protecting pages from guests ROUND 2

phence

How can I give authorization to users after a successful login?

This post goes along with my previous post protecting pages from guests.

In My original post I needed to protect certian pages of my site from guests. Well now thanks to "stezz" and "trooper", i can now protect certian pages from guests.

Now the problem is: when a user logs in successfully, I need to grant that user authorization to the protected pages.

I protect the protected pages by:
1) placing a header file (header.inc) at the top of all my html pages, which is shown below.
2) placing

 <?php $secure = 1; ?>

at the top of the pages i want to protect.

header.inc

<?php
	// First things first, Start the session!
	session_start();
?>

<html>
<head>
<title>Welcome! This is the Header</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>

<?php
if(!session_is_registered("ID") && $secure) {
	?>
	<form method="POST" action="login.php">
	<font color="#FF0000" size="4">You Must be Logged in to access this page! </font>
	<table>
	<tr>
    <td>Enter your username:</td>
    <td><input type="text" size=15 maxlength=30 name="loginUsername"></td>
	</tr>     

	<tr><td>Enter your password:</td>
    <td><input type="password" size=15 maxlength=8 name="loginPassword"></td>
	</tr>
	<tr>
    <td><input type="submit" value="Log in"></td>
	</tr>
	</table>

</form>
<font color="#000000" size="2"><a href="join.php">Click here to Register Free!</a></font> 
<?php
	exit;
}
?>

Now how should i grant authorization to users that have successfully logged in?

The login script that i am using can be found in my
previous post

I would greatly appreciate any help!
Thank-you!

phence

can anyone help? have any ideas?

Weedpacket

First, a quick performance tip; check the value of $secure before the session variable.

Second, instead of session_is_registered('ID'), check isset($SESSION['ID']). Generally, use the $SESSION array instead of session_register() and session_is_registered(). And mixing them will certainly cause problems.

Third, and to actually point you in the direction of an answer to your question:

Consider the session variables you've. Consider their values. Now, if someone succesfully logs in with your script, what would the values of those session variables be? And if someone tries to get to your page without logging in, what would the values of those variables be then? Would they even exist? What tests on the variables can you do to determine which situation is the case?

stezz

if..

if(!session_is_registered("ID") && $secure)

returns true.. then a form prints out..

Make the action of that form point to an login.php (or something).. a file which will handle the login. Also, put a hidden input in the form that holds the file path to the page the user is attempting to use. You can determine the file path by using the getenv() function.

In the login file, make a query to the DB to determine validation of the user and pass.. if it's true.. register the session.. when the session is registered, use META tags to auto refresh to the value of $last_page.

Then when the..

if(!session_is_registered("ID") && $secure)

.. test is preformed again.. it will retuen false because there will be a valid session registered and therefore.. the page will be displayed.

Hope Iv'e helped!

Regards, Stezz.