Admin pages at web site with restricted access

Hi,

I have designed an admin login page. Once the user enters their username and password they then go from login.php to admin.php.

The code I am using to prevent people without a username and password to access admin.php is:


<?php
session_start(); // Start the session
if (!session_is_registered("admin")) { // If session not registered
    header("Location: login.php"); // Redirect to login.php page
    exit; // Stop here, otherwise the rest of the page is still sent after the redirect header
} else { // Continue to current page
    define('ADMIN', $_SESSION['name']); // Get the user name from the previously registered super global variable
    header('Content-Type: text/html; charset=utf-8');
}
?>

So if they came to the admin.php page without a username and password it goes to the login page instead.

I now intend to design another page in the admin part of the web site called "add content". How do I prevent access without a password to further pages like this add content page?

In my code on the admin page I am using "Start Session". I do not think it is wise to start sessions for every page… if the user has entered their username and password and been approved on the Admin.php page via the "start session" code above, then how should they access further web pages in the admin part of the site?

Furthermore, how do I provide limited access? So they can access “Add Content” pages but not “Processed Transactions” pages?

Maybe I need more code on my admin page to establish what they can and cannot do? Or is it just a case of adding code at the beginning of each page, like the code above?!

Matt.

session_is_registered is deprecated.

Normally what is done is when the username and password match what is in the database, a session variable is set to show the user is legitimate.

$legitUser = 'qwerty';

Then on every page where the user must be logged in to see the content, you first check for the existence of the session variable.

<?php
session_start();
// The key must match the one set at login ('legitUser'); a quoted '$legitUser' would be a different, literal key
if(!isset($_SESSION['legitUser']) || $_SESSION['legitUser'] != 'qwerty') {
     echo '<h1>You are not an authorised user</h1>';
     //maybe redirect to login page
     die();
}
?>

To restrict what users can do, you could assign access levels (integers) to users when they are created and then at the top of each page check the user’s access level before allowing them to perform a task.

I roughly understand you apart from two issues.

  1. How do I define $legitUser = 'qwerty';? Do I need a list of the legit users somewhere? Like this:

$legitUser = 'user1';
$legitUser = 'user2';
$legitUser = 'user3';
$legitUser = 'user4';

Can you explain how it is done a bit more please?

  2. I notice in your code you have used $_SESSION['$legitUser'] != 'qwerty'). This code has the user's name in the coding! Do you suggest I start a session individually for each user?

<?php
session_start();
if(!isset($_SESSION['legitUser']) || $_SESSION['legitUser'] != 'anotheruser') {
echo '<h1>You are not an authorised user</h1>';
//maybe redirect to login page
die();
}
?>

Above I have coded it for username: anotheruser

Again, can you explain with a bit more detail, please.

Thanks,

Matt.

OK, let me try to make it a little clearer.

  1. I assume you have a login page where a user enters a username and password.

  2. When the user clicks the "login" button, the username and password are sent to a server-side script - for example validateUser.php

  3. validateUser.php runs a query on the database to check if the username and password exist. If the username and password exist then validateUser.php creates a session variable which can be called anything you like and have any value you like. In my example I set

$_SESSION['legitUser'] = 'qwerty';

(I just noticed I didn’t set the session variable correctly in my previous post - sorry :frowning: )

  4. Therefore, $_SESSION['legitUser'] will exist only if the user has logged in successfully with a correct username/password.

  5. Then on every page where the user must be logged in, at the top of the page you continue the session and first check if the user is logged in. If the user is logged in then $_SESSION['legitUser'] will equal 'qwerty'. If the user is not logged in, the session variable will not exist.

<?php
session_start();
// Same key as the one set in validateUser.php: $_SESSION['legitUser']
if(!isset($_SESSION['legitUser']) || $_SESSION['legitUser'] != 'qwerty') {
     echo '<h1>You are not an authorised user</h1>';
     //maybe redirect to login page
     die();
}
?>

Step 5 checks if the user is logged in or not at the top of every page before displaying the rest of the page if the user is logged in. If they are not logged in, the “You are not an authorised user” message is displayed and the script terminates.

You don’t need to store the user’s username in a session variable unless you want to actually display it somewhere like “Welcome user1”.

OK but I still don't understand the username qwerty. If we write in the code the bit of code you have:

$_SESSION['$legitUser'] != 'qwerty')

then if the username is, say, username1 then it is not qwerty and the user will not be allowed to view the page!

Am I missing something?

Matt.

Unfortunately yes :slight_smile:

‘qwerty’ is not a username. It is just a random value given to a session variable if the username/password entered by the user are correct.

For example, in validateUser.php you could have something like this

<?php
session_start();

$username = $_POST['txtUsername'];  //user name entered by the user in the login form

$password = $_POST['txtPassword']; //password entered in the login form.

// The input is concatenated straight into the SQL text and the password is compared in plaintext;
// this is the deliberately simplified version the author describes below, not a finished login script.
$query = 'select * from tblUsers where fldUsername = "'.$username.'" and fldPassword = "'.$password.'"';
$rs = mysql_query($query,$conn); // $conn is assumed to be a mysql_connect() link opened earlier
if(mysql_num_rows($rs) == 1) { //username/password exist in the database
     $_SESSION['legitUser'] = 'qwerty';
     // redirect to user's home page
} else { //incorrect username/password entered
     //redirect back to login page
}
?>

The above is very simplified and doesn’t include any data validation/sanitisation which must also be done, but I’m keeping it simple for now.

So you can see in the above code that $_SESSION['legitUser'] will be created only if the user enters a correct username/password. So at the top of every page where the user must be logged in to view it, you first check if $_SESSION['legitUser'] exists as shown earlier.
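As an added example (not code from anyone in this thread), here is what the validateUser.php pattern above looks like with the validation the reply says is still missing: a prepared statement instead of string concatenation, a password hash instead of a plaintext column, a fresh session id on login, and the username plus a numeric role stored in the session instead of the fixed 'qwerty' flag. It assumes a PDO connection in `$pdo` and a `tblUsers` table with `fldUsername`, `fldPasswordHash` (output of `password_hash()`) and integer `fldRole` columns; these names are assumptions.

```php
<?php
// validateUser.php (added example). Assumes $pdo is an open PDO connection and
// tblUsers has fldUsername, fldPasswordHash (password_hash() output), fldRole.
session_start();

$username = $_POST['txtUsername'] ?? '';
$password = $_POST['txtPassword'] ?? '';

// Parameterised query: the submitted value is bound as data, never spliced
// into the SQL text, so quotes or "OR 1=1" in it are compared as literal characters.
$stmt = $pdo->prepare(
    'SELECT fldUsername, fldPasswordHash, fldRole FROM tblUsers WHERE fldUsername = :u'
);
$stmt->execute([':u' => $username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// The password is checked against the stored hash; the database never holds
// the plaintext, so a leaked table does not hand out working passwords.
$ok = $user !== false && password_verify($password, $user['fldPasswordHash']);

if ($ok) {
    // Issue a new session id on login so an id obtained before login is useless.
    session_regenerate_id(true);
    $_SESSION['user'] = $user['fldUsername'];
    $_SESSION['role'] = (int) $user['fldRole']; // assumed: 1 = editor, 2 = admin
    header('Location: admin.php');
    exit; // always stop after a redirect header
}

// One generic failure path: do not reveal whether the username or the password was wrong.
header('Location: login.php?error=1');
exit;
```

The fldRole value stored here is what a per-page access check can compare against; the thread's single 'qwerty' flag only says "logged in", not what the user may do.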

You should set a user level like:

if($username == "John") {
$_SESSION['admin'] = true;
}

but this method is not secure, just an idea to see how it works.

I think it would be easier coding/maintenance wise and more efficient if you set user access levels or roles in the database rather than in the application code itself.

But access levels are related to the 2nd part of the OP's question. He really needs to get the logging in working first without using session_is_registered.
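To tie the two halves of the question together (the per-page check and the access levels stored in the database), here is an added example of a single include that each restricted page requires at the top; it is not code from this thread. It assumes the login script stored `$_SESSION['user']` and an integer `$_SESSION['role']` (1 = editor, 2 = admin), and the page names add_content.php and processed_transactions.php are taken from the OP's description, not from any real project.

```php
<?php
// auth_check.php (added example): require this at the top of every restricted page,
// before any output. Assumes login stored $_SESSION['user'] and integer $_SESSION['role'].

function require_role(int $minRole): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Session cookie is not readable by script and is only sent over HTTPS
        // (drop 'secure' only on a plain-http development box).
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => true,
            'samesite' => 'Lax',
        ]);
        session_start();
    }

    // Not logged in: redirect and stop. Without exit the page body after the
    // include would still be sent to the browser along with the redirect header.
    if (!isset($_SESSION['user'], $_SESSION['role'])) {
        header('Location: login.php');
        exit;
    }

    // Logged in but role too low: deny with 403 rather than bouncing to login,
    // which would loop a valid user back and forth.
    if ((int) $_SESSION['role'] < $minRole) {
        http_response_code(403);
        echo '<h1>You are not authorised to view this page</h1>';
        exit;
    }
}

// Usage (assumed page names from the question):
//   add_content.php:            require 'auth_check.php'; require_role(1); // editors and admins
//   processed_transactions.php: require 'auth_check.php'; require_role(2); // admins only
```

Because the role comes from the database row at login rather than from a username compared in code, adding or demoting a user is a data change, not a code change.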