I am new to PHP, and I want to know if it is safe to do it like this...
I currently have a login system to protect a few pages.
Files:
- not_logged_in.php
- test.php
- login.php
- logout.php
- protected_page_1
- protected_page_2
- unprotected_page_1
Code:
not_logged_in.php:
<html>
You are not logged in!
</html>
test.php:
<?php
$logged_in = false;
function protect_page() {
    if($logged_in == false) {
        header('Location: index.php');
        exit();
    }
}
?>
login.php:
<?php
include "test.php";
$logged_in = true;
?>
logout.php:
<?php
include "test.php";
$logged_in = false;
?>
protected_page_1.php:
<?php
include "test.php";
protect_page();
?>
<html>
Content
</html>
protected_page_2:
<?php
include "test.php";
protect_page();
?>
<html>
Content
</html>
unprotected_page_1:
<html>
Content
</html>
I completely understand that the login.php page just logs in and you don't have to give in a password, but that is just for testing currently...
Thanks for reading!
I think the way of using this $logged_in variable is too loose.
I suggest to make use of sessions.
session.php:
<?php
session_start(); // start on top of your page before any output
if(!isset($_SESSION['loggedin'])) {
    $_SESSION['loggedin'] = false;
}
function loggedin()
{
    return $_SESSION['loggedin'];
}
?>
And in any page with protected content:
<?php
include 'session.php';
// loggedin() is the helper defined in session.php
if(!loggedin()) {
    include 'login.php';
    exit();
}
// some info
?>
login.php will have a form to log in (and to set $_SESSION['loggedin'] = true).
Every page could include session.php.
Yes, it's protected. Maybe you can store the variable that shows whether the user is logged in or not in session storage to make it even more efficient.
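The session-based approach suggested in the answers above, written out as an added example (not code from any of the posts). It keeps the login state in `$_SESSION`, because a plain `$logged_in` variable is reset on every request and is not visible inside `protect_page()`. The file name `auth.php`, the functions `demo_users()`, `start_session()`, `log_in()` and `log_out()`, and the sample account are hypothetical; HTTPS is assumed for the `secure` cookie flag.

```php
<?php
// auth.php - added example; include it at the top of every page, before any output.
declare(strict_types=1);

function demo_users(): array {
    // Constructed sample account; a real site loads stored hashes, never plain passwords.
    static $users = null;
    return $users ??= ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

function start_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function logged_in(): bool {
    start_session();
    return ($_SESSION['loggedin'] ?? false) === true;
}

function log_in(string $user, string $password): bool {
    start_session();
    $hash = demo_users()[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID on login, so a pre-login ID cannot be reused
    $_SESSION['loggedin'] = true;
    $_SESSION['user'] = $user;
    return true;
}

function log_out(): void {
    start_session();
    $_SESSION = [];
    session_destroy();
}

function protect_page(): void {
    if (!logged_in()) {
        header('Location: not_logged_in.php');
        exit();   // stop here so the protected content is never sent
    }
}
```

A protected page then starts with `require 'auth.php'; protect_page();`, and login.php calls `log_in()` with the submitted form values.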