I want to make an administration page called admin.php. In order to access this page, a user has to login using a page called login.php. Is there a way to prevent the user from accessing admin.php unless he has logged in? Thanks.
@NogDog, Jul 18 2007: You can use PHP sessions to track the login status, and only display the admin page contents if a specific $_SESSION variable has been set by the login form.
@trivektor (author), Jul 18 2007: What if the user can just access the admin.php page by randomly trying something like www.domain.com/path/admin.php? My question is how to prevent that access? Thanks.
When I open index.html and click on admin.php link, it directed me to login.php , which is good. However, I can still access admin.php by tracing the path. Did I do anything wrong?
@Crucial, Jul 19 2007: Your admin page does not need the username and password checked; doesn't your login_process handle that?
You only need to set $_SESSION['db_is_logged_in'] = true; once, in your login_process. It doesn't need to be set on every page.

You should set a default of false, however. Before you run the query $query_auth, set the session var to false:

$_SESSION['db_is_logged_in'] = false;

If the username and password are correct, set it to true as you are doing.
Try this for admin.php:

[code=php]
<?php
session_start(); // this brings in all session vars

// if the login flag is missing or false, send them to logout.php
// (empty() avoids an undefined-index notice when nobody has logged in yet)
if (empty($_SESSION['db_is_logged_in'])) {
    header('Location: logout.php');
    exit; // stop here, otherwise the admin content below is still sent
}

include 'config.php';
include 'opendb.php';
// include other admin stuff
[/code]
Now, anytime admin.php is requested, you'll get a redirect if db_is_logged_in is not set to true.
In your code, you had this check wrapped in a login query; if $_POST['username'] was not set, then your check did not happen. All you need is session_start() and then run your check.
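The two halves of Crucial's advice (set the flag once in login_process, check it at the top of every protected page) as one reusable include. This is an added example, not code from this thread; it assumes a hypothetical PDO connection $pdo and a users table with username and password_hash columns, where the hash was produced by password_hash(). The names auth.php, login(), require_login() and logout() are this example's own.

```php
<?php
// auth.php (added example, not the thread's code).
// Assumes: a PDO connection $pdo (hypothetical) and a `users` table with
// `username` and `password_hash` columns, hashes made with password_hash().
declare(strict_types=1);

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Cookie flags: not readable by JavaScript, not sent on cross-site
        // navigations; 'secure' is set only when the request came over HTTPS.
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

// Called from login_process.php after the form is POSTed.
function login(PDO $pdo, string $username, string $password): bool
{
    start_session();
    $_SESSION['db_is_logged_in'] = false; // default to false before the lookup

    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy bcrypt-shaped string when the user is unknown, so
    // a missing account and a wrong password take roughly the same time.
    $hash = $row['password_hash'] ?? '$2y$10$' . str_repeat('0', 53);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Fresh session id on privilege change: a session id planted in the
    // browser before login (session fixation) does not become a logged-in one.
    session_regenerate_id(true);
    $_SESSION['db_is_logged_in'] = true;
    $_SESSION['username'] = $username;
    return true;
}

// First statement in admin.php, modify.php and every other protected page.
function require_login(string $redirect = 'logout.php'): void
{
    start_session();
    if (($_SESSION['db_is_logged_in'] ?? false) !== true) {
        header('Location: ' . $redirect);
        exit; // without exit, the rest of the page is still sent after the redirect
    }
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    session_destroy();
}

// Usage in the pages from the thread:
//
// login_process.php
//   require 'auth.php';
//   if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: admin.php');
//   } else {
//       header('Location: login.php');
//   }
//   exit;
//
// admin.php (and modify.php)
//   require 'auth.php';
//   require_login();
//   include 'config.php';
//   include 'opendb.php';
//   // ... admin content ...
```

The check is the strict `=== true` on the session flag rather than a truthiness test, and every protected page calls require_login() before it outputs anything, so a direct request for www.domain.com/path/admin.php with no session gets the redirect and nothing else.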
Thanks for the reply. I tried it and changed everything as you suggested. There's still one problem, however. I have another page called modify.php; if I click on that page, do some stuff, and then click on the link to admin.php, the administration page still shows up without asking for login. Do you know how to fix this? Thanks.
This should only happen if a login has already been successfully checked. Why would you want to ask someone to log in over and over each time they request to view admin.php? Isn't once per session enough?
If they haven't logged in successfully, admin.php should send them to logout.php.