[Resolved] Restricting access to pages... how???

spstieng

After browsing through SEVERAL pages here - I'm kind of more confused now, than before I started!

I need to restrict access to my pages for anyone that is not logged in.

The login works like this:

index.php
The user types in usr name and psw
Info is sent to authentication.php

Authentication.php
The user name is checked against the database.
If exists, info is retrieved, inkluding psw.

If pswd is correct, user name and ID is logged into sessions.
User is forwarded to registrering.php

At the moment i can type in registrering.php directly and the page opens. That is not suppose to happened.

I recon I have to controll if the user is logged in.. somehow.

What is the easiest way to do this?
Can I use .htaccess for this?

bastien

The simple way to do this is to check for a session variable on each page. The convenient way to do this is to write a function in a common page that you can import into every page via an include statement and a function call

In your description you log the username and id

so a simple security function could be

<?
//page - common,.php (holds all common functions to the app)
function security_check()
{
   if (!isset($_SESSION['username'])&&(!isset($_SESSION['id'])){
      header("location:index.php");
   }else{
    $auth = true;
   }
   return $auth;
}
?>

then in each page you include common.php and check the authorization

<?
//registrering.php 
include("common.php");

$auth = security_check();
if ($auth = TRUE){
  //rest of the code for your page

}//end if

?>

spstieng

Merci Bastien
(your name looked kind of french ;-)

I think I'd rather call a access_denied.php page, than to put my code inside the IF statement. e.g. header("location:access_denied.php");

The problem is that the session stores info in clear text someplace on my computer, right? That also means that anyone can access that file and enter some user name and ID.

My guess is that I have to controll the session data against something on the server side, e.g. a table that have info about whos logged in.

That gives me another problem.... how do I know a user is logged out if the user do not click the LOGG OUT button, and the session has yet not expired?

Also, at each page, I have to use session_start, right?
Do I also have to write the sessions time to live?
I think it's session_cache_expire???

bastien

no, session data is stored on the server, only the session cookie is sent to the client..

1. Also, at each page, I have to use session_start, right?
2. Do I also have to write the sessions time to live?
3. I think it's session_cache_expire???

yes
leave the default...(about 20 min)
leave as default

That gives me another problem.... how do I know a user is logged out if the user do not click the LOGG OUT button, and the session has yet not expired?

Thats why its hard to manage uesrs this way...sessions are more managable
The only way is to let the session time out

spstieng

Thanks for the feedback!