restrictedcess

wortmann

I'm trying to restrict access to people who havent logged in.
I have a login page and after wich the user should be redirected to user-pages.
However i do not wish to have the pages directly accessable to the users, they need to login first.

what is the best way to be sure that only after login the pages can be accessed and only then and while they are loged in.

bradgrafelman

What do you do when a user is successfully "logged in" in regards to identifying that user in subsequent requests? Do you set a cookie?

wortmann

yes in a cookie stored in a variable used to display name and access to database.

bradgrafelman

In that case, you'd simply check to see if that value exists in the "user-pages" before displaying the relevant content.

Of course, this doesn't address the issue that a malicious user might fabricate his own cookie without actually logging in, so you'd probably want to be able to somehow authenticate data stored in a cookie rather than trusting it came from a legitimate login.

wortmann

bradgrafelman;11033931 wrote:
In that case, you'd simply check to see if that value exists in the "user-pages" before displaying the relevant content.

Of course, this doesn't address the issue that a malicious user might fabricate his own cookie without actually logging in, so you'd probably want to be able to somehow authenticate data stored in a cookie rather than trusting it came from a legitimate login.

thanks a mill. good solid advice without judgement.

I'm starting to get grips with PHP but is it possible to guide me in the right direction to soem more information regards this? Maybe you know of an article that could help me out understand it or a book/course/video i could use to get up to speed?