Securing multiple pages

Posted: Sun Jan 16, 2011 4:02 am
by shehan31
Hello everyone;
I have developed a site and it contains multiple pages. The pages are listed on the home page. I am looking for a method where the user logs in once and it works for the other listed pages as well. Ex: if I log into my home page using my login password, I would be able to view all the pages listed on the home page. Yes, that does not need any method, but my question is: if someone types in the address bar of the web page, let's say, www.devnet.com/accounts.php, he will be able to view all the info in the accounts page, which is under the home page. If I use the <?php include ?> syntax, it will ask for the user's name and password each time a user wants to visit that page via the home page.
I have found a piece of code on the net and it does not contain what I wanted.

Code: Select all

<?php
// Check if login button has been pressed
if (isset($_POST['login'])) {
    // Define admin username and password
    $a_username = "test";
    $a_password = "pass";
    // Define $_POST's from form text fields
    $username = $_POST['username'];
    $password = $_POST['password'];
    // Add some stripslashes
    $username = stripslashes($username);
    $password = stripslashes($password);
    // Check if username and password is good, if it is it will start session
    if ($username == $a_username && $password == $a_password) {
        session_start();
        $_SESSION['s_logged_n'] = 'true';
        $_SESSION['s_username'] = $username;
        // Echo message for successful login (escaped, because $username is user input)
        echo "Congratulations " . htmlspecialchars($username) . ", you may now proceed to the <a href=\"admin.php\">admin area</a>!";
    } else {
        // If username and or pass is incorrect then output it
        // (the submitted password is not echoed back into the page)
        echo "Username " . htmlspecialchars($username) . " or password is incorrect, please try again";
    }
} else {
    // If someone just opens login.php tell them to use the login form
    echo "Please use <a href=\"form.php\">form</a> to login";
}

I have found something called sessions; does it help?
Can someone help?
Regards
Shehan31

Re: Securing multiple pages

Posted: Tue Jan 18, 2011 2:01 am
by Peter Kelly
Hi, yes, I believe what you are looking for is sessions, but I have written a user system tutorial which I think is what you are ideally looking for. It's only simple but there are more additions coming in the further parts. The link is http://www.peter-kelly.me/tutorials/user-system-part-1/

I'm not sure if I am allowed to post the link but if a moderator removes it just PM me and I will send it to you :).

Re: Securing multiple pages

Posted: Tue Jan 18, 2011 11:59 am
by social_experiment
You create a page that checks whether certain conditions are met; if they are, your user is logged in, if not, redirect. Is this what you are referring to?

Re: Securing multiple pages

Posted: Wed Jan 19, 2011 4:46 am
by shehan31
social_experiment wrote: You create a page that checks whether certain conditions are met; if they are, your user is logged in, if not, redirect. Is this what you are referring to?
Hi social;
Thank you for the reply. The idea is the page has about 5 tabs. Ex: home, accounts, summary, refunds, stock control. Each tab has five separate PHP scripts. Once the user has logged in he should be able to see everything and it should not be accessible from outside (Ex: if you type http//forums.devnet.net/accounts.php, then it should be redirected to the login form).

Re: Securing multiple pages

Posted: Wed Jan 19, 2011 11:16 am
by social_experiment
Yes, that is referred to as an 'auth' page (unofficially, probably). You set some session variables when you log in and then the 'auth' page checks if these values are set each time a 'protected' page is accessed. If the conditions are not met, the user is probably NOT logged in and trying to access the pages incorrectly and invalidly, and they are redirected to a page of your choice.

Code: Select all

<?php
session_start();

// Treat the visitor as logged out if either session value is missing or empty
if ( !isset($_SESSION['member_id']) || trim($_SESSION['member_id']) == '' || !isset($_SESSION['member_name']) ) {
    unset($_SESSION['member_id']);
    unset($_SESSION['member_name']);
    header("location: somepage.php");
    session_destroy();
    exit();
}
?>
Hth

Re: Securing multiple pages

Posted: Thu Jan 20, 2011 3:56 am
by shehan31
Hi Social;
Thank you for the reply. Here is my code and I am trying to understand the functionality of both the sessions and the cookies.

Code: Select all

<?php

$connect = mysql_connect("localhost", "root", "") or die("error");
mysql_select_db("guestbook") or die("Error Connecting With The Database");

if (isset($_POST['Login'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    // Escape the form values before they go into the SQL string
    $sql = mysql_query("SELECT * FROM login WHERE user='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($password) . "'") or die(" error with table");
    $nr = mysql_num_rows($sql);
    if ($nr == 0) {
        echo "you are not authorized";
    } else {
        $info = mysql_fetch_array($sql);
        echo "you are authorized";
    }
}
echo "
 <div id='second_table' style='float: left; width: 800px; position:absolute; top:250px; right:300px'>

 <form action='useradd.php' method='post'>
  <table>
   <tr>
        <td>
         <font size='5' face='times new roman'>Username</font>
        </td>
        <td>
        <input type='text' name='username' maxlength='200'>
        </td>
   </tr>
   <tr>
        <td><br><br>
         <font size='5' face='times new roman'>Password</font>
        </td>
        <td>
        <input type='password' name='password' maxlength='200'>
        </td>
   </tr>
   <tr>
       <td align='center' valign='top' colspan='2'>
        <input type='submit' name='Login' value='Login'>
       </td>
   </tr>
  </table>
 </form>
 </div>";
?>

Re: Securing multiple pages

Posted: Thu Jan 20, 2011 10:48 am
by social_experiment
shehan31 wrote: I am trying to understand the functionality of both the sessions and the cookies.
In the 'auth' page you use them to remember certain values. Cookies work on a similar principle (remembering information). Once you have logged in the user, regenerate the session id and redirect the user to a 'logged in' page. From there, your 'auth' page is included at the top of all the pages you want to protect. If you want to learn more about sessions and cookies try Google. There is much more information available than I can offer :) (Also try a search on the forum, sessions have been covered a lot)
Hth

Re: Securing multiple pages

Posted: Fri Jan 21, 2011 12:19 pm
by shehan31
Hi social;
I have tried something but it gives me a notice.
Notice: Undefined index: lia in C:\wamp\www\guestbook\test_session.php on line 3

First of all I have created an authentication page which has a session variable called $user.

Code: Select all

<?php

$connect = mysql_connect("localhost", "root", "") or die("error");
mysql_select_db("guestbook") or die("Error Connecting With The Database");

if (isset($_POST['Login'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    // Escape the form values before they go into the SQL string
    $sql = mysql_query("SELECT * FROM login WHERE user='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($password) . "'") or die(" error with table");
    //the session starts from here.
    session_start();
    $nr = mysql_num_rows($sql);
    if ($nr == 0) {
        echo "you are not authorized";
    } else {
        $info = mysql_fetch_array($sql);
        // Set the session value only after the login has been verified
        $_SESSION['lia'] = "$username";
        echo "<a href='test_session.php'>go to home page</a>";
    }
}
echo "
 <div id='second_table' style='float: left; width: 800px; position:absolute; top:250px; right:300px'>

 <form action='useradd.php' method='post'>
  <table>
   <tr>
        <td>
         <font size='5' face='times new roman'>Username</font>
        </td>
        <td>
        <input type='text' name='username' maxlength='200'>
        </td>
   </tr>
   <tr>
        <td><br><br>
         <font size='5' face='times new roman'>Password</font>
        </td>
        <td>
        <input type='password' name='password' maxlength='200'>
        </td>
   </tr>
   <tr>
       <td align='center' valign='top' colspan='2'>
        <input type='submit' name='Login' value='Login'>
       </td>
   </tr>
  </table>
 </form>
 </div>";
?>

If the login is a success then it will redirect you via a link to a page which contains the system. It also has a session with a variable which was defined earlier in the auth page. It works if I try to access the page from the web page's address bar but with a notice.

Code: Select all

<?php
session_start();
$name = $_SESSION['lia'];

if (!$name || $name == '') {
    die("<a href='useradd.php'> you must log in </a>");
}

echo "you have accessed the page";
session_destroy();
?>

Re: Securing multiple pages

Posted: Sat Jan 22, 2011 12:46 am
by social_experiment
When you work with sessions, you must always call session_start() to initialize the session.
shehan31 wrote: bar but with a notice.
Which notice do you get?

Re: Securing multiple pages

Posted: Sat Jan 22, 2011 3:09 am
by shehan31
Hi social;
Thank you for the reply. Yes, I have opened a session in both scripts and it was there.
The notice that I get is:
Notice: Undefined index: lia in C:\wamp\www\guestbook\test_session.php on line 3.
As I expected, it cannot be accessed via the address bar of the browser without logging in, but the notice is the worry.
Regards
Shehan31
social_experiment wrote: When you work with sessions, you must always call session_start() to initialize the session.
shehan31 wrote: bar but with a notice.
Which notice do you get?

Re: Securing multiple pages

Posted: Sat Jan 22, 2011 4:31 am
by social_experiment
I'm referring to this page, does this have session_start()?

Code: Select all

<?php
session_start();
//add session start
$connect = mysql_connect("localhost", "root", "") or die("error");
mysql_select_db("guestbook") or die("Error Connecting With The Database");

if (isset($_POST['Login'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    // Escape the form values before they go into the SQL string
    $sql = mysql_query("SELECT * FROM login WHERE user='" . mysql_real_escape_string($username) . "' AND password='" . mysql_real_escape_string($password) . "'") or die(" error with table");
    $nr = mysql_num_rows($sql);
    if ($nr == 0) {
        echo "you are not authorized";
    } else {
        $info = mysql_fetch_array($sql);
        // Set the session value only after the login has been verified
        $_SESSION['lia'] = "$username";
        echo "<a href='test_session.php'>go to home page</a>";
    }
}
echo "
 <div id='second_table' style='float: left; width: 800px; position:absolute; top:250px; right:300px'>

 <form action='useradd.php' method='post'>
  <table>
   <tr>
        <td>
         <font size='5' face='times new roman'>Username</font>
        </td>
        <td>
        <input type='text' name='username' maxlength='200'>
        </td>
   </tr>
   <tr>
        <td><br><br>
         <font size='5' face='times new roman'>Password</font>
        </td>
        <td>
        <input type='password' name='password' maxlength='200'>
        </td>
   </tr>
   <tr>
       <td align='center' valign='top' colspan='2'>
        <input type='submit' name='Login' value='Login'>
       </td>
   </tr>
  </table>
 </form>
 </div>";
?>

Re: Securing multiple pages

Posted: Sat Jan 22, 2011 9:12 am
by shehan31
Hi social_experiment;
Yes it has, but it is somewhere in the middle with a comment. Does it make any sense?
Regards
Shehan31


Re: Securing multiple pages

Posted: Sat Jan 22, 2011 11:06 am
by social_experiment
Move it to the top of the page and see what happens; this is from the PHP manual:
PHP Manual wrote:If you are using cookie-based sessions, you must call session_start() before anything is outputted to the browser.

Re: Securing multiple pages

Posted: Sun Jan 23, 2011 7:34 am
by shehan31
It doesn't work either. Same result with a notice.
social_experiment wrote: Move it to the top of the page and see what happens; this is from the PHP manual:
PHP Manual wrote:If you are using cookie-based sessions, you must call session_start() before anything is outputted to the browser.

Re: Securing multiple pages

Posted: Tue Jan 25, 2011 2:26 am
by shehan31
Does anyone know what this notice is and how to eliminate it?
shehan31 wrote: It doesn't work either. Same result with a notice.
social_experiment wrote: Move it to the top of the page and see what happens; this is from the PHP manual:
PHP Manual wrote:If you are using cookie-based sessions, you must call session_start() before anything is outputted to the browser.
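
An added example, not part of any post in this thread: the 'auth' include and the login step described above, written so that the session value is set only after a verified login and is read only after an isset() check, which is what avoids "Notice: Undefined index: lia". The function names attempt_login() and require_login(), the in-memory SQLite database standing in for the thread's MySQL `login` table, and the use of password hashes instead of the thread's plain-text password column are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. attempt_login() and require_login()
// are hypothetical names; the in-memory SQLite table stands in for the
// thread's MySQL `login` table and stores password hashes (an assumption).

function attempt_login(PDO $db, string $username, string $password): bool
{
    // Prepared statement: the form values never become part of the SQL text.
    $stmt = $db->prepare('SELECT user, password FROM login WHERE user = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                 // failed login: session left untouched
    }
    session_regenerate_id(true);      // fresh session id once the user is known
    $_SESSION['lia'] = $row['user'];  // set only after verification
    return true;
}

// The 'auth' check, to be called at the top of every protected page.
function require_login(string $loginPage = 'useradd.php'): string
{
    // isset() comes first: reading a key that was never set is what raises
    // "Notice: Undefined index: lia" for a visitor who has not logged in.
    if (!isset($_SESSION['lia']) || trim($_SESSION['lia']) === '') {
        header('Location: ' . $loginPage);
        exit();
    }
    return $_SESSION['lia'];
}

// Constructed demo data so the block runs without the thread's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (user TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO login VALUES (?, ?)')
   ->execute(['demo', password_hash('demo-pass', PASSWORD_DEFAULT)]);

session_start();                      // before any output, as the manual says
$rejected = attempt_login($db, 'demo', 'wrong-pass');
$accepted = attempt_login($db, 'demo', 'demo-pass');
var_dump($rejected, $accepted);
echo require_login(), PHP_EOL;
```

On a real site the two functions would live in one included file: the login page calls attempt_login() when the form is posted, and each protected page calls require_login() before producing any output.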