Hi all,

I've been using .htaccess and those little gray login boxes to password-protect the member section of my site for years now. The biggest downside is that, to keep the flow the way I want... I need to practically keep two versions of the site posted, one in the protected "members" directory, and one in the root folder. (That and the fact that I have to keep all my links relative because if folks log in to "http://rimea.org" and then click a link that reads "http://www.rimea.org" it would prompt them to log in again... ugh.)

I am most definitely a PHP novice... but I'd wanted to play around with using PHP to create sessions and then simply add a tag to the top of each "protected" page to check and see if the user is currently logged in.

Following a tutorial I found online... I can check usernames and password against a table in a MySQL database. Works great. I can now add this header on any particular page to check to see if the user has logged in:

<?php
session_start();

// is the one accessing this page logged in or not?
if (!isset($_SESSION['db_is_logged_in'])
   || $_SESSION['db_is_logged_in'] !== true) {
print "Logged In!";
   // not logged in, move to login page
   header('Location: login.php');
   exit;
}

?>

So far it works fine... but I was wondering if, using the same logic, I could display {print} a simple bit of text on each page telling the user if he/she is currently logged in or not. In other words, on every page of the site, whether the page is "member-protected" or not... is there something I can use that would display something like "You are logged in" or "You are not logged in"?

Thanks for reading.

~Wayne

    I have these secure pages I have designed.
    They use something called PHP "page protection".
    If you search on Google, you can read more about this technique.

    You can also see a demo of my Page Protection Authentication script.
    This is how it works:

    <?php include ( 'pagesecurity.php' ); ?>
    // here is contents of protected page
    // can be HTML or PHP
    <?php
    echo 'Hello my Friend';
    echo 'You are now logged in';
    
    ?>

    So, in every page you like to protect,
    you include this check for login, with a login form,
    if the user is not in SESSION.
    When the user has logged in, the rest of the page is shown,
    and of course shown directly to anyone logged in.

    http://213.100.118.115/secure/
    for halojoy page protection DEMO
    Scriptname: Secure

    /halojoy

      You almost have the logic there yourself, just an extra { else }. If you want to print a message if they're not logged in, you would need to replace the redirect with your message. Either that or just print the message on the login page.

      <?php
      session_start();
      if (!isset($_SESSION['db_is_logged_in']) || $_SESSION['db_is_logged_in'] !== true) {
          header('Location: login.php');
          exit;
      } else {
          echo 'you are logged in';
      }
      ?>
      

        😃
        Thank you very much... I'm in good shape now... but I just noticed one thing.

        If you login and access my protected "test" page:
        http://rimea.org/main.php

        And then pull up the same URL using:
        http://www.rimea.org/main.php

        You are prompted to login once again... this was my main reason to abandon .htaccess in the first place.

        Any thoughts?

        Here is what I'm using for the login page:

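        <?php
        // we must never forget to start the session
        session_start();

        // mysqli replaces the removed mysql_* extension
        $db = mysqli_connect('localhost', 'username', 'password', 'members')
            or die('Connection failed. ' . mysqli_connect_error());

        $errorMessage = '';
        if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {

            $userId   = $_POST['txtUserId'];
            $password = $_POST['txtPassword'];

            // check if the user id and password combination exist in database;
            // the ? placeholders keep the posted values out of the SQL text,
            // so they cannot change the query (no SQL injection)
            // note: PASSWORD() was removed in MySQL 8.0
            $sql = "SELECT user_id
                    FROM tbl_auth_user
                    WHERE user_id = ? AND user_password = PASSWORD(?)";

            $stmt = mysqli_prepare($db, $sql) or die('Query failed. ' . mysqli_error($db));
            mysqli_stmt_bind_param($stmt, 'ss', $userId, $password);
            mysqli_stmt_execute($stmt) or die('Query failed. ' . mysqli_stmt_error($stmt));
            mysqli_stmt_store_result($stmt);

            if (mysqli_stmt_num_rows($stmt) == 1) {
                // the user id and password match:
                // issue a fresh session id (prevents session fixation)
                // and set the session
                session_regenerate_id(true);
                $_SESSION['db_is_logged_in'] = true;

                // after login we move to the main page
                header('Location: main.php');
                exit;
            } else {
                $errorMessage = 'Sorry, wrong user id / password';
            }

        }
        ?>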
        

        Thanks yet again,

        ~Wayne

          Interesting, you're dealing with a session issue too - my latest post is also a session issue (although I'm using custom headers to record my info to the db and my problem is I'm throwing an error even though I'm still recording the session info) but since I'm new to this too I don't know if I can help you much, but it occurred to me ... don't you have to configure htaccess in order to get it to prompt for access info? Is it possible that your sessions are being authenticated but because htaccess is still configured it is also looking for authentication? In effect causing a double authentication on your website?

            Hi there. I had the problem with the www and non www session thing ages ago. It's because of cookies. You need to set the domain with session_set_cookie_params and have the domain as .your.domain.com with the dot in front, that lets it be used with or without the www

              Thanks for the replies. I don't think it's the .htaccess conflicting... the page I'm test-protecting isn't even in a .htaccess-protected directory.

              It's because of cookies. You need to set the domain with session_set_cookie_params and have the domain as .your.domain.com

              This makes sense. Is it as simple as adding a line of code to the 'session start' part of the code? I followed that link and read a bit... but was unable to figure out exactly what to add to my existing script.

              Thanks.

              ~Wayne

                Before session_start() put

                session_set_cookie_params (0, '/', '.rimea.org');

                Now the same cookie will serve both. I've left the lifetime at zero, but tweak it if you ever need to.
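
The two answers above (the logged-in message and the cookie domain) combined into one include file, as an added example that is not part of the original thread. The file name `auth.php` and the functions `is_logged_in()`, `require_login()` and `login_status()` are hypothetical; the array form of `session_set_cookie_params()` needs PHP 7.3 or later, and the `secure` flag assumes the site is served over HTTPS.

```php
<?php
// auth.php (hypothetical include): require it at the top of every page,
// before any output is sent.

// Cookie scope must be set before session_start(). With Domain=.rimea.org
// the browser sends the session cookie to rimea.org AND to every subdomain
// (www.rimea.org included); without a domain the cookie is host-only,
// which is why the www and non-www hosts each asked for a login.
session_set_cookie_params([
    'lifetime' => 0,            // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '.rimea.org',
    'secure'   => true,         // assumption: HTTPS; set false on a plain-HTTP site
    'httponly' => true,         // cookie is not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// True only when the login script has set the flag to boolean true.
function is_logged_in(): bool
{
    return isset($_SESSION['db_is_logged_in'])
        && $_SESSION['db_is_logged_in'] === true;
}

// For member-only pages: send visitors without a session to the login form.
function require_login(string $loginPage = 'login.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $loginPage);
        exit;
    }
}

// For any page, protected or public: a status line that never redirects.
function login_status(): string
{
    return is_logged_in() ? 'You are logged in' : 'You are not logged in';
}
```

A public page only needs `echo login_status();`, while a member page calls `require_login();` first. Because the cookie is shared with every subdomain, any other host under rimea.org also receives the session id.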

                  THANK YOU!

                  Funny though... it works beautifully in IE, but after a successful login, changing the base URL from "rimea.org" to "www.rimea.org" with Firefox causes the session to fail. It now appears logged out with either URL... it appears that doing it the opposite way (removing the 'www') works fine.

                  Chalk it up to a browser bug?

                  Thank you for helping!

                  ~Wayne

                    I logged in, changed domains and was still logged in using Firefox 1.04 and IE, maybe some other freakiness abounds.

                    Mark the thread resolved if it's time to stick a fork in it.
