Hello everybody,
I have been asked to design a general login page (and others) for a website. What I need is: when any user simply clicks on the website's name, the user is taken directly to the login page. The site is designed so that one cannot enter without being logged in. Any help will be appreciated.
Thanks in advance
Not 100% sure what you are asking for here. From a quick read of the OP question, it appears you are wanting to direct people to the login page if they visit the main page and are not logged in.
To do this, all you need do is, in the main page, test whether the user is logged in. If they are not, then you redirect them to the login page.
<?php
// Within the INDEX.PHP file, at the very top
// - nothing can be in front of the opening tag for this PHP section.
session_start();
// empty() also covers a key that was never set, so no undefined-index notice is raised
if (empty($_SESSION['loggedIn'])) {
    header('Location: login.php');
    die();
}
This will redirect anyone viewing index.php to the login.php page, if they are not logged in. So long as, when they are logged in, you set $_SESSION['loggedIn'] to true (otherwise everyone, every time, will be sent to the login page).
I have recently started web development on my WAMP server and was trying to build a simple login page using php and MySQL. What I simply did was on successful authentication I redirected the user to a new page using : header("Location: locahost/redirect.php"); in my php script.
redirect.php is a simple page which shows that you have successfully logged in.
What I want to ask is that I can simply go to redirect.php by typing localhost/redirect.php in my address bar. Is there any way in which only a user who has been authenticated can visit the page... just like it works on Facebook and other websites, where we cannot enter someone's profile by just typing a URL in our address bar?
It is called URL Manipulation.
Validate the information like session in the profile page.
+
do NOT use header('Location: ...') without exit; after it. Always do exit after redirect.
// full URL with scheme and the host name spelled "localhost"
header("Location: http://localhost/redirect.php");
exit;
Otherwise it'll load the page content and then redirect. If somebody avoids the redirect, he can see the page contents there.
Well, you could create a cookie if a user was logged in successfully.
(and maybe set the value to an md5 hash of the date, username and password for example, and also write that to your database so you can check later if somebody "cheated" that cookie or not)
Then on your redirect.php you just have to look if that cookie exists (and maybe check the value with your database?).
Also, if you set your cookie expire value you can control whether the user should be logged in only for that session or, for example, for a full month.
I'm sorry I have not done that before, but maybe I could help you with that idea.
You can make a PHP code inside the redirect.php page, and make a conditional statement:
If the user is logged in, keep him in the page.
If the user is not logged in, redirect him to the login page.
You have to add this function to redirect.php
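session_start(); // must run before $_SESSION can be read
function logged_in() {
    // true only when the login script stored a user id in the session
    return isset($_SESSION['user_id']);
}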
Then add this
if (logged_in() === false) {
    header('Location: whateverpageyouwant.php');
    exit();
}
You can create a session on successful authentication and check it on the redirect.php page.
If you don't find the session on this page, then redirect the user back to the login page.
In this way you can restrict direct access to the redirect.php page.
Thanks
I am currently working on a project where I have two pages: a login page and a home page. The home page comes after the login page; whenever the user inputs his username and password correctly in the login page he will be directed to the home page. Here is the problem: if I input the URL of the home page in the browser, it will open even if I did not go through the login page. How do I put restrictions on the home page? How do I put a message saying "you are restricted to access this page, please go back to login page" and then have it redirect the user to the login page? If you know some website with tutorials or videos of tutorials please include them, it will be a great help. Thank you
This is what sessions are for. You need to validate/authenticate your user before allowing them access to the home page.
On both your login and home pages, you need to start a session with this being at the very top of both scripts:
session_start();
Now when your user logs in successfully, you need to add a session value:
$_SESSION['username'] = $username;
Now in your home page, you need to authenticate that session.
session_start();
if (!isset($_SESSION['username']) || empty($_SESSION['username'])) {
    header("Location: login.php");
    die(); // stop the script so nothing below is sent along with the redirect
}
The above code essentially says: IF user session not set OR user session is empty -> KILL THE SCRIPT & GO TO THE LOGIN Page
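When your password and username are correct you must set a session... in my case the session['logged_in'] = 1.
session_start();
// empty() is true when the key is missing or falsy; the original !$x == '1' applied ! before ==
if (empty($_SESSION['logged_in']) || $_SESSION['logged_in'] != 1) {
    header('Location: login.php');
    exit; // stop here so the home page below is never sent
} else {
    // your home page..
}
You must have a session... depending on your need... I've used the mysql procedural... it's deprecated though... just giving you the idea. =) You can either use PDO or mysqli... btw, put that code in your home.php page.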
I'm making a site with WordPress as the CMS (installed on our server, not WordPress.com). I want the account page to redirect to the login page if the user isn't logged in. There's a custom template for the account page (account.php) and at the top I've placed this code:
if(!is_user_logged_in()){
    wp_redirect('www.mypage.com/login');
    die();
}
When I update and save the account.php page, I go into the WordPress dashboard and update the page there too. When I go to view the account page (either by refreshing the page or clicking "view page") it usually redirects the first time to the login page. Yay! All seems well, except when I click the account link, I expect it to take me to the login page as I'm still not logged in, but it takes me to the account page anyway... I've tried in Incognito mode to be sure I'm not logged in. I put an echo inside that if statement, and it reaches it just fine, so I know that it's correctly detecting that I'm not logged in.
Does anyone know why it's redirecting on first load but not again when navigating back to that page? How can I make it so it's impossible to view account.php until logged in?
The above should be like
if(!is_user_logged_in()){
    wp_redirect('www.mypage.com/login');
    die();
}
You are missing out the is_user_logged_in*()*.
Check those brackets, it's a function ;)
I am currently working on developing a simple web system, so a user will first be directed to a login page, then a processing page. If the account data provided is correct, the user will be directed to the main page to carry out some actions, and at last can log out.
So what I want to ask is: how can I prevent users from accessing the processing, main or logout page before they log in? I mean, if I do not limit it, the login action is by some means useless. I am using WAMP to develop the web system.
I have considered making use of the session variable; however, I have no idea how to check the value of the variable. If I start a session at the login page, and I skip the login page and go directly to the main page, do I have those session variables present in the main page?
1) Add session_start(); at the top of the php page to initialize sessions.
2) Add if statement
if (!empty($_SESSION['logged_in']) && $_SESSION['logged_in'] == 1) { /* show page */ } else { /* show login page */ }
3) Create a login form which validates data, if data is correct then it adds $_SESSION['logged_in'] = 1; and redirects to profile page with logout button.
That's all :)!
I suggest that you check some tutorials, since it will give you some more information how to do that - http://www.intechgrity.com/create-login-admin-logout-page-in-php-w/ or any other link via google - "How to create login/logout functions with SESSIONS".
About your question, in each page you will put session_start(); at the start of the file, they will have all sessions you have specified for user.
EDIT:
Added few useful links -
http://www.php.net/manual/en/book.session.php
http://www.tizag.com/phpT/phpsessions.php/
http://www.w3schools.com/php/php_sessions.asp
Well, this is what I will do. Check with an if statement if a session variable that holds, for example, the username from the login page exists, then if it doesn't show an error 404 page, or redirect the user to any error page... you might want to create that yourself anyway (so that it redirects them back to the login page).
<?php
session_start();
if (empty($_SESSION['username'])) {
    // send a real 404 status; a "Location:" header is only for redirects
    http_response_code(404);
    exit;
}
?>
You could also create a new file and place this code there so that you call it on every page that will require a user to log in before accessing it....
But try to access a non-login page for the first time, then you will be redirected to the login page; then try to access the same non-login page a second time and you'll already have access even though you didn't log in.
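The shared include file suggested in the answer above could look like the following. This is an added example, not code from any of the posts; the file name auth.php, the function names and the session key user_id are assumptions.

```php
<?php
// auth.php: hypothetical shared include (file and function names are assumptions).
// Usage at the very top of every protected page:
//     require __DIR__ . '/auth.php';
//     require_login();
declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Keep the session cookie away from scripts and off plain HTTP when HTTPS is in use.
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => !empty($_SERVER['HTTPS']),
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

function is_logged_in(): bool
{
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

function require_login(string $loginPage = 'login.php'): void
{
    start_session_once();
    if (!is_logged_in()) {
        header('Location: ' . $loginPage);
        exit; // without this the protected page would still be rendered and sent
    }
}

// Call only after the submitted credentials have been verified.
function complete_login(int $userId): void
{
    start_session_once();
    session_regenerate_id(true); // fresh session ID, so a pre-login ID cannot be reused
    $_SESSION['user_id'] = $userId;
}

function logout(): void
{
    start_session_once();
    $_SESSION = [];
    session_destroy();
}
```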
When a user tries to access our website via a link (for instance going to www.website.com/privatepage) they are redirected to a login page. Once they login, we want to redirect them to that intended URL - how do you do this?
Also we have a use case where a user logs in from the homepage, or goes directly to the login page with no intended URL - in this case we'd like to redirect them to a default page.
Can anyone help me figure this out?
in your login page:
if you go to www.example.com/private_page
using CodeIgniter (on private page)
// if user is not logged in...
$_SESSION['redirect'] = $this->uri->segment(1);
redirect('login');
on login page
// successfully logged in..
if (isset($_SESSION['redirect'])) {
    redirect($_SESSION['redirect']);
} else {
    // redirect to default page
}
It might be a good idea to have a whitelist of accepted urls when redirecting in this fashion - otherwise, an attacker could send someone a link like example.com/login?attacker.com/fake_examplecom and the user will be redirected to the attacker's site while thinking they have just logged in to your site. The original url pointed to your site, so it looks trustworthy. There's a lot of nasty things that can be done with this, as you can imagine.
How are they redirected to the login page? Whichever method with which you do that, you can append a GET variable on the end of the login page URL, and then reference that variable on the login page.
So, user wants to access www.example.com/privatepage, but you need them to login at www.example.com/login first. Redirect them to www.example.com/login?targetpage=/privatepage, then in the code for your login page, you can access the targetpage variable.
I usually store the page in a PHP session before I redirect to the login page. After logging in, see if the session value is set, if it is then redirect back to that page.
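One way to apply the whitelist advice above to the targetpage parameter, with the fallback to a default page that the question asks for. This is an added example, not code from any of the posts; the function name, the allowed paths and the default page are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of post-login destinations (paths on this site only).
const ALLOWED_TARGETS = ['/privatepage', '/account', '/home.php'];
const DEFAULT_TARGET  = '/home.php';

/**
 * Returns $target only if it is a same-site path on the allowlist;
 * anything else falls back to the default page.
 */
function safe_redirect_target($target): string
{
    if (!is_string($target) || $target === '') {
        return DEFAULT_TARGET;              // no intended URL, or not a plain string
    }
    // Control characters could split the header; browsers treat "\" like "/".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $target)) {
        return DEFAULT_TARGET;
    }
    // Must start with exactly one "/": rejects "https://...", "//host" and bare hosts.
    if ($target[0] !== '/' || ($target[1] ?? '') === '/') {
        return DEFAULT_TARGET;
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return DEFAULT_TARGET;
    }
    if (!in_array($parts['path'] ?? '', ALLOWED_TARGETS, true)) {
        return DEFAULT_TARGET;
    }
    return $target;
}

// Constructed sample values (not taken from the page) and the destination chosen for each.
$samples = ['/privatepage', '/privatepage?tab=2', '//attacker.example/x',
            'https://attacker.example/fake', '/\\attacker.example', '/unknown', null];
foreach ($samples as $sample) {
    printf("%-34s => %s\n", var_export($sample, true), safe_redirect_target($sample));
}

// On the login page, after a successful login:
//     header('Location: ' . safe_redirect_target($_GET['targetpage'] ?? null));
//     exit;
```

The same check applies when the intended page is kept in the session instead of the query string: validate the value at the point where it is used for the redirect.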