
securing folders php -ooops!

Status
Not open for further replies.

frodiggs

Technical User
Apr 16, 2002
15
US
i have created a basic php login script that connects to mssql and takes users to a specific path/url on my IIS5 box if the password and username match.

i now realized that once you get to the url you can easily bookmark it and avoid the login page altogether. how would i restrict access to the folder without using NTFS and conflicting with the php login?

i would like any access to the folder/files to revert the user to the login page. do i use sessions?

any help would be great!
 
Set up a session variable that gets set when someone successfully logs in. At the beginning of each page, check that the variable has been set, if not take them to the login page.
 
right that makes sense. my login form is login.htm and POSTS to login.php. i would create the session in the php page i assume.

also when you say 'At the beginning of each page, check that the variable has been set, if not take them to the login page.' you mean the pages in my 'secure' folder? you mean do a small php script at the beginning of each page to check to see if a session was set up.

lastly can you point me to the basic commands so i can get some basic direction?

thanks again mprogg!
 
At the beginning of each page, before your <html> tag, you will want to check whether the variable has been set or not (depending on how you want to do it). The logged_in variable should be global to that user.
<?php
session_start();
// logged_in is set in the session by the login script
if (empty($_SESSION['logged_in'])) {
    include("your login page");
    exit; // stop here so the rest of the protected page is not sent
}
?>
start html code here
 
thanks. i got really busy with other things. i'll try this. i'm getting a lot of code and a bit confused at the same time.

this is a snippet of the code from the login page->

if (($variable2 != $loginname) OR ($variable3 != $passwd))
{
echo "<font size=4 color='fffff'><br>Login Failed. <br><br></font>";
echo "<font size=2>Please check with your Account<br> Manager for the Account password. <br><br></font>";
echo "<font size=2>Use your BACK button to try again. <br><br></font>";
exit;
}
else
{
session_start();
session_register('accesslogin');
echo "<meta http-equiv='refresh' content='0; url=$variable4'>";
}
---------------------------------------------------
so with the
if(!logged_in) the 'logged_in' should be changed to my session name?
 
i think i need to check my php.ini. i can still pull up these pages without logging in.

like i mentioned i am basically taking your advice and creating a session for each login. (specific session name- not a variable though) and i presume checking for that session at the beginning of each page.
 
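in ALL the pages in the restricted zone, just do this:

session_start();
// not logged in: redirect, then stop so the rest of the page is never sent
if (empty($_SESSION['login'])) { header("Location: /"); exit; }

in the script where you validate the user:
if ($user_ok){ // $user_ok: true when the username/password check passed
...
$_SESSION['login']=$user_login; // $user_login: the login name just verified
}

This way you prevent the user from going to restricted areas without logging in to your site.
Anikin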
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
 
i must be stupid or crazy or both. i know i am very new to php but i put this at the beginning of the HTML page

<?php
session_start();
if(!$_SESSION[accesslogin]) Header("login.php");
?>
<html>
<head>

and nothing happens. am i doing this all wrong? could it be settings in php.ini? my login page does work.

also i was not quite sure of the code and which was variables:

if (user is ok){
...
$_SESSION[login]=user_login;
}

can you place it in context with the code of the login page (May 2, 2002 post)? thanks
 
cause you are registering the var login and then you are checking the var accesslogin.

change the if to $_SESSION[login]
Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
 
thanks. i can still access the restricted pages with no redirect. very odd.

if i place the code->

session_start();
if (!$_SESSION[login]) Header("Location: /");

at the beginning of a page, before the HTML should it not redirect the page to the var in the "location:"?

i have been given many similar examples to put at the beginning of each page but i can still ALWAYS access the page. i get nothing, no error or anything. i think if i get a better understanding of why this is happening i can move forward.

i appreciate the help by the way!

 
Anikin your recent post to my other thread seems to make a bit more sense, thanks!

is the problem here because i do not have the file you mentioned session_restricted.php?

 
the only thing the file will have will be these 2 lines:

session_start();
if (empty($_SESSION['login'])) { header("Location: /"); exit; }

you don't need more in that file.

Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
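
Added example, not part of any post in this thread: one way to write the session_restricted.php gate discussed above for current PHP versions, together with the login-side call that sets the session key. The function names and the /login.htm path are assumptions; the 'login' key and the file names come from the thread.

```php
<?php
// Added example. Save as session_restricted.php (file name from the thread).
// At the very top of every protected page, before any output, do:
//     require __DIR__ . '/session_restricted.php';
//     require_login();
// The check only runs when the server executes the page through PHP.

const LOGIN_PAGE = '/login.htm';   // assumption: the login form sits at the site root

// True only when the login script stored a non-empty user name under 'login'.
function is_logged_in(array $session): bool
{
    return isset($session['login'])
        && is_string($session['login'])
        && $session['login'] !== '';
}

// Gate for protected pages: redirect anonymous visitors and stop the script.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        // A redirect needs the full "Location: <url>" header line;
        // header("login.php") on its own does not redirect anything.
        header('Location: ' . LOGIN_PAGE, true, 302);
        // Without exit the rest of the protected page is still sent in the
        // response body, so a client that ignores the redirect can read it.
        exit;
    }
}

// Call from login.php only after the user name and password have been verified.
function mark_logged_in(string $user): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // fresh session id at login (blocks session fixation)
    $_SESSION['login'] = $user;    // same key that require_login() checks
}
```

The key written by mark_logged_in() and the key read by require_login() must be identical; a mismatch between the two leaves every visitor treated as logged out.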
 
Remember to use $_SESSION[variablename] you must be using (I think) PHP version 4.2.0 and higher...older versions don't have the SUPERGlobals...
 
the superglobals were introduced in version 4.1.0.

as he didn't say which version it was, i assumed the last one.
Anikin
Hugo Alexandre Dias
Web-Programmer
anikin_jedi@hotmail.com
 