[RESOLVED] Login not safe enough

tams

Hello everyone,
So I have a login page where users can login which then takes them to the next page, the problem is that anyone can go to the next page without logging in by just typing in the next page's link. I realize that it is not very secure but I don't want them to login in each page so any ideas on how to fix this security issue?

Thank you.

paulnaj

Use sessions, here's a forum thread that'll help.

D_tunisia

You can use sessions and a simple IF statement to check whether the user is logged in or not. If the are not redirect them to the login page.

tams

So I am using sessions now. But when I try to go from one page to another I get the following error message

Warning: Cannot modify header information - headers already sent by (output started at /usr/local/httpd/htdocs/personal_data.php:63) in /usr/local/httpd/htdocs/retrieve.php on line 454

Here is the login code

<?php

/* Program: Login.php

 * Desc:    Login program for the Database.  

 */
 session_start();

 include("long.inc");                                  

 switch (@$_POST['do'])                                

 {

   case "login":                                       

     $cxn = mysqli_connect($host, $user,$passwd,$dbname) 

    or die ("Couldn't connect to server.");    



 $sql = "SELECT loginName FROM Member 

         WHERE loginName='$_POST[fusername]'";     

 $result = mysqli_query($cxn,$sql)

           or die("Couldn't execute query.");      

 $num = mysqli_num_rows($result);                  

 if ($num > 0)  // login name was found            

 {

    $sql = "SELECT password FROM Member 

            WHERE loginName='$_POST[fusername]'

            AND password='$_POST[fpassword]'";

    $result2 = mysqli_query($cxn,$sql)

               or die("Couldn't execute query 2.");

    $num2 = mysqli_num_rows($result2);

    if ($num2 > 0)  // password is correct         

    {

       $_SESSION['auth'] = "yes";
   $logname = $_POST['fusername'];
   $_SESSION['logname'] = $logname;

       header("Location: personal_data.php");        

    }

    else    // password is not correct             

    {

       $message="The Login Name or Password you have not entered is not 

                 correct! Please try again.<br>";

       include("login_form.inc");                  

    } 

 }                                                 

 elseif ($num == 0)  // login name not found       

 {   

    $message = "The Login Name or Password you have not entered is not 

                 correct! Please try again.<br>";

    include("login_form.inc");

 }

   break;                                              






default:                                          

    include("login_form.inc");

  }

?>

I can go from login to the next page but I can't go from there to any other page.
Here is some code fo the next page

<?php
session_start();
if (@$_SESSION['auth'] != "yes")
{	
	header("Location: login.php");
	exit();
}else{

/* Program: personal_data.php*/

include("long.inc"); 


$cxn = mysqli_connect($host, $user,$passwd,$dbname) or die ("Couldn't connect to server.");
if($_POST['retrieve']== "Retrieve Expat Info")
	{

	header("Location: retrieve.php");
	exit();
}

And here is the logout code

elseif($_POST['logout']== "Logout")
	{
		session_destroy();
		unset($_SESSION);	

}

Help is greatly appreciated.

Thank you in advance