I have created a simple login page to access a mail sending form. The login page works and redirects to sender.html. What I am trying to do is prevent others from accessing sender.html or send.php without logging in. I have already tried putting
<?php
$referrer = $_SERVER['HTTP_REFERER'];
if ($referrer != "http://www.example.com/login.html") {
    header('Location: http://www.example.com/login.html');
}
?>
at the beginning of sender.html, but it doesn't work. I also tried adding redirect rules to .htaccess, but it would not allow access to the page after login. I'm a beginner but have already spent a while trying to sort this out. I would appreciate your help, guys.
Change the filename from sender.html to sender.php. When a file has an html extension, it won't process PHP.
Also, you could modify the .htaccess file to tell the server to process .html files as .php files, but I think it is easier to change the file extension.
First off, checking the referer variable is not a good way to do this; attackers can forge that header. The easy way would be to use basic authentication to protect your two pages of interest.
Example .htaccess:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/htpasswd
Require valid-user
(See http://httpd.apache.org/docs/2.2/howto/auth.html for more details as well as how to create the htpasswd file containing your users)
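As an added example (not part of either answer): if you would rather keep your own login form than use basic authentication, the Referer check can be replaced by a server-side session check. The file name auth.php, the handler login.php, the function names and the sample account are assumptions made for illustration.

```php
<?php
// auth.php: added example, not code from the original answers.
// Assumed layout: sender.php and send.php include this file first.

function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

// Constructed sample account store. In a real deployment, create the hash
// once with password_hash() and store only the hash, outside the web root.
function user_hashes(): array {
    return ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
}

// Called by the login form handler (hypothetical login.php) on POST.
function try_login(string $user, string $password): bool {
    start_session();
    $hash = user_hashes()[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // new session id after login (anti-fixation)
    $_SESSION['user'] = $user;     // state is kept server-side, unlike Referer
    return true;
}

// Must run before any output on every protected page.
function require_login(): void {
    start_session();
    if (empty($_SESSION['user'])) {
        header('Location: /login.html');
        exit;                      // without exit the page body is still sent
    }
}
```

Both sender.php and send.php would then start with `<?php require __DIR__ . '/auth.php'; require_login(); ?>` before any HTML, so send.php cannot be posted to directly without a logged-in session.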