php|mySQL login...redirection issue

Azazeal

Hi folks.
I need a little assistance with a login page that uses a mySQL database which stores a username and userid.
The concept, which works completely right now, is to present the user with a login page. The ID and username are predetermined by me. The mySQL database also contains a column labeled,'logged', with values of '0' and '1'. '0' represents the user hasnt logged in and '1' means they have. By default the value is '0' and when the user succesfully logs on, it is SET to '1'.
After a succesful login, the user is then redirected to hidden survey (HTML) and can't login again, because of the logged value. Of course the php login has verification of this.
To get to the issue, when the user is redirected, obviously the URL changes and is exposed to the user. The direct issue, is that the user can write this URL down and type it directly in the address, and bypass the login.
I have thought of how to resolve this for a few days, and need a few ideas.
I thought of having a verification on the survey page, but it has no values to verify, as far as username and ID.
I though cookies might work, but not entirely fool proof.
Thanks for any assistance.
~Az

volleytotal_ch

why don't you use sessions?
if you want a simple php code, try the following one:
(i use this code, which works perfectly for my page)

  $user_referer = $HTTP_REFERER;
  $allowed_referer = "http://www.yourpage.com/the/path/to/script/";
  $ref_l = strlen($allowed_referer);
  $short_ref = substr($user_referer,0,$ref_l);

  if( !( strcmp($short_ref,$allowed_referer)==0) )
  {
    // USER typed in an URL - set $user_id = false or something
  }

notionlogic

One problem with your code that I've certainly experienced is that the HTTP_REFERER variable does not always get set... I believe it depends on the browser sending the correct information but I'm not absolutely certain.

Azazeal

Thx...will try it out.

trooper

Why not do the following

When the user has been authenticated set a cookie that has an expiry time of 0 (when the browser is closed)

Then on your secret survey pages simply put in a check for the variable logged in being 1 and the cookie being valid

so something like this

if($_COOKE["cookie_name"] && $logged_in =="1")
{
show survey page

}else{
redirect back to the login page
}

Then when the user has completed the survey then you could simply delete the cookie that you set.

press711

as advised use sessions , you can use sessions with or without cookies dependiing on your preferences. Just go to google.com and search for tutorials on login

Once you are using sessions then you can use something similar to:

function isMember() {
//global $SESSION;
return ((isset($SESSION["USERNAME"])) or ($SESSION["USERNAME"] == "guest") or ($SESSION['USERID'] == 0));
}

then just call the function isMember at the top of any file e.g.
if(!(isMember()))
{
header('Location: home.php?error=badlogin');
}

If you decide to stick your db instead of sessions. Then :

Instead of

return ((isset($SESSION["USERNAME"])) or ($SESSION["USERNAME"] == "guest") or ($_SESSION['USERID'] == 0));
use a database connection to find out what the value of 'logged' is and return the value off logged.

Note : MAKE SURE YOU STORE AT WHAT TIME YOUR USER LAST LOGGED IN AND EXPIRE IT AFTER SOMETIME YOU DONT WANT YOUR USER TO BE LOGGED IN FOREVER

Azazeal

Thanks for the help.
I went with the session idea. I needed to first read about it..heh heh..then implement it in the code.
The entire process now works.
Basically, I start a session upon loading the login page. (obvious)
Then if they successfully log in, I register the username in the session. Upon redirection, I just check for the registered username existence, if it does, display the survey, if not, redirect to login.

I destroy the session on each failed attempt and after the survey is displayed.

Thanks again...great help.
~az

press711

Welcome..... Just remember to extend your hand to others below you.