input matches data in the database; if the inputs are correct, it redirects users to a log in page. I am trying to stop users from accessing the page that the PHP script redirects them to when their input is correct, but I can't. I already tried the empty and the isset functions but they don't work. How does Facebook manage to have users log in without redirecting them to other pages? When you log in to Facebook the URL is http://facebook.com. Thank you for your answers.
Upon successful login:
$_SESSION['logged_in'] = true;
At the top of every page:
session_start();
if (empty($_SESSION['logged_in'])) // empty() avoids an undefined-key warning when the key is not set
{
    header('Location: login.php');
    die();
}
At the top of your login page:
session_start();
if (!empty($_SESSION['logged_in']))
{
    header('Location: other_page_here.php');
    die();
}
More on sessions here.
