I am creating a content management website with a login page at the back end.
I have created a working login page for the main menu of the content management system.
The below images show my code.
1st Step - User visits the URL of main menu for content management system: Code shown below.
<?php
session_start();
echo $_SESSION['valid_user'];
if(!isset($_SESSION['valid_user']))
{
$URL="error.php";
header("Location: $URL");
}
?>
Two things can happen. 1: If they have not logged in before, they will be directed to an error page. They can then select to visit the login page and log in using their user name and pswd.
I have declared <?php start_session(); ?> at the top.
<?php
// Read the posted fields only if present, so the first (GET) visit raises no notices
$login = isset($_POST['name']) ? $_POST['name'] : null;
$loginpass = isset($_POST['password']) ? $_POST['password'] : null;
if((isset($login)) || (isset($loginpass))){
    //echo "<p> form has been submitted</p>";
    include("connect.php");
    // Escape both values before they go into the SQL string (requires the open connection)
    $safe_login = mysql_real_escape_string((string)$login);
    $safe_pass = mysql_real_escape_string((string)$loginpass);
    $query = "select * from logins where
    username='$safe_login' and pswd=MD5('$safe_pass')";
    $result = mysql_query($query) or die($query."<br/><br/>".mysql_error());
    $count=mysql_num_rows($result);
    echo $count;
    if($count > 0){
        // HTML-escape the name before echoing it back to the browser
        $shown = htmlspecialchars((string)$login, ENT_QUOTES);
        echo "<p>you are logged in as $shown please
        go to <a href='home2.php'>edt home</a>.</p>";
        echo "<p><a href='logout.php'>log out</a> $shown?</p>";
        $_SESSION['valid_user'] = $login;
    }else{
        echo "<p>sorry login failed</p>";
    }
}else{
    //echo "<p> form hasn't been submitted</p>";
    //Visitor needs to enter a name and password
    echo "<h1>Please Log In</h1> <form method='post' action='index2.php'>";
    echo "<p>Username: <input type='text' name='name'></p>";
    echo "<p>Password: <input type='password' name='password'></p>";
    echo "<p><input type='submit' name='submit' value='Log In'></p></form>";
}
?>
So far all of that functionality works fine for me.
However, I want to make sure that if the user bypasses the home URL and decides to jump straight to a section within the edit menu, they will either be forced to log in, if they have not already, or the PHP will check their credentials if they have logged in.
This is an example of the code I have at the top of the page I want to place my validation on. I'm not sure if already having a database table connection at the top will affect the session variable.
<?php
include("connect.php");
//echo "all good here";
//grab the data from the table 'designs'
$query ="SELECT * FROM designs ORDER BY id";
//send SQL statement to MySQL server
$display = mysql_query($query);
$num = mysql_num_rows($display);
mysql_close();
?>
I know I want to place PHP scripts on all of the PHP pages that check the 'valid_user' session variable is set and also give the user the ability to log out by pointing to the logout.php file. I'm just not sure how to go about doing it at this point.
I am very new to all this and generally understand following a clear guide, like most people I'm sure.
Any help anyone could give would be greatly appreciated.
Thanks again!
Basically you'd just have something like this snippet on each of your "protected" pages:
<?php
session_start();
if (!isset($_SESSION['valid_user'])) {
header("Location: login.php");
exit();
}
?>
<a href="logout.php">Logout</a>
If they're logged in, they get a logout link and the rest of the page. If they haven't logged in, they get redirected to the login page.
Sessions are not affected by database connections, or ANY OTHER code. They ARE affected by having performed output before you start the session, or try to do a redirect. That'd trigger the "cannot modify headers - output started at line XXX" warning and disable the redirect.
You should only need to validate the user's credentials after they submit their information to the login page. You can then set a session variable (here it seems you are using $valid_user), and if that variable exists, then they have already authenticated.
You should in fact never be storing their password anywhere on your system for security reasons. You should be hashing their password input on the login page and then comparing that to the hashed database value.
You can have a user log in more than once for added security (phpBB does this when you move from registered user content to admin content, for example), though it is not necessary for general purpose security.
Does that answer your question?
Use the global variable on top of every page after session_start()
$_SESSION['username'];
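The page guard and the hashed-password comparison described in the answers above, combined into one include file as an added example that is not code from any of the posters. It assumes PDO with an in-memory SQLite database (the pdo_sqlite extension) standing in for the MySQL connection in connect.php, and a pswd column holding password_hash() output rather than MD5; check_login, log_in, guard_target and require_login are hypothetical names.

```php
<?php
// Added example. Assumptions: PDO/SQLite replaces the page's mysql_* connection,
// and logins.pswd stores password_hash() output. All function names are hypothetical.
function check_login(PDO $db, string $user, string $pass): bool
{
    // Prepared statement: the user name is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT pswd FROM logins WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return is_string($hash) && password_verify($pass, $hash);
}

// Call on the login page after session_start() and a successful check_login().
function log_in(string $user): void
{
    session_regenerate_id(true);           // fresh session id once authenticated
    $_SESSION['valid_user'] = $user;
}

// Where a protected page should send this request; null means "render the page".
function guard_target(array $session): ?string
{
    return isset($session['valid_user']) ? null : 'login.php';
}

// First statement of every protected page, before any HTML or echo.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = guard_target($_SESSION);
    if ($target !== null) {
        header("Location: $target");       // fails if output was already sent
        exit();                            // the rest of the page must not run
    }
}

// Constructed demo data; runs only when this file is executed directly from the CLI.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE logins (username TEXT PRIMARY KEY, pswd TEXT)');
    $db->prepare('INSERT INTO logins VALUES (?, ?)')
       ->execute(['editor', password_hash('correct horse', PASSWORD_DEFAULT)]);
    var_dump(check_login($db, 'editor', 'correct horse'));
    var_dump(check_login($db, 'editor', "' OR '1'='1"));
    var_dump(guard_target([]));
}
```

Saved as an include, each protected page would start with a require of this file followed by require_login(), and logout.php would call session_destroy() before redirecting.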