[Resolved] Login System Question

Radon3k

Well my login system works just fine, so that's not the problem. When a user types his/her user name and password and submits it, and if it's correct, they will be re-directed to another page. The problem with this is that anybody can just go to that page and bypass the login system, therefore making it pointless. Aside from .htaccess is there a way to prevent this? Thanks. 🙂

jimson

cookie and session...
should be used for site that don't want to use .htaccess

rpanning

You could make sure that they came from the login page by checking the referer variable. Put this at the top of the second page and change the $login_page. This will forward them to the login page if they didn't come from there. Also note that you need the FULL URL in the $login_page variable.

<?php
$login_page = 'http://www.domain.com/login.php';
if ($_SERVER['HTTP_REFERER'] != $login_page) {
    header("Location: $login_page\n");
} else {
  // continue as normal
}
?>

Radon3k

What does HTTP_REFERER do?. I've been looking into using sessions as well but I haven't figured out how to integrate them.

rpanning

It is the URL in which the user has just came from. Ex: a user is at test1.html and then they click a link to test2.html. The HTTP_REFERER is test1.html because that's where they came from. I've also just looked at the php.net docs, here, and they say it can't be trused all that much. So, depending on how you have your login system set up there is another way I do this kind of varification.

Take a look at my post here. On the first page a variable is set to true and then the second page checks to see if the variable is set to true. If not, the script is exited with an error message displayed. You could replace the exit function with the header one above. I don't know if this way will work with your system though. Hope this helps!

Radon3k

I think I'll just use sessions, once I learn how.

jimson

remember not to use only HTTP_REFERER to protect your page because people can modify it if they want.

ganeshcp

If you want a login system...obviously u have to use cookies 😛 I learnt it a few days back by reading this tutorial
here
😃 Hope that helps.

Radon3k

But that doesn't solve my problem (or does it?) or having people bypass the login page.

ganeshcp

Hi,
I am also developing something alike and managed to do it with the help of this article http://www.evolt.org/article/Creating_a_Login_Script_with_PHP_4/17/19661/

In your protected page you can include the login file....the login file checks for an active session. if there is no session, it asks the user to login.
G

thessoro

you can try the following.
Once you had checked that $username and $password are correct, register $username:

session_register ('username');
(remember to write session_start() at the beginning of the script)

Then, all the protected pages should have this lines:
<?
if (session_is_registered ('username')) :
?>

 --The entire page html or php stuff

<?
endif;
?>
You can also add an "else" instruction with what must be done in case the user is not logged in.
when the user logs out, you can use session_destroy();

Radon3k

I'll definitely use the session_is_registered("username");. Thanks for that. I did manage to get it working along with the sessions so now I'll just be adding to it. Thanks for the help! 🙂