In every PHP file in my project I am using the following code so that nobody can get into the website without logging in:
<?php
session_start();
if($_SESSION['userid']!="myuserid"){
header("Location: Adminlogon.php");
}
?>
Note that I need only one user id, the user id and password is shared among a group of people.
Is this code safe? Can I do better?
Your code is not safe, because actually it does not prevent from each script being executed - which is what you actually want to prevent.
To prevent execution if the session is not set correctly, you need to leave the file, for example with the return statement:
<?php
session_start();
if ($_SESSION['userid'] != "myuserid")
{
header("Location: Adminlogon.php");
return; ### leave this script/include
}
?>
Instead of return you can also use the exit or die statement for rudimentary scripts.
That will be safe, but cookie and session can be easily "hijacked" in LAN when you are using plain HTTP. So force your application server to use HTTPS