Page redirect based on refering page 1

[SteweGriffin]

Hello,

I have a page ( UploadFile.php ) that is access via another page ( LogIn.html ) which uses, at the moment, a predefined access code and password.

That works great.

What I would like to do is restrict access to UploadFile.php so that it will only open if the last / refering page is LogIn.html, thus stopping people from saving the UploadFile.php into the favorites and bypassing the LogIn.html page everytime.

I've been trying to do this and found some PHP code which uses $HTTP_REFERER, but I seem to be getting a NULL value from this, and end up going round in a loop

See Code ---
<?
$ref = $HTTP_REFERER;
$desired = '

http://www.mydomain.co.uk/LogIn.html';

if ($ref != $desired)
{
header('Location:

http://www.mydomain.co.uk/LogIn.html');

}
else
{
header('Location:

http://www.mydomain.co.uk/UploadFile.php');

}
?>
-----

I do not have access to my .htaccess file. Mt ISP will not allow me to.

Please can someone either point out where I am going wrong, or point me in the direction of a better way of doing this?

feherke and BigRed1212 on the html forum pointed out that if I stored the login info in $_SESSION and redirect the to the login page if is not logged in or the login expired, but I am VERY nex wo php and do not know how to do this.

My login page code is VERY simple, and could definately be better

code ---
<p class="style3" style="width: 460px; height: 31px;">Access Code       :
<input type="text" name="text2" style="width: 235px">
</p>
<p class="style1" style="width: 458px; height: 38px;"> Access Password :
<input type="password" name="text1" style="width: 233px"></p>
<p class="style2" style="width: 357px; height: 26px;">  <input type="button" value="Check In" name="Submit" style="color: #FFFFFF; background-color: #000000; background-image: url('images/btnbck.gif'); border-color: #000000"; onclick=javascript:validate(text2.value,"USERCODE",text1.value,"PASSWORDCODE") >
</p>
-----
I my defense, I was planing on encryping the page once I got it to work.

So any Advice will be great to get me going.

Thanks

 

[feherke]

Hi

I my defense, I was planing on encryping the page once I got it to work.

Do not mention this anywhere else. This is a very bad joke.

Here is a basic skeleton of how a simple authentication is usually done :

[teal]<?php[/teal]

[COLOR=darkgoldenrod]session_start[/color][teal]();[/teal]

[teal]?>[/teal]

[gray]<!-- ... -->[/gray]

[teal]<[/teal]form action[teal]=[/teal][green][i]"enter.php"[/i][/green] method[teal]=[/teal][green][i]"post"[/i][/green][teal]>[/teal]
User [teal]:[/teal] [teal]<[/teal]input type[teal]=[/teal][green][i]"text"[/i][/green] name[teal]=[/teal][green][i]"user"[/i][/green][teal]><[/teal]br[teal]>[/teal]
Pass [teal]:[/teal] [teal]<[/teal]input type[teal]=[/teal][green][i]"password"[/i][/green] name[teal]=[/teal][green][i]"pass"[/i][/green][teal]><[/teal]br[teal]>[/teal]
[teal]<[/teal]input type[teal]=[/teal][green][i]"submit"[/i][/green] value[teal]=[/teal][green][i]"Log in"[/i][/green][teal]>[/teal]
[teal]</[/teal]form[teal]>[/teal]

[teal]<?php[/teal]

[COLOR=darkgoldenrod]session_start[/color][teal]();[/teal]

[b]if[/b] [teal](![/teal][navy]$_POST[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]][/teal] [teal]||[/teal] [teal]![/teal][navy]$_POST[/navy][teal][[/teal][green][i]'pass'[/i][/green][teal]])[/teal] [teal]{[/teal]
  [COLOR=darkgoldenrod]header[/color][teal]([/teal][green][i]'Location: login.php'[/i][/green][teal]);[/teal]
  [b]exit[/b][teal];[/teal]
[teal]}[/teal]

[b]if[/b] [teal]([/teal][navy]$_POST[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]]==[/teal][green][i]'USERCODE'[/i][/green] [teal]&&[/teal] [navy]$_POST[/navy][teal][[/teal][green][i]'pass'[/i][/green][teal]]==[/teal][green][i]'PASSWORDCODE'[/i][/green][teal])[/teal] [navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]]=[/teal][navy]$_POST[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]];[/teal]

[teal]?>[/teal]

[gray]<!-- ... -->[/gray]

[teal]<?php[/teal] [b]if[/b] [teal]([/teal][navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]])[/teal] [teal]{[/teal] [teal]?>[/teal]

Now you are logged in [b]as[/b] user [teal]<?php[/teal] [b]echo[/b] [navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]];[/teal] [teal]?>.[/teal]

[teal]<?php[/teal] [teal]}[/teal] [b]else[/b] [teal]{[/teal] [teal]?>[/teal]

Login failed[teal].[/teal] Go back to the [teal]<[/teal]a href[teal]=[/teal][green][i]"login.php"[/i][/green][teal]>[/teal]login page[teal]</[/teal]a[teal]>[/teal] [b]and[/b] try again[teal].[/teal]

[teal]<?php[/teal] [teal]}[/teal] [teal]?>[/teal]

[teal]<?php[/teal]

[COLOR=darkgoldenrod]session_start[/color][teal]();[/teal]

[b]if[/b] [teal](![/teal] [navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]])[/teal] [teal]{[/teal]
  [COLOR=darkgoldenrod]header[/color][teal]([/teal][green][i]'Location: login.php'[/i][/green][teal]);[/teal]
  [b]exit[/b][teal];[/teal]
[teal]}[/teal]

[teal]?>[/teal]

[gray]<!-- ... -->[/gray]

Hello user [teal]<?php[/teal] [b]echo[/b] [navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]];[/teal] [teal]?>,[/teal] feel free to upload[teal].[/teal]

[teal]<?php[/teal]

[COLOR=darkgoldenrod]session_start[/color][teal]();[/teal]

[b]unset[/b][teal]([/teal][navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]]);[/teal]

[teal]?>[/teal]

[gray]<!-- ... -->[/gray]

You are now logged out[teal].[/teal]

Feherke.

http://free.rootshell.be/~feherke/

 

[SteweGriffin]

Hi feherke,
Thank again for the help and the very comprehensive code.
I cut and pasted them into my code, but I have a problem with the login script.

It dosn't matter what i put in as the usercode and passwordcode section, enter.php always tells me that i'm , logged in as USERCODE.

Can you advise please?

Thanks again

 

[feherke]

Hi

Can you advise please?

Yes. Post your enter.php so we can see what you combined there.

And please post your code between [tt][ignore]

[/ignore][/tt] and [tt][ignore]

[/ignore][/tt] TGML tags.

Feherke.

http://free.rootshell.be/~feherke/

 

[SteweGriffin]

Sure, thanks.

ENTER.php

<?php

session_start();

if (!$_POST['user'] || !$_POST['pass']) {
  header('Location: login.php');
  exit;
}

if ($_POST['user']=='USERCODE' && $_POST['pass']=='PASSWORDCODE') $_SESSION['user']=$_POST['user'];

?>

<!-- ... -->

<?php if ($_SESSION['user']) { ?>

Now you are logged in as user <?php echo $_SESSION['user']; ?>.

<?php } else { ?>

Login failed. Go back to the <a href="login.php">login page</a> and try again.

<?php } ?>

The <Form> code from my login page

<form action="enter.php" method="post">
<p class="style3" style="width: 460px; height: 31px;">Access Code&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 
  <input type="text" name="user">
</p>
<p class="style1" style="width: 458px; height: 38px;"> Access Password : 
<input type="password" name="pass"></p>
	<p class="style2" style="width: 357px; height: 26px;"> &nbsp;<input type="submit" value="Log in" value="Check In" name="Submit"  style="color: #FFFFFF; background-color: #000000; background-image: url('images/btnbck.gif'); border-color: #000000"; >
</p>
</form>

Chears

 

[feherke]

Hi

It dosn't matter what i put in as the usercode and passwordcode section, enter.php always tells me that i'm , logged in as USERCODE.

Oops. Your above quoted sentence made me think that you changed something in enter.php.

But finally I understood what you meant : I forgot the [tt]else[/tt] part to handle the authentication failure.

[teal]<?php[/teal]

[COLOR=darkgoldenrod]session_start[/color][teal]();[/teal]

[b]if[/b] [teal](![/teal][navy]$_POST[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]][/teal] [teal]||[/teal] [teal]![/teal][navy]$_POST[/navy][teal][[/teal][green][i]'pass'[/i][/green][teal]])[/teal] [teal]{[/teal]
  [COLOR=darkgoldenrod]header[/color][teal]([/teal][green][i]'Location: login.php'[/i][/green][teal]);[/teal]
  [b]exit[/b][teal];[/teal]
[teal]}[/teal]

[navy]$allowed[/navy][teal]=[/teal][b]array[/b][teal]([/teal]
  [green][i]'USERCODE'[/i][/green][teal]=>[/teal][green][i]'PASSWORDCODE'[/i][/green][teal],[/teal]
  [green][i]'foo'[/i][/green][teal]=>[/teal][green][i]'bar'[/i][/green][teal],[/teal]
  [green][i]'SteweGriffin'[/i][/green][teal]=>[/teal][green][i]'secret unguessable password'[/i][/green]
[teal]);[/teal]

[b]if[/b] [teal]([/teal][navy]$allowed[/navy][teal][[/teal][navy]$_POST[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]]]==[/teal][navy]$_POST[/navy][teal][[/teal][green][i]'pass'[/i][/green][teal]])[/teal] [navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]]=[/teal][navy]$_POST[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]];[/teal]
[highlight][b]else[/b] [b]unset[/b][teal]([/teal][navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]]);[/teal][/highlight]

[teal]?>[/teal]

[teal]<?php[/teal] [b]if[/b] [teal]([/teal][navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]])[/teal] [teal]{[/teal] [teal]?>[/teal]

Now you are logged in [b]as[/b] user [teal]<?php[/teal] [b]echo[/b] [navy]$_SESSION[/navy][teal][[/teal][green][i]'user'[/i][/green][teal]];[/teal] [teal]?>.[/teal]

[teal]<?php[/teal] [teal]}[/teal] [b]else[/b] [teal]{[/teal] [teal]?>[/teal]

Login failed[teal].[/teal] Go back to the [teal]<[/teal]a href[teal]=[/teal][green][i]"login.php"[/i][/green][teal]>[/teal]login page[teal]</[/teal]a[teal]>[/teal] [b]and[/b] try again[teal].[/teal]

[teal]<?php[/teal] [teal]}[/teal] [teal]?>[/teal]

By the way, I changed it abit during the testing for flexibility and to handle multiple user/password pairs. So the related [tt]if[/tt]'s condition also changed. But the highlighted [tt]else[/tt] code can be used with the original [tt]if[/tt] too.

Feherke.

http://free.rootshell.be/~feherke/

 

[SteweGriffin]

FANTASTIC.

Thanks Again Feherke.
I added the Logout php code to the successfull upload page to that ther automatically logged out on each upload.
Works like a charm.

Chears

 

[feherke]

Hi

I added the Logout php code to the successfull upload page to that ther automatically logged out on each upload.

Is that really necessary ?

If you mean that
[ul]
[li]each entered user/password pair is valid for only one upload[/li]
[li]the user/password pair has to be specified only for the upload and no other functionality uses it[/li]
[/ul]
then why are you using separate login and upload pages ? Just put all three [tt]input[/tt]s ( user, password, file ) on the same page. That would make both your and your visitor's life easier.

Feherke.

http://free.rootshell.be/~feherke/

 

[SteweGriffin]

The person that wanted this website done was specific on how they wanted it to work, which is why its done this way, however, I'll revist the design and see if I can incorporate your suggestion into it and sell the idea / design to them by showing them a working version.

Thanks