
Authenticating

Posted: Wed Mar 29, 2006 5:17 pm
by Bonzol
I have the code

validation page

if('bob' == $_POST['user_name'] and 'milk' == $_POST['password']) 
{   
    header('Location: authenticated.php');  
} 
elseif('larry' == $_POST['user_name'] and 'juice' == $_POST['password']) 
{ 
  header('Location: http://forums.devnetwork.net'); 
}
exit;

Authentication page

<?php 
session_start(); 
$_SESSION['authenticated'] = TRUE;
    header('Location: site.php');
?>

final site

<?php 
if(!$_SESSION['authenticated']) 
{ 
    header('Location: http://www.telstra.com'); 
} 
else
{ 
    header('Location: http://www.google.com.au'); 
}

?>

Now,

All I want to do is make sure that the 'final site' functions cannot be accessed unless the user is authenticated. Everything else works fine, except that the final site always thinks that the user is not authenticated. I know I'm not passing something correctly or something, can someone just give me a quick helping hand. When that page is accessed, even with the correct login, the end result will always link to 'http://www.telstra.com' instead of http://www.google.com.au, as I have put these links in for testing, just to see if it works. The correct result should link to google

thanx, a quick response would be most appreciated

thanx in advance

Posted: Wed Mar 29, 2006 5:18 pm
by malcolmboston
try?

<?php
session_start();
if(!$_SESSION['authenticated']) 
{ 
    header('Location: http://www.telstra.com'); 
} 
else
{ 
    header('Location: http://www.google.com.au'); 
}

?>

also putting

error_reporting('E_ALL')

may show a problem

Posted: Wed Mar 29, 2006 5:22 pm
by Bonzol
sweet, I think that worked


Can you please explain to me why moving the session start there made it work? What is the purpose of starting a session?

thanx heaps

Posted: Wed Mar 29, 2006 5:25 pm
by feyd
ahem

error_reporting(E_ALL);

;)

As for Bonzol's problem, redirection with starting sessions can backfire (the session may not be created) due to a short circuit that happens with the redirection.

So long as the session is created prior to the redirection page it will be fine, but if it's not, session_write_close() should be used.

Remember to use full URLs 100% of the time with a redirection. Relative redirection is non-standard and will cause problems for clients that do not support anything but the standards.

Posted: Wed Mar 29, 2006 5:32 pm
by Bonzol
sweet, thanx guys

one last quick question,

once someone has been authenticated, how do I make it time out, say after 10 mins, so after they time out they then have to log in again?

Posted: Wed Mar 29, 2006 6:22 pm
by feyd
The artificial way is to store a last call variable in the session. Calculate the difference between that time and when the script is called. When it happens, I trash the session, regenerate their ID and send them to the login screen.

Posted: Wed Mar 29, 2006 6:57 pm
by Christopher
Did anyone notice that you can be authenticated with the code above WITHOUT signing in, just by going to authenticated.php?

Posted: Wed Mar 29, 2006 7:02 pm
by Bonzol
Is there any way to fix that? I was assuming maybe it would be put in a secure folder on the webserver
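
An added example, not code from any poster in this thread, covering the bypass Christopher points out and the timeout feyd describes: the session flag is set only inside the function that checks the password, and every protected page calls one guard that starts the session and enforces a 10-minute idle limit. The file name auth.php, the function names and the login URL are assumptions.

```php
<?php
// auth.php - added example; names and LOGIN_URL are hypothetical.
const IDLE_LIMIT = 600; // 10 minutes, the timeout asked about in the thread
const LOGIN_URL  = 'http://example.com/login.php'; // placeholder absolute URL
// Constructed sample store holding the thread's test credentials.
const USERS = ['bob' => 'milk', 'larry' => 'juice'];

function redirect(string $url): void
{
    session_write_close();           // flush session data before redirecting
    header('Location: ' . $url);
    exit;                            // nothing after a redirect may run
}

// Validation page: login($_POST['user_name'] ?? '', $_POST['password'] ?? '').
// The flag is set in the same request that checked the password, so no
// separately reachable page (like authenticated.php) can grant it.
function login(string $user, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = USERS[$user] ?? null;
    if ($expected === null || !hash_equals($expected, $password)) {
        return false;
    }
    session_regenerate_id(true);     // fresh ID for the authenticated session
    $_SESSION['authenticated'] = true;
    $_SESSION['last_call'] = time();
    return true;
}

// Protected pages: require 'auth.php'; require_login(); before any output.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();             // without this, $_SESSION is never loaded
    }
    $idle = time() - ($_SESSION['last_call'] ?? 0);
    if (empty($_SESSION['authenticated']) || $idle > IDLE_LIMIT) {
        $_SESSION = [];              // trash the session data
        session_regenerate_id(true); // and give the visitor a new ID
        redirect(LOGIN_URL);
    }
    $_SESSION['last_call'] = time(); // activity resets the idle clock
}
```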