
how to make the logged in pages safe?

Posted: Wed Aug 19, 2009 4:48 pm
by fredelius
pickle | Please use [ code=php ], [ code=text ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


I have this PHP code on the login page. Then I want to keep a session to the next page so the visitors can only get to that page by logging in. Right now the visitors can type the address of the logged-in page and they get there. I want them to be sent back to the login page instead. I would be glad if someone could help me :)

Code: Select all

<?php
session_start();

// Known clients: the page each one is sent to, and its password.
$data = array(
    "client1" => array("url" => "client1.php", "password" => "client1"),
    "client2" => array("url" => "client2.php", "password" => "client2"),
);

if (isset($_POST['username']) && isset($_POST['password'])) {
    // Check that the user exists first: an unknown name would otherwise
    // give null, and null == '' is true with a loose comparison.
    if (isset($data[$_POST['username']])
        && $data[$_POST['username']]['password'] === $_POST['password']) {
        $_SESSION['username'] = $_POST['username'] . " " . $_POST['password'];
        header('Location: ' . $data[$_POST['username']]['url']);
    } else {
        login('Wrong user name or password. <br>');
    }
} else {
    login();
}
?><?php

function login($response='Här loggar du in.') {

?>


Re: how to make the logged in pages safe?

Posted: Thu Aug 20, 2009 4:02 am
by robnet
If you create a new session var (e.g. $_SESSION['loggedin']) during the login script you can check for this on other pages:

Code: Select all

if (isset($_SESSION['loggedin'])) {
    // logged in
} else {
    // header redirect to login page
}
Don't forget to unset it (or destroy the session) when the user logs out!

Re: how to make the logged in pages safe?

Posted: Thu Aug 20, 2009 1:02 pm
by post_phobic
robnet wrote: Don't forget to unset it (or destroy the session) when the user logs out!
Hopefully not threadjacking too much, but would this be an appropriate way to destroy all of the user's session variables?

Code: Select all

 
    function logOut() {
        session_destroy();
        $_SESSION = array();
    }
 

Re: how to make the logged in pages safe?

Posted: Thu Aug 20, 2009 1:15 pm
by jackpf
I don't think you need the second line.

session_destroy() should wipe all data from the current session. The only thing it doesn't do is unset the cookie. If you wanted to, you'd have to do it manually:

Code: Select all

setcookie('cookie_name', null, -1000, '/', 'yourdomain.com');

Re: how to make the logged in pages safe?

Posted: Thu Aug 20, 2009 3:59 pm
by post_phobic
jackpf wrote:

Code: Select all

setcookie('cookie_name', null, -1000, '/', 'yourdomain.com');
Good to know, thanks for the code!

Re: how to make the logged in pages safe?

Posted: Mon Aug 24, 2009 5:00 am
by Mordred
Important correction:
robnet wrote: If you create a new session var (e.g. $_SESSION['loggedin']) during the login script you can check for this on other pages:

Code: Select all

if (isset($_SESSION['loggedin'])) {
    // logged in
} else {
    // header redirect to login page
    exit(); // otherwise the script below will continue executing!
}
Don't forget to unset it (or destroy the session) when the user logs out!

Re: how to make the logged in pages safe?

Posted: Sun Aug 30, 2009 2:46 am
by kaisellgren
session_destroy() will destroy the session data. However, the data will remain in memory for the rest of the execution, but that is not a problem.
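
The pieces discussed in this thread (a session flag set at login, a check with exit on every protected page, and a logout that clears the data, the cookie and the session) combined into one include file, as an added example that is not code from any of the posters. The login.php URL, the 'loggedin' key and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. 'login.php', the 'loggedin'
// key and the function names are assumed for illustration.

// Call at the very top of every protected page, before any output.
function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['loggedin'])) {
        header('Location: ' . $loginUrl);
        exit; // without this the rest of the protected page still runs
    }
}

// Call from the login script once the password check has succeeded.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);       // issue a new session id, drop the old one
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username; // keep the name only, not the password
}

// Call from the logout page.
function log_out(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = array();               // clear the data for the rest of this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the session cookie using the same path and domain it was set with.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                 // remove the server-side session data
}
```

A protected page such as client1.php would include this file and call require_login() as its first statement.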