Quick Question

Anon

Hi guys...I saw this on the board before but i can't seem to find that post anymore. I have this user authenticatication feature on my website i'm using sessions and they "seem" to be working fine. But my question is that how i do pervent a user to just typing in the url of the page that i only want them to see after they have logged in. This is the code that i am currently using, but it doesn't work.
if (!start_session())
{
printf("You are an idiot for trying to get to a protected site without logging in!");
}
else
{
register the session variables again!
}

but that doesn't work 🙁
any suggestions!!!

thank you

Anon

There are several different ways you can do this. One is to assign the user a session ID as they log in. The session can be stored as an expiring cookie or in a database with a time stamp. Just check to see that the SID hasn't "expired" at the top of each page.

if (isThisSIDValid($SID))
{
.. page content goes here ..
}
else
{
.. "you need to login" message ..

}

its a good idea to check if isset($SID) and !empty($SID)

Anon

Do i have to explicitly set SID? I thought when a session was started that an id was already created....but I’m new to php so I’m not totally sure about that

Anon

PHP's session might be useful, but i'm not very familiar with it. I prefer to create my own as I have more control over it.

On the log in page, after you've verified user name and or password etc. give them a new SID:

$SID = md5 (unique (rand()));

Store the new SID in a database or in a cookie so you can determine if the SID is valid. Also, place the $SID in a hidden form field on each page.

Good luck.

Anon

Thank you much big guy it is now working. 🙂