Password Protect Page

[likelylad]

I have a page that asks the user for a username and password. This is then checked against a mysql database.

If the username and password are verified then you are redirected to a page.(lets call it page1.php)

If the username and password are not verified then you are redirected to another page.(lets call it page2.php)

My question is, how do I stop the user from going directly to page1.php and bypassing the username/password page.(i.e. the only way for a user to use page1.php is to go through the username/password page)

 

[Bastien]

set a session vairable in the page the does the log in...then check for the variable on the next page...if it exists then allow the user to see the page, if not then redirect them back to the login page Bastien

There are many ways to skin this cat,
but it still tastes like chicken

 

[DaveShaw]

You Could also use an include file that checks the session variables against the ones in the mysql database. Each time they view a page the user will have thier data authenticated. If the user is not valid re-direct them to the login page, else show them the rest of the document.

P.S. Only store encrypted passwords in Sessions Thanx Dave Shaw!

 

[sleipnir214]

Viper1777,

The actual data of a session is stored only on the server. The only thing stored on the browser is a cookie which tells PHP where the session data was stored. Using encrypted passwords makes no difference whatsoever. ______________________________________________________________________

http://www.tuxedo.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[DaveShaw]

sleipnir214,
Depends Who Owns The Server... Thanx Dave Shaw!

 

[likelylad]

Is this what I should do??
On the username/password page, before the redirection of the page I should place the following code
<?PHP
session_start();
session_register(“mystring”);
$mystring = “testing for a string”;
?>

On page1.php I should have the following
<?PHP
If ($_get[mystring]=&quot;testing for a string&quot{
code here }
Else {
Code Here }
?>

 

[danielhozac]

Not

$_get[mystring]

but

$_SESSION['mystring']

//Daniel

 

[likelylad]

On Page1.php I put the following
<?PHP
If ($_SESSION['mystring']=&quot;testing for a string&quot{
echo &quot;it works&quot;;
}
else
{
echo &quot;it doesn't work&quot;;
}
?>

When I go directly to page1.php it gives me the &quot;it works&quot; result, and it shouldn't.

When I was looking for more information on this problem I came across the following function

session_is_registered
How do I use this????

 

[danielhozac]

If ($_SESSION['mystring']="testing for a string"){

should be

If ($_SESSION['mystring']=="testing for a string"){

And

http://www.php.net/manual/en/function.session-is-registered.php

tells you all about the function, though this is part of the &quot;old&quot; session functions. Now you can just use isset($_SESSION['variable']) instead. //Daniel

 

[likelylad]

Hi Daniel

Still no joy.
Have you any more ideas how to approach this problem.

I also tried the following (based on the hyperlink you supplied)
On Username/Password Page
session_start();
$_SESSION['mystring']=&quot;testing for a string&quot;;

On Page1.php
If (isset($_SESSION['mystring']=&quot;testing for a string&quot){

 

[mweinstock]

If (isset($_SESSION['mystring']="testing for a string")){

You're still setting the variable here, rather than comparing. Use a double =, as in == to compare. --
How can you be in two places at once when you're not anywhere at all?

 

[sleipnir214]

That whole line is cockeyed.

The line should either read:

If (isset($_SESSION['mystring'])) {

or

if ($_SESSION['mystring'] == &quot;testing for a string&quot{


But not both at once. I recommend that you perform the first test to insure the variable is there, then perform the second inside the first to see if it contains the value you need. ______________________________________________________________________

http://www.tuxedo.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[likelylad]

Sorry lads none of that worked.

When I opened up the session file it contained the following.
mystring|s:20:&quot;testing for a string&quot;;

The problem appears that I am not reading the information in the file.
Is there any settings within the php.ini file that I can double check???????

 

[sleipnir214]

Here's the test to see whether your system is opening and parsing the session store:

Create a file called &quot;a.php&quot; which reads:

<?php
$a = &quot;exists&quot;;
session_start();
session_register(&quot;a&quot;);
print &quot;set&quot;;
?>

If your version of PHP is 4.1.0 or newer, create a file called &quot;b.php&quot; which reads:

<?php
session_start();
print &quot;<pre>&quot;;
print_r($_SESSION);
?>

otherwise, create the file to read:

<?php
session_start();
print &quot;<pre>&quot;;
print_r($HTTP_SESSION_VARS);
?>

Point your browser to a.php on your web site. You should see just the word &quot;set&quot;. Then point your browser to b.php. You should see something like:

Array
(
    [a] => exists
)

______________________________________________________________________

http://www.tuxedo.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[LTeeple]

How about on the logon page - set a variable, like $allowed to 1 (if the authorization was successful).
the have something like

if ($authorized) {
echo &quot;<form name=authorized action=newpage.php method=post>&quot;;
echo &quot;<input type=hidden name=allowed value=yes>&quot;;
echo &quot;</form&quot;;
echo &quot;<script language=javascript type=text/javascript>&quot;;
echo &quot;document.authorized.submit();&quot;;
echo &quot;</script&quot;;

then check for the value on newpage.php
$allowed=$HTTP_POST_VARS['allowed'];
if ($allowed != 'yes'){
 header (&quot;Location: [URL unfurl="true"]http://loginpage.php&quot;);[/URL]
else {
  new page stuff
}

If anyone things something's wrong with this, lemme know! I was thinking about doing it for a page of my own, and I'd like to hear from you. (it does work, I'm curious of security concerns)

Cheers!
Laura

 

[LTeeple]

Geez, sorry about that, I got my variables mixed up! I'm usually more careful...

if ($allowed) {
echo &quot;<form name=authorized action=newpage.php method=post>&quot;;
echo &quot;<input type=hidden name=allowed value=yes>&quot;;
echo &quot;</form>&quot;;
echo &quot;<script language=javascript type=text/javascript>&quot;;
echo &quot;document.authorized.submit();&quot;;
echo &quot;</script>&quot;;
}
then check for the value on newpage.php

$allowed=$HTTP_POST_VARS['allowed'];
if ($allowed != 'yes'){
 header (&quot;Location: [URL unfurl="true"]http://loginpage.php&quot;);[/URL] //redirects back to login page
else {
  new page stuff
}

Cheers!
Laura

 

[likelylad]

Hi sleipnir214

When opening both files, I seen exactly what you said I should see.

 

[sleipnir214]

Then PHP is opening and parsing the session store correctly. It must be an error in your code. ______________________________________________________________________

http://www.tuxedo.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[likelylad]

Hi All

I eventually came up with the solution that works for me

On the username/password page
<?PHP
session_start();
session_register('first_name');
$_SESSION['first_name'] = &quot;hello&quot;;
?>

On the second page
<?PHP
session_start();
If ($_SESSION['first_name']== 'hello'){
echo &quot;it works&quot;;
}
else
{
echo &quot;it doesn't work&quot;;
}
?>