Creating a new HTML page on the fly

MuadDubby

Programmer
Sep 23, 1999
236
CA
Hello

I've got a form that basically asks for a user login, and if the authentication works, the user is just redirected to a page with info that you should not be able to see without the userid/pw combo. The authentication is, btw, just a SELECT statement on a Users table in MySQL.

Problem is - once logged in, the user can always just copy the URL of the new page, and always go straight there. Any way around this? I thought of creating the second page dynamically as a result of the authentication (instead of redirecting the user to an existing page), but I don't know how to do it. Any ideas?

If you have any other ideas on how to ensure the user always goes through the login page, please let me know.

Thx.
 
There are as many different ways to accomplish this as there are websites out there, I would imagine. But the most common approach would be to have each page "behind" the login page require that certain stuff is set in the session which can only get set if the login succeeds.

The basics of this would be that every page needs to call session_start() at the beginning of the script (first line after the opening <?php tag). Then, the login processor (which could be the same login script/page that presents the login box if that's what you choose) would do the SELECT as you said, and if the login succeeds, it first does a $_SESSION["username"] = $username or something like that to set a session variable before it does the redirect. Then, the beginning of each "logged in only" page would need to simply call the session_start() (to restart the previously started session), and then do a statement like:

Code:
if (!isset($_SESSION["username"])) {
	// not logged in, so redirect back to login page, etc
}

hope this helps... good luck.
 
Thx bud. I had trouble sleeping last night and so started thinking about this, and it occurred to me that I'd have to do authentication on pretty much all the pages.

So two things came out of this - my thoughts have just been confirmed, and I got very little sleep. At least one good thing came of this :)

Thx again,
 
don't really need to do "authentication" on every page which is commonly the term referred to the process of looking up credentials in a source and verifying the match.

more strictly speaking, what your "if" statement on every page is doing in my example above would be to simply verify that the match had already been made (like setting a boolean flag, for instance) and that it was still valid (ie, the session hadn't expired or been killed artificially).

you would most likely not want to actually "authenticate" someone (look up their records in the DB) every page call, as this would be highly inefficient.

a lot of transactional projects i've worked on like this follow the model that each page does a call to a function called "bounce()" for instance, which has in it the logic to check and make sure the person is correctly and validly logged in, and moreover, in more sophisticated schemes, it can check to make sure they have ACCESS rights, meaning some users can only go to a smaller subset of the authenticated pages, etc. One function call at the top of each page to check all these details is pretty clean, and is very standard in this realm. Good luck!
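
A sketch of the per-page check described in the reply above, added here as an example and not code posted by anyone in the thread. It assumes PHP 7.1 or later; the `login.php` target, the `last_seen` and `roles` session keys, the 30-minute idle limit and the helper names other than `bounce()` are all hypothetical.

```php
<?php
// Added example, not code from the thread. Assumed names: login.php, the
// "last_seen" and "roles" session keys, IDLE_LIMIT, check_session(), mark_logged_in().

const IDLE_LIMIT = 1800; // seconds of inactivity before the login counts as expired (assumed)

// Pure decision: returns "ok", "login" or "denied" for a given session array.
function check_session(array $session, ?string $requiredRole, int $now): string
{
    if (!isset($session["username"])) {
        return "login";                      // the login never succeeded in this session
    }
    if ($now - ($session["last_seen"] ?? 0) > IDLE_LIMIT) {
        return "login";                      // the flag was set but is no longer valid
    }
    if ($requiredRole !== null && !in_array($requiredRole, $session["roles"] ?? [], true)) {
        return "denied";                     // logged in, but no access right to this page
    }
    return "ok";
}

// Call at the top of every protected page, before any output: bounce(); or bounce("admin");
function bounce(?string $requiredRole = null): void
{
    session_start();
    $verdict = check_session($_SESSION, $requiredRole, time());
    if ($verdict === "ok") {
        $_SESSION["last_seen"] = time();     // sliding idle timeout
        return;
    }
    if ($verdict === "login") {
        $_SESSION = [];                      // drop stale login state
        header("Location: login.php");
    } else {
        http_response_code(403);
        echo "Forbidden";
    }
    exit; // without this the rest of the page still runs and is sent along with the redirect
}

// Login processor: call after the SELECT on the Users table has matched.
// Assumes session_start() has already been called in the login script.
function mark_logged_in(string $username, array $roles): void
{
    session_regenerate_id(true);             // issue a fresh session id at login
    $_SESSION["username"]  = $username;
    $_SESSION["last_seen"] = time();
    $_SESSION["roles"]     = $roles;
}
```

Copying the URL of a protected page no longer helps a visitor without a valid session: `bounce()` ends the request before any of the page body is produced.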
 
Yes, checking that one variable at the top of every page is what I had in mind. Way more efficient than re-validating the login on all pages.

Thx,
 