Remembering the User is Logged On

Anon

Hi,

I am having a trouble passing varibales between pages.

See, I have a log-on screen, and if the user successfully logs-on, then their account page opens.

But if that account page needs to link to another page of their account, how can I code it to only open that page if the user is logged on....that is how can it remember that the user is authentic without asking for a 2nd log-on ????

Please help,
Cheers, James.

Anon

If you are using php4 you can use the sessions functions......otherwise just carry over a variable from the login form like

if(however you check for authenticity)
{
header("nextpage.php3?loggedin=yes");
}

then on your next page go

if($loggedin != "yes")
{
header("location: login.php3")
}

rgds,
scott d~

Anon

Thanks for your reply!

However if I was to say "nextpage.php?loggedin=yes" as the URL,
surely a hacker could just type that in their browser and gain access to the page?

Do you know of a more secure solution where the confirmation of being logged in passes from php to browser to php in a discrete manner?

Cheers, James.

Anon

There are a couple of ways in dealing with this.....the most obvious would be to always try and use "post" when passing info between pages.....the second most obvious would be to pass the info via cookies (which I hate).....I recently did something similar using what I call a "hidden frame".

Basically, my first "login page" is a html page which has 1 frameset like this:

Then as you move through the site the php pages will be displayed within this frame that takes up 100% of the window.....but because it is in a frameset you will never be able to see the url changing.

However, if you are a hacker you can easily get around this (as they can get around most things)....they could fool with the cookies if they wanted to.

The only real safe solution is to use server side authentication which would either involve php4 or creating a session management system with php3/mysql or sim.

If your sites not going to be used by those who have the knowledge to "hack" then the hidden frame would work fine.

HTH
scott d~

Anon

I assume you are using PHP4. If you are not, upgrade to PHP4. Using the built in sessions is the easiest and probably the most secure way of doing this.

Logon Script - This is how you set your session variable

$vaild_user="username";
session_register("valid_user");

All other scripts
if (session_is_registered("valid_user"){
//Proceed with your code
}

else {
//Let the user know they have to login first
}

The session data is stored on the server and cannot be entered through the url like you stated before. Sessions is how I plan to implement an access control system for my company Intranet.

See the PHP documentation for more information on sessions.

If you only have PHP3 and absolutely, positively cannot upgrade to PHP4 then check out PHPlib. It is a library which has encorporated some sort of session management. I have never used it though.

Good Luck.