Checking if they have logged in

StevenCarlisle

Hi all,

I've set up a membership system, everything is ok with the sign up process and storing information and sending emails,even the login.

My question is how do i protect the page that they log into?

do i session_start and then check the password and username vars

I have all the ifnormation stored on the user alrady, so i think i just need to check the usernames and passwords have been filled in??

The problem is i dont know how to stop them fro just typing in the url of the page im trying to protect.
If anyone can explain how i check to see if they have logged in it would be great.

kind regards

dnast

Yes, if you're setting those session variables at login, then you just check them before displaying anything on the page. If they aren't logged in, echo a friendly "Please log in" message and make sure you use [man]exit[/man] to be on the safe side.

StevenCarlisle

Thanks
i though thats all i needed to do, so i check to see if the registered vars have been filled in.I really dont know how to go about it could you give quick example on how to check those registerd vars please.

Kind regards

rachel2004

... or, to be a tad more useful, use the header() funtion to redirect the visitor to the login or registration page.

To check for a registered session:

if (!isset($_SESSION['username']))
{
    // redirect user with header() or exit()
}
else
{
    $msg = "Welcome back, ".$_SESSION['username']."!";
}
echo $msg;

StevenCarlisle

Thanks alot for helping out guys, now i'll try play around to see if i can get it to work.

Thanks again

StevenCarlisle

Hi rahcel, this what i used on the page a user logs into.

but its stopping them from just typing in the url without loggin in.

could you please help me out with this?

<?
session_start();
include 'db.php';
if (!isset($SESSION['username']))
{
exit();
}
echo "Welcome ". $SESSION['first_name'] ." ". $_SESSION['last_name'] ."!;
?>

rachel2004

On the login page, you wouldn't want that check in the posted code because what it's doing is checking if a user is logged in. So, on the "login" page, we assume that a user is not logged in and we wouldn't want to check that he is logged in with our check.

With that said, on your login page, don't use the code snippet I gave you, but it's still okay to do session_start();

So the code I gave you is to be used elsewhere in your site where you want to check if a user is logged in.

On the login page, though, you wouldn't want to use that code. Instead the following would be okay:

<?php
session_start();
// rest of your page for the login form
?>

StevenCarlisle

thanks rahcel, i understand that part, i actually had it all set up.

i dont think i was clear enough.
Im trying to stop them from just going into the page after logging in without actually loggin in.

so how can i stop a user if they try and bypass the logging step and go directly into the member page?
the code snippet you gave bfore didn't work so could you help out please

Kind regards

rachel2004

into the page after logging in without actually loggin in

The statement sounds contradictory, so I am confused on what you mean... maybe post your code so I can look at it, but I'm shutting down in a minute, so I'll look at it while I'm at work.

To be more specific with my previous snippet: on your protected pages, something similar to this should appear near the top:

if (!isset($_SESSION['username']))
{
    $login_page = "http://www.domain.com/login.php";
    header('Location: '.$login_page);
}
else
{
    $msg = "Welcome back, ".$_SESSION['username']."!";
}
echo $msg;

If that isn't working, then I'll need to see your code to double check what you've done. Please use the color highlighting instead of posting in black and white and limit the code to relevant content. Also, specify which version of PHP you are using.