3

I am creating a content management website with a login page at the back end.

I have created a working login page for the main menu of the content management system.

The below images show my code.

1st Step - User visits the URL of main menu for content management system: Code shown below.

<?php
session_start();

echo $_SESSION['valid_user'];

if(!isset($_SESSION['valid_user']))
{
$URL="error.php";
header("Location: $URL");
}
  ?>

Two things can happen. 1: if they have not logged in before, they will be directed to an error page. They can then select to visit the login page and log in using their user name and pswd.

I have declared <?php start_session(); ?> at the top

<?php

$login = $_POST['name'];
$loginpass =$_POST['password'];

 if((isset($login)) || (isset($loginpass))){

    //echo "<p> form has been submitted</p>";

    include("connect.php");

    $query = "select * from logins where 
        username='$login' and pswd=MD5('$loginpass')";
      $result = mysql_query($query) or die($query."<br/><br/>".mysql_error());

    $count=mysql_num_rows($result);
    echo $count;

if($count > 0){

   echo "<p>you are logged in as $login please 
   go to <a href='home2.php'>edt     home</a>.</p>";
    echo "<p><a href='logout.php'>log out</a> $login?</p>";
    $_SESSION['valid_user'] = $login;

}else{

    echo "<p>sorry login failed</p>";

}

  }else{

    //echo "<p> form  hasn't been submitted</p>";
    //Visitor needs to enter a name and password                
    echo "<h1>Please Log In</h1> <form method='post' action='index2.php'>";
    echo "<p>Username: <input type='text'name='name'></p>";
    echo "<p>Password: <input type='password' name='password'></p>";
    echo "<p><input type='submit' name='submit' value='Log In'></p></form>";        
 }


 ?>

So far all of that functionality works fine for me.

However, I want to make sure that if the user bypasses the home url and decides to jump straight to a section within the edit menu, they will be either forced to login, if they have not already, or, the php will check their credentials if they have logged in.

This is an example of the code I have at the top of the page I want to place my validation on. I'm not sure if already having a database table connection at the top will affect the session variable.

 <?php

include("connect.php");
//echo "all good here";


//grab the data from the table 'designs'
$query ="SELECT * FROM designs ORDER BY id";


//send SQL statement to MySQL server
$display = mysql_query($query);
$num = mysql_numrows($display);


 mysql_close();
 ?>

I know I want to place PHP scripts on all of the PHP pages that check the 'valid_user' session variable is set and also give the user the ability to log out by pointing to the logout.php file. I'm just not sure how to go about doing it at this point.

I am very new to all this and generally understand following a clear guide, like most people I'm sure.

Any help anyone could give would be greatly appreciated

Thanks again!

    Please sanitize your database inputs before doing anything else: roshanbh.com.np/2007/12/… Commented Dec 13, 2012 at 14:54

3 Answers

5

Basically you'd just have something like this snippet on each of your "protected" pages:

<?php

session_start();
if (!isset($_SESSION['valid_user'])) {
   header("Location: login.php");
   exit();
}
?>
<a href="logout.php">Logout</a>

If they're logged in, they get a logout link and the rest of the page. If they haven't logged in, they get redirected to the login page.

Sessions are not affected by database connections, or ANY OTHER code. They ARE affected by having performed output before you start the session, or try to do a redirect. That'd trigger the "cannot modify headers - output started at line XXX" warning and disable the redirect.


4 Comments

Thank you for your reply, the code you provided makes sense and I'm placing it at the very top of a protected page, however I still trigger my "cannot modify header - output started" error. It is confusing me because I have not done anything before I start the session. :/
ANYTHING outside of a PHP <? ... ?> code block, including a Unicode BOM, can trigger output.
Do you mean anything outside that is above the <? ... ?>? Because my line of code literally starts, nothing else behind it. It's at line 1 in my editor. ...<?php session_start(); if (!isset($_SESSION['valid_user'])) { header("Location: login.php"); exit(); } ?>
There can still be warnings issued by PHP and whatnot. Use something like HttpFox or Firebug's Net tab to look at the raw response.
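
The per-page check from this answer, written as a single include that also reports where early output started (the cause of the "cannot modify headers" warning discussed in the comments). This is an added example, not code from the answer or its author; the file name `auth_guard.php` and the function `require_login()` are hypothetical.

```php
<?php
// auth_guard.php -- hypothetical include; require it as the very first line of each protected page.
declare(strict_types=1);

function require_login(string $loginUrl = 'login.php'): string
{
    // If anything (a BOM, whitespace before the opening tag, a PHP warning) was
    // already sent, header() cannot redirect. Log where the output began and stop,
    // rather than letting the protected page render to an anonymous visitor.
    if (headers_sent($file, $line)) {
        error_log("auth guard: output already started at $file:$line");
        exit('Not authorized.');
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (!isset($_SESSION['valid_user']) || !is_string($_SESSION['valid_user'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit; // without this, the rest of the protected page still executes
    }

    return $_SESSION['valid_user'];
}

$user = require_login();
// Escape on output: the user name originally came from a login form.
echo '<p>Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
   . ' | <a href="logout.php">Logout</a></p>';
```

The `$file:$line` written to the error log names the script and line that produced the first byte of output, which is usually quicker than inspecting the raw response.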
1

You should only need to validate the user's credentials after they submit their information to the login page. You can then set a session variable (here it seems you are using $valid_user) and if that variable exists, then they have already authenticated.

You should in fact never be storing their password anywhere on your system for security reasons. You should be hashing their password input on the login page and then comparing that to the hashed database value.

You can have a user log in more than once for added security (phpBB does this when you move from registered user content to admin content, for example) though it is not necessary for general purpose security.

Does that answer your question?

1 Comment

How would I set the session variable for a $valid_user on each page? Apologies, I'm new to all this. Thank you for your reply though.
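
A login check that compares the submitted password against a stored hash, as this answer describes, and binds the user name as a query parameter, as the comment on the question asks. This is an added example, not code from the answer: it uses PDO with `password_hash()`/`password_verify()` instead of the question's `mysql_*` calls and `MD5()`, and the in-memory SQLite table, the accounts and the functions `check_login()` and `log_in()` are constructed for the demo.

```php
<?php
// Constructed demo: an in-memory SQLite table stands in for the question's `logins` table.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE logins (username TEXT PRIMARY KEY, pswd TEXT NOT NULL)');

// At registration only the salted hash is stored, never the password itself.
$add = $pdo->prepare('INSERT INTO logins (username, pswd) VALUES (?, ?)');
$add->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);  // constructed account
$add->execute(["o'neil", password_hash('battery staple', PASSWORD_DEFAULT)]); // constructed account

function check_login(PDO $pdo, string $name, string $password): bool
{
    // The placeholder binds the value; user input never becomes part of the SQL text,
    // so a quote in the name is just a character, not query syntax.
    $stmt = $pdo->prepare('SELECT pswd FROM logins WHERE username = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn(); // false when no such user

    // password_verify() re-derives the hash with the stored salt and compares safely.
    return is_string($hash) && password_verify($password, $hash);
}

function log_in(PDO $pdo, string $name, string $password): bool
{
    if (!check_login($pdo, $name, $password)) {
        return false;
    }
    // Assumes the calling page already ran session_start(); skipped on the CLI.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
    }
    $_SESSION['valid_user'] = $name; // the flag the protected pages test with isset()
    return true;
}

// Constructed inputs: a good login, a wrong password, a name containing a quote, an unknown user.
$tries = [['alice', 'correct horse'], ['alice', 'wrong'], ["o'neil", 'battery staple'], ['bob', 'x']];
foreach ($tries as [$n, $p]) {
    printf("%-8s => %s\n", $n, log_in($pdo, $n, $p) ? 'logged in' : 'rejected');
}
```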
0

Use the global variable on top of every page after session_start()

$_SESSION['username'];
