non members are getting in

Hoangsta

I've looked through a lot of searches for this topic, but I couldn't find any sites that could help me. What I want to do is to be able to allow members to go into member pages and non members from going to them. I've studied sessions and that help to better understand sessions....so far, my session from login.php 


loging.php 



PHP:
--------------------------------------------------------------------------------
 <?php 
session_start(); 
// When you go back, the information is still there...IE 6 Fix. 
header("Cache-control: private"); // IE 6 Fix. 

// Register the input with the value 
$_SESSION['user_name'] = $_POST['user_name']; 

?> 


<P CLASS="bold">LOGIN</P> 
<FORM ACTION="$php_self" METHOD="POST"> 
<P CLASS="bold">Username<BR> 
<INPUT TYPE="TEXT" NAME="user_name" VALUE="" SIZE="10" MAXLENGTH="15"></P> 
<P CLASS="bold">Password<BR> 
<INPUT TYPE="password" NAME="password" VALUE="" SIZE="10" MAXLENGTH="15"></P> 
<P><INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login"></P> 
</FORM> 

//********************************************** 
and my code for the site where people go after they logged in. 

index.php 

<?php  

// start the session 
session_start();  

header("Cache-control: private"); //IE 6 Fix 
?> 

//*********************************************** 


--------------------------------------------------------------------------------



can anyone suggest some sources that I can use to keep nonmembers from member page(s)? or help me with my code to make it work? Right now, anyone can get to my member url to go to my memberpage(s) without logging in.

downsize

somewhere, I am guessin in your index.php, you need to validate the member's login (and if not, kick them back to the login screen.)

paulsbooker

you missed the php tags from around $php_self

<? $php_self; ?>

$SESSION['user_name'] = $POST['user_name'];

if you come to this page from another page you
are going to clear the above session variable

this statement should only be carried out when the form is submitted (and the user authenticated, i guess) so you will need something like

if(isset($_POST['user_name']; )) {

.... authenticate user

$_SESSION['user_name'] = $_POST['user_name'];

}

to keep non members out on subsequent pages you need to
then check that the above $_SESSION is set

kind regards
paul

Hoangsta

there is a page called. login_funcs.php that validate the login process..

it should have been

from login.php

<?php
session_start();
// When you go back, the information is still there...IE 6 Fix.
header("Cache-control: private"); // IE 6 Fix. 

// Register the input with the value 
$_SESSION['user_name'] = $_POST['user_name'];

?>
<?php

/**************************************************
 * Login page.  There are links to this page from *
 * the header on every other page for logged-out  *
 * users only.                                    *
 **************************************************/

require_once('login_funcs.php');

<P CLASS="bold">LOGIN</P>
<FORM ACTION="$php_self" METHOD="POST">
<P CLASS="bold">Username<BR>
<INPUT TYPE="TEXT" NAME="user_name" VALUE="" SIZE="10" MAXLENGTH="15"></P>
<P CLASS="bold">Password<BR>
<INPUT TYPE="password" NAME="password" VALUE="" SIZE="10" MAXLENGTH="15"></P>
<P><INPUT TYPE="SUBMIT" NAME="submit" VALUE="Login"></P>
</FORM>
?>

and from the index.php page

<?php 
// start the session 
session_start(); 
header("Cache-control: private"); //IE 6 Fix 
?>



i don't know how to write one up to validate it.  i know that u guys are giving me some starting point. still, what should i check?

if submit == 1 then 
    echo go to member page
else
    echo not register (show login.php) link.  

that's what i think should happen...

teem

A login script that I wrote which works for me:

Step 1: Authenticate the user

session_start();
if (isset($_POST['username']) {
if($_POST['username'] = $database_username) { // where $registered_username is a username that has been registered and thus is a valid username
$_SESSION['username'] = $_POST['username'];
header("Location: memberpage.php"); // Once authenticated, move the user along to the members-only page
} else {
echo "You did not enter a valid username";
}
} else {
echo "You did not enter a username";
}

I hope that make sense (and since this is the second message I've posted, I also hope that that code is automatically intended, since I don't know how to do it otherwise.

Step 2: Validate the user on other pages.

This is what the members-only pages would look like. I write my page up as usual, but around the entire thing I have:

session_start();
if (isset($_SESSION['username'])) {
// the member-only page goes here
} else {
echo "You are not logged in. To view this page, log in.";
}

So there you go, a person can only view a page if that particular session variable is set, and that session variable can only be set if the user is authenticated by the log in script. A non-member can't simply copy and paste the url or easily fake the session, because there's a session variable there. Also the session variable is useful for when you want to use session_destroy(), because that function gets rid of the session variables, not the session itself (without the session variables set, the visitor can't access member-only pages).

I've never been all that great at explanations, but if you have any questions or if my advice wasn't what you wanted at all, let me know.

Hoangsta

thanks for trying to help me. i enter the code as u said, but i can still copy and paste the url and access the member page. one more thing, my code as i think about it, uses cookies. so i don't think it's gonna work...when u mentioned...

if (isset($_SESSION['user_name'])) { 
// the member-only page goes here 
} else { 
echo "You are not logged in. To view this page, log in."; 
}

the member-only page goes here..are u talking about displaying all my html here and on the bottom of my html goes...

 } else { 
echo "You are not logged in. To view this page, log in."; 
}

teem

It's strange that the code I gave you isn't working, since it works perfectly for me. Perhaps it doesn't work because of cookies. Mine doesn't use cookies, only php sessions. Can I ask, what is the url that you are copying and pasting (I don't care about the url of the script, but you might be passing variables in that url that should be hidden)?

Also, make sure that before you copy and paste the url, you have actually used session_destroy() to kill the session variables. I'm not an expert on how sessions work, but sometimes I find that unless I specifically destroy them, those sessions variables float around even when I'd expect they shouldn't.

As for the 'member-only page goes here' thing, yes, that's what I meant.

I just wrote this small script, which (1) works, and (2) is a demonstration of what I'm talking about in action.

<?
session_start();
error_reporting(E_ALL);
if (isset($action) && $action == "logout") { // Logout
	session_destroy(); 	// Destroys session variables, but not the session. Destroying
							//	the session variables is enough, since the member page won't
							// display without the required session variables set.
	header("Location: test.php");
	exit;
} elseif(isset($action) && $action == "login") { // Login
	$_SESSION['username'] = "example_username"; // Set the required session variable
}
?>
<a href="test.php?action=login">login</a> | <a href="test.php?action=logout">logout</a>
<br><br>
<?
if (isset($_SESSION['username'])) { 	// Validate user. This will return false unless the
											// user has logged in successfully.
	echo "Welcome, members. Enjoy all of this juicy members-only content!";
} else {
	echo "You are not logged in. To view the members-only content, log in";
}
?>

Copy and paste that into a file named test.php and it should work. Obviously in your actual script you wouldn't want to make it that easy to log in, but for this it makes the script easier to understand!