authentication
I have just started studying PHP. I have a problem concerning authentication like this! I have two files, "login.php" and "member.php". In login.php I use the code "header" to redirect the user to "member.php" if he gives the correct password! But the problem is that if the user knows that I have two files like this, he would come directly to "member.php" without completing the procedure in "login.php"! How can I solve this problem? I know I have to put some code in the head of member.php to connect to login.php but I don't know exactly about this! Can you help me?
1veedo
First off, this doesn't go in General Discussion. I'd do it in the same file but it looks like you're going to have to send hidden variables - like in forms. I can't help you past that..
The problem [obviously] is that the user has to select go or continue. I'm sure there's a way to forward with JavaScript and include hidden values.
Code:
<form action=".......php" method="post">
<input type="hidden" value="true" name="authentication">....
One simple solution for PHP scripts which you don't want to be directly addressed is to put them in a directory protected with .htaccess:
Order deny,allow
deny from all
Better still, store them outside the web root altogether. PHP can include these scripts but you can't point a browser at them.
You must still check user privileges in scripts before granting access to restricted data. For example, sessions are commonly used to store user data set at login. You could add something in member.php to test for that.
Well there's another solution:
In login.php you set a session variable (through $_SESSION, look it up in the PHP reference and look up the function session_start() too) as soon as the member inserts the right username and password. Then in member.php, at the top of all, you check if the session variable is set; if it is not, you redirect the user to login.php!
Ciao from Italy!
Perhaps something like this would suit ya fancy (using the session, I use cookies):
Code:
<?php
// Resume the session so that $_SESSION is populated on this request
session_start();
if (isset($_SESSION['user'])) {
    // show your page
} else {
    // show the login screen
}
?>
Creating a check.php
Hi Kurumi,
I used to have the same problem as you. I am not sure how you code the authentication system but I would assume you have a Login ID, Login Pass and a file that stores these values.
What you can do is:
Step 1: Login.php
Asks user to enter ID and Pass -> authenticate against the values stored in the password file. If values match, start session with 2 session variables (ID & Pass) and forward the user to member.php.
If authentication fails, do not start session and return to login.php.
Step 2: check.php
Create a check.php that will check the 2 session variables against the file. If the check fails, forward the user to login.php.
Step 3: Include check.php
Use 'include check.php' in front of all the code of your protected pages. This way, the ID and pass of the user will always be checked whenever he enters a protected page. If the check fails, the user will be forwarded to login.php (nature of check.php) even before the rest of the code of the page is loaded. This will protect the page.
This works because of the nature of sessions. Session variables will only be destroyed when the browser is closed or manually destroyed by the user. So the users are only required to log in once. But the server will always check whenever a protected page is loaded.
I'm not sure if this has any other flaws but it has worked for me so far.
Regards
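The session gate discussed in this thread, written out as an added example that is not code from any poster: a single check.php that login.php and member.php both include. The file names come from the thread; the user store, the form field names and the function names are hypothetical, and PHP 7.1 or later is assumed. This variant keeps only the user ID in the session and verifies the password once, against a hash, at login.

```php
<?php
// check.php (added example): include at the very top of login.php and of
// every protected page, before any output is sent.
session_start();

// Constructed sample user store (hypothetical): ID => password hash.
// A real deployment reads stored hashes instead of hashing on every request.
function load_users(): array
{
    return ['alice' => password_hash('constructed-sample-pass', PASSWORD_DEFAULT)];
}

// Called from login.php with the submitted form values.
function attempt_login(string $id, string $pass): bool
{
    $users = load_users();
    if (!isset($users[$id]) || !password_verify($pass, $users[$id])) {
        return false;               // nothing is written to the session on failure
    }
    session_regenerate_id(true);    // fresh session ID once the user is authenticated
    $_SESSION['user'] = $id;        // identity only; the password is never stored
    return true;
}

// Called from member.php and any other protected page.
function require_login(): void
{
    if (!isset($_SESSION['user'])) {
        header('Location: login.php');
        exit;                       // without exit the rest of the page still executes
    }
}

// login.php (form field names 'id' and 'pass' are assumptions):
//   require 'check.php';
//   if (attempt_login($_POST['id'] ?? '', $_POST['pass'] ?? '')) {
//       header('Location: member.php');
//       exit;
//   }
//
// member.php:
//   require 'check.php';
//   require_login();
//   echo 'Members only';
```

A request that goes straight to member.php without a logged-in session is redirected before any member content is produced, because the check runs on the server on every load.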