Log on script

Status
Not open for further replies.

deemarcus

Programmer
Aug 18, 2005
21
GB
Hi, I have the following script which allows users to log in (via a form on a previous page). This works perfectly fine, but how can I stop users from accessing an htm page directly without logging on?

Here is my validation code...

<?php
/* Check User Script */
include 'db.php'; // assumed to open the MySQL connection

// Convert to simple variables (empty string if the field was not posted)
$serialnumber = isset($_POST['serialnumber']) ? $_POST['serialnumber'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if ((!$serialnumber) || (!$password)) {
    // if either or both fields are empty then go back to userlogin.htm
    include 'userlogin.htm';
    exit();
}

// escape the input before it goes into the query (prevents SQL injection)
$safe_serial = mysql_real_escape_string($serialnumber);
$safe_password = mysql_real_escape_string($password);

// check if the user info validates the db
$sql = mysql_query("select * from users where serialnumber='$safe_serial' and password='$safe_password'");
$login_check = mysql_num_rows($sql);

if ($login_check > 0) {
    while ($row = mysql_fetch_array($sql)) {
        // copy each column of the row into a variable of the same name
        foreach ($row as $key => $val) {
            $$key = stripslashes($val);
        }
        // if the login is correct then set the cookie
        $cookie_val = crypt($serialnumber);
        // set the cookie so it dies when the browser is closed
        setcookie("this_cookie", $cookie_val, 0);
        print($cookie_val);

        // go to the relevant page
        if ($row['type'] == "Standard") {
            include 'userareastandard.htm';
        } elseif ($row['type'] == "Supplier") {
            include 'userareasupplier.htm';
        } elseif ($row['type'] == "Customer") {
            include 'userareacustomer.htm';
        }
    }
} else {
    include 'userlogin.htm';
}
?>

Please can someone advise?

Kindest regards,

Dee
 
It depends on what you want to do. One way would be to change the .htm pages into .php pages and insert an authentication test at the top. A better way would probably be to configure your server to deny direct requests for the .htm pages. I'm pretty sure Apache has .htaccess rules that can do this, but I couldn't tell you what they are.
 
Thanks for that, have added a validation script to the top of each page and turned them into php pages, works a treat!

Kindest thanks,

Dee
 
This is working fine now. How can I set up directory security so no-one can access files unless they have logged on via the above method? (without using .htaccess)

Regards,

Dee
 
When the user has successfully logged in, set a session variable. Test for that session variable at the very start of each and every php page (that you want to protect) and redirect to the login page should the session variable not be set.

Cheers,
Jeff

Jeff's Page @ Code Couch
 
Ah, don't check for the session variable if the user is requesting the login page (otherwise you will be redirecting the user in a loop). :)

Jeff

 
Thanks for replying, what happens if someone is trying to access a file directly (like a software upgrade file)?

Regards,

Dee
 
If the upgrade file is not a php file (.zip for instance), and you had no .htaccess, then you could write a "wrapper" php page that accepted some input parameter (to determine the "software upgrade file" that you want to deliver) and then returned the requested file only if the session variable was set correctly. The user would never know where the REAL .zip lives... they have to request it via your php wrapper.

Jeff


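An added example, not part of the original thread: one way to write the wrapper page described above, combined with the session check suggested earlier. The file name `download.php`, the session key `logged_in`, the `file` parameter, the directory path and the file names are all assumptions; the request selects a key from an allow-list rather than naming a path, so the parameter cannot be used to reach other files.

```php
<?php
// download.php - hypothetical wrapper page; every name below is an assumption.
session_start();

// Session flag assumed to be set by the login script after a successful login.
if (empty($_SESSION['logged_in'])) {
    header('Location: userlogin.htm');
    exit();
}

// Assumed storage directory outside the web root, so the server never
// serves these files directly and no .htaccess rule is needed.
$download_dir = '/var/private/upgrades';

// Allow-list: the request carries a key, never a file name or path.
$files = array(
    'upgrade-standard' => 'upgrade_standard.zip',
    'upgrade-supplier' => 'upgrade_supplier.zip',
);

$id = isset($_GET['file']) ? $_GET['file'] : '';
if (!is_string($id) || !isset($files[$id])) {
    // Unknown key (or an array was passed): reveal nothing about the layout.
    header('HTTP/1.0 404 Not Found');
    exit('Unknown file.');
}

$path = $download_dir . '/' . $files[$id];
if (!is_file($path) || !is_readable($path)) {
    header('HTTP/1.0 404 Not Found');
    exit('File not available.');
}

// Send the file as an attachment; the real location is never exposed.
header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . $files[$id] . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit();
```

A link such as `download.php?file=upgrade-standard` then delivers the archive only to a browser whose session carries the login flag.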
 