How to restrict some links without valid login

vishalonne

Technical User
Jul 29, 2012
Dear All
I already have the PHP code for login and verification done using a MySQL database.
I have some links which should not work if the user clicks them without a VALID LOGIN.
My index.html page contains a menu -
Home | Computer Science | Informatics Practices | Take Test (login required) | Software | Register | Get Together (login required)

Structure of my web site
index.html ---- Login Box and Register Page Link
Computer Science (Menu)
  XI (Sub Menu)
    Unsolved Question Papers (Link) login not required
    Project Samples (Link) login not required
    Solved Materials (Link) login required
    Forum (Link) login required

  XII (Sub Menu)
    Unsolved Question Papers (Link) login not required
    Project Samples (Link) login not required
    Solved Materials (Link) login required
    Forum (Link) login required

Here is the code - login.php (login form)
PHP:
<script type="text/javascript" src="sha512.js"></script> <!-- contains the SHA-512 hashing code (hex_sha512) -->
<script type="text/javascript">
function formhash(form, password) {
   // Create a new input element; this will be our hashed password field.
   var p = document.createElement("input");
   p.name = "p";
   p.type = "hidden";
   p.value = hex_sha512(password.value);
   // Make sure the plaintext password doesn't get sent.
   password.value = "";
   // Add the new element to our form, then submit it.
   form.appendChild(p);
   form.submit();
}
</script>
</script>
<?php
if(isset($_GET['error'])) { 
   echo 'Error Logging In!';
}
?>
</head>
<body><form action="process_login.php" method="post" name="login_form">
   Email: <input type="text" name="email" /><br />
   Password: <input type="password" name="password" id="password"/><br />
   <input type="button" value="Login" onclick="formhash(this.form, this.form.password);" />
</form>
</body>
process_login.php (checking validity)
PHP:
<?php
define("HOST", "localhost"); // The host you want to connect to.
define("USER", "root"); // The database username.
define("PASSWORD", ""); // The database password. 
define("DATABASE", "check1"); // The database name.
 
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
// No output before this point: sec_session_start() and header() must still be able to send headers.
include 'functions.php';
sec_session_start(); // Our custom secure way of starting a php session. 
 
if(isset($_POST['email'], $_POST['p'])) { 
   $email = $_POST['email'];
   $password = $_POST['p']; // The hashed password.
   if(login($email, $password, $mysqli) == true) {
      // Login success
      echo 'Success: You have been logged in!';
   } else {
      // Login failed: redirect, then stop so nothing else runs after the header.
      header('Location: ./login.php?error=1');
      exit;
   }
} else { 
   // The correct POST variables were not sent to this page.
   echo 'Invalid Request';
}
?>
You can see the site, which is in the development phase: cbsecsnip
 
Set a flag in a cookie or a session and test for it

PHP:
if($loggedin) {
     echo('link for logged in user');
}

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
Hello
Thank you for looking into my problem. Since yesterday I have been fighting with this. Somehow I managed to display the links on the pages when the user is logged in with id and password or without giving id and password.
This is the code of the page which contains the links -
PHP:
<?php
include "functions.php";
sec_session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>cbse cs n ip - Anything regarding CBSE XI and XII Computer Subjects</title>
    <meta name="description" content="Portal For CBSE India, CBSE Guess Sample Questions Papers" />
    <meta name="keywords" content="cbse cs and ip,11 cbse,11 cbse sample papers" />
    <link href="css/other.css" rel="stylesheet" type="text/css" />  
    <link href="css/other2.css" rel="stylesheet" type="text/css" />
    <link rel="stylesheet" type="text/css" href="csshorizontalmenu.css" />
    <script type="text/javascript" src="csshorizontalmenu.js"></script>
    <script type="text/javascript">
        var _gaq = _gaq || [];
        _gaq.push(['_setAccount', 'UA-34001071-1']);
        _gaq.push(['_trackPageview']);
        (function() {
            var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
            ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
            var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
        })();
    </script>
    <script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js" type="text/javascript"></script>
<script type="text/javascript">
 /*$(document).ready(function() {
  $('#ul1 li a').click(function(e) {
   e.preventDefault();
   $('#content').load($(this).attr('href'));
  });
 });*/
 $(function(){
    $('#ul1 li a').on('click', function(e){
        e.preventDefault();
        var page_url=$(this).prop('href');
        $('#content').load(page_url);
    });
});
</script>
    <style type="text/css">
        .style1
        {
            color: #FFFF99;
        }                        
        .ul
        {
            margin-left: 15px;
        }                        
    </style>
    </head>
<body>
    <div id="main_container">
        <div id="container">
            <div id="banner_container">    
                <div id="login_container">
                    <span class="style1">Email or Phone</span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                    <span class="style1">Password</span>&nbsp;&nbsp;<br />
                    <input type="text" id="Text1" class="box" />
                    <input type="password" id="Password1" class="box" />
                    <input id="Submit1" type="submit" value="Log In" /><br />
                    <span class="style1">Forgot your password?</span>
                </div>
            <div class="horizontalcssmenu">
                <ul id="cssmenu1">
                    <li style="border-left: 1px solid #202020;"><a href="http://www.cbsecsnip.in">Home</a></li>
                    <li><a href="#">Computer Science</a>
                        <ul>
                            <li><a href="http://www.cbsecsnip.in/csnip/XICS.php">XI</a></li>
                            <li><a href="http://www.cbsecsnip.in/csnip/XIICS.php">XII</a></li>
                        </ul>
                    </li>
                    <li><a href="#">Informatics Practices</a>
                        <ul>
                            <li><a href="http://www.cbsecsnip.in/csnip/XIIP.php">XI</a></li>
                            <li><a href="http://www.cbsecsnip.in/csnip/XIIIP.php">XII</a></li>
                        </ul>
                    </li>
                    <li><a href="http://www.cbsecsnip.in">Take Test</a></li>
                    <li><a href="http://www.cbsecsnip.in">Software</a></li>
                    <li><a href="http://www.cbsecsnip.in">Register</a></li>
                    <li><a href="http://www.cbsecsnip.in">Get Together</a></li>
                </ul>    
                <br style="clear: left;" />
            </div>
        </div>   
        </div>
        <div class="panel_container">        
<?php
include 'dbconnection.php';
if(login_check($mysqli) == true){ ?>
<div id="nav" class="image002-03">
        <span id="smalltext" 
            style="bottom: 0px; margin-bottom: 0px; padding-bottom: 0px; font-family: Calibri; font-size: large; text-align: center;">Service Menu</span>
        <ul id="ul1" class="serviceul">
            <li class="serviceli"><a href="unsolvedCSQPXI.php">Unsolved Question Papers</a></li>
            <li class="serviceli"><a href="unsolvedCSSPXI.php">Unsolved Sample Paper</a></li>
            <li class="serviceli"><a href="#">Notes</a></li>
            <li class="serviceli"><a href="prosamCSXI.php">Projects Samples</a></li>
            <li class="serviceli"><a href="#">Presentations</a></li>
            <li class="serviceli"><a href="#">Uploads</a></li>
            <li class="serviceli"><a href="downloads.php">Solved Materials</a></li>
            <li class="serviceli"><a href="forum.php">Forum</a></li>
            <li class="serviceli"><a href="#">Live Chat</a></li>        </ul>
</div>
<?php
}
else{        ?>
<div id="nav" class="image002-03">
        <span id="smalltext" 
            style="bottom: 0px; margin-bottom: 0px; padding-bottom: 0px; font-family: Calibri; font-size: large; text-align: center;">Service Menu</span>
        <ul id="ul1" class="serviceul">
            <li class="serviceli"><a href="unsolvedCSQPXI.php">Unsolved Question Papers</a></li>
            <li class="serviceli"><a href="unsolvedCSSPXI.php">Unsolved Sample Paper</a></li>
            <li class="serviceli"><a href="#">Notes</a></li>
            <li class="serviceli"><a href="prosamCSXI.php">Projects Samples</a></li>
            <li class="serviceli"><a href="#">Presentations</a></li>
            <li class="serviceli"><a href="login.php">Uploads</a></li>
            <li class="serviceli"><a href="login.php">Solved Materials</a></li>
            <li class="serviceli"><a href="login.php">Forum</a></li>
            <li class="serviceli"><a href="#">Live Chat</a></li>        </ul>
</div>
<?php } ?>
    <div class="image002-07">
        Site Map</div>
    <div class="image002-08">
        Advertisement
        </div>
    <div class="image002-09">
        Advertisement</div>
    <div id="content" class="image002-10">
    </div>
    <div class="image002-11">
    Advertisement
        </div>
    <div class="image002-13">
        Footer</div>
      </div>
    </div>
</body>    
</html>
If I try to see this page after login, then the page displays:
Fatal error: Cannot redeclare sec_session_start() (previously declared in C:\xampp\htdocs\secure\functions.php:5) in C:\xampp\htdocs\secure\functions.php on line 15
And the URL in the address bar is
And if I directly give the page URL in the address bar
then everything works fine till now.

Why am I getting the error when the sec_session_start() function is declared only once in the functions.php file?
 
Hiding or disabling the links is not enough to secure these pages from unwanted users.
You will need to set a cookie or session variable for logged in users & check for this when they arrive at the secured page.

Remember any page request is from an untrusted source until you have taken steps to validate it server side.

Trust No-one

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
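
Added example (not part of the thread and not the posters' code): a server-side guard for the pages marked "login required", covering both replies above (set a session flag, then test it on arrival at the secured page). It uses plain PHP sessions rather than the thread's `sec_session_start()` / `login_check()`, whose bodies are not shown; the file name `require_login.php` and the session key `user_id` are assumptions. Because the menu loads pages with jQuery `.load()`, the guard answers fragment requests with a 401 instead of a redirect.

```php
<?php
// require_login.php -- hypothetical file name; added example, not the site's code.
// Assumption: the login handler sets $_SESSION['user_id'] after a successful login.
declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by an earlier include
    }
    // Array form needs PHP 7.3+. Add 'secure' => true once the site runs on HTTPS.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Pure check, kept separate from the side effects below.
function is_logged_in(array $session): bool
{
    return !empty($session['user_id']);
}

// jQuery's .load() sends this header on same-origin requests. It only selects
// the response format; it never decides whether access is allowed.
function is_ajax_request(array $server): bool
{
    return strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
}

function require_login(string $loginUrl = 'login.php'): void
{
    start_session_once();
    if (is_logged_in($_SESSION)) {
        return; // valid login: let the protected page render
    }
    if (is_ajax_request($_SERVER)) {
        http_response_code(401); // fragment request: fail with no body
    } else {
        header('Location: ' . $loginUrl, true, 302);
    }
    exit; // nothing below the guard runs for an anonymous visitor
}

// At the very top of each protected page (downloads.php, forum.php), before any output:
//   require_once __DIR__ . '/require_login.php';
//   require_login();
```

With the guard in place, typing the URL of `downloads.php` into the address bar without a session produces a redirect to `login.php`, whatever links the menu shows.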
 
Thank you for consideration.

Yes I have already taken steps towards validating user through cookies, session and database. Encrypting their password and other methods also.
Well my issue is solved and working fine.

Thank you again
 