I am quite new to PHP, so I hope there are some who can help. I have a login page which works fine. My problem is that if you know the URL, you can still access the subpages.

This is what it says on my login page

<body>
<?php
if(@!empty($_SESSION['acesses'])) {
echo '<script language="JavaScript">{ location.href="subpage.php"; self.focus(); }</script>';
}
?>
<div id="loginWrapper">
<div id="login">
    <form name="loginform" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES); ?>" method="post" autocomplete="on">
        <fieldset id="input">
            <h1>Log Ind</h1>
            <?php
                if(isset($_POST['submit'])) {
                    echo '<div class="errorBox">';
                    $username = mysqli_escape_string($conn,$_POST['username']);
                    $password = mysqli_escape_string($conn,$_POST['password']);

                    if(!empty($username) && !empty($password)) {
                        $query = mysqli_query($conn,"SELECT * FROM member WHERE username='$username' LIMIT 1");
                        $result = mysqli_fetch_array($query);

                        if($result['username'] == $username && $result['password'] == $password) {
                            // Session information
                            $_SESSION['acesses'] = $result['id'];
                            echo '<script language="JavaScript">{ location.href="subpage.php"; self.focus(); }</script>';
                        }else {
                            echo 'Brugernavnet eller Adganskoden stemmer ikke overens.';
                        }
                    }
                    echo '</div>';
                }
            ?>

            <label for="username"> Dit Brugernavn</label>
            <input name="username" id="user" type="text" placeholder="Brugernavn"> 

            <label for="password"> Dit password </label>  
            <input name="password" id="pass" type="password" placeholder="Password">
            <input name="submit" type="submit" value="Log ind" />
        </fieldset>   
     </form>
..........

This is what it says at the top of my subpage

<?php
session_start();

if(!empty($_SESSION['acesses'])) {   
echo '<script language="JavaScript">{ location.href="login.php"; self.focus(); }</script>';
}
?>
<!doctype html>
<html lang="en">
<head>
  • If the user has javascript disabled, they'll never see the subpage. Consider using .htaccess and .htpasswd and checking those values. Commented Apr 1, 2014 at 18:36
  • session_start(); needs to be on line 1 EXACTLY! <?php session_start();?> Cannot be anywhere else. Commented Apr 1, 2014 at 19:15

4 Answers

3

You could redirect the user if they are not logged in, and vice versa.

session_start(); // before any output, so the session cookie can be read and headers can still be sent

if (empty($_SESSION['acesses'])) {
    // not logged in: send them to the login page (or whatever page you like)
    header("Location: yourpage.php");
    exit(); // stop here so the rest of the page is not rendered for an unauthenticated user
}
else {
    // your code for when user is logged in
}

Don't use JavaScript to redirect, especially when dealing with sessions. A user can simply turn off JavaScript in their browser and the redirect won't work anymore.


1

First of all, your subpage redirects away if the user isn't logged in. Second of all, instead of a javascript redirect, use an HTTP one:

<?php
session_start();

if(!isset($_SESSION['acesses']) || empty($_SESSION['acesses'])) {
    header("Location: index.php");
    exit; // without this, PHP keeps rendering the protected page after sending the redirect header
}
?>

1

You can use the following logic in the page(s) you wish to protect:

if(isset($_SESSION['acesses']) && !empty($_SESSION['acesses'])){
    // give access
}
else{
    // don't give access
}

and do the same for all your pages.

Sidenote: The code you posted for your login page doesn't contain session_start(); - If it's not in your working code, include it. It must be inside all pages using sessions.

<?php
session_start(); // must come before any output (including <body>), or the session cookie cannot be sent
if(!empty($_SESSION['acesses'])) {
    echo '<script language="JavaScript">{ location.href="subpage.php"; self.focus(); }</script>';
}
?>
<body>

You should also consider embedding <noscript>Please enable Javascript</noscript> into your code and redirect the user if it isn't enabled.


Important sidenote: I noticed you are storing passwords in plain text. This is highly discouraged.

If your PHP version is 5.5, you can use the password_hash() function, or crypt() or bcrypt()

Here are a few resources you can look into:


About using Javascript:

If you absolutely want to use JS in your code, you can use the following logic:

<?php
    echo "<div id=\"hide\">This line is hidden in PHP and will appear once JS is enabled.</div>";
    // you can include your JS anywhere in here and will execute once the user enables JS.
?>

<body>
<div class="hide_class">This is hidden using a CSS class and will appear once JS is enabled.</div>

<noscript>
Please enable Javascript to view the content of this page, thank you.

    <style>
    #hide {
    display:none;
    }

    .hide_class {
    display:none;
    }
    </style>

</noscript>
</body>
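The server-side gate that this answer and the two above it describe, as an added example that is not code from the question or from any answer on the page: a small include (`auth.php`, an assumed filename) that every protected page requires as its very first line. The session key `acesses` and the page names `login.php` / `subpage.php` are taken from the question; the function names and the cookie settings are assumptions, and the code assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// auth.php (assumed filename) -- added example, not code from the question or the answers.
// Require this as the first line of every protected page, before any HTML or
// whitespace: session_start() and header() both need the response headers unsent.
declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Session cookie not readable from JavaScript and not sent on cross-site requests.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

function is_logged_in(): bool
{
    start_session_once();
    // 'acesses' is the session key from the question; it holds the member id.
    return !empty($_SESSION['acesses']);
}

// Protected pages call this first. The question's subpage had the test inverted
// (!empty sent logged-in users away); here an empty value means "not logged in".
function require_login(string $loginPage = 'login.php'): void
{
    if (!is_logged_in()) {
        // HTTP redirect works with JavaScript disabled. exit stops PHP from
        // rendering the rest of the page and sending it to the client anyway.
        header('Location: ' . $loginPage, true, 302);
        exit;
    }
}

// The login page calls this so an already-authenticated user skips the form.
function redirect_if_logged_in(string $target = 'subpage.php'): void
{
    if (is_logged_in()) {
        header('Location: ' . $target, true, 302);
        exit;
    }
}

// Logout: clear the data, drop the cookie, destroy the server-side record.
function logout(string $loginPage = 'login.php'): void
{
    start_session_once();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $loginPage, true, 302);
    exit;
}
```

In `subpage.php` the first two lines become `require __DIR__ . '/auth.php';` and `require_login();`, ahead of `<!doctype html>`; `login.php` calls `redirect_if_logged_in()` in the same spot. Because the check runs on the server and ends with `exit`, knowing the URL of a subpage no longer helps a visitor without a session, whether or not their browser runs JavaScript.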


0

First of all, you should use PHP-PDO in order to prevent SQL Injection attacks.

Also, your code is wrong on the subpage. You should check the acesses variable as in the following example.

if(!isset($_SESSION['acesses']) or empty($_SESSION['acesses'])) {
    echo '<script language="JavaScript">{ location.href="login.php"; self.focus(); }</script>';
    exit; // stop rendering, so a client with JavaScript disabled still does not receive the page content
}

1 Comment

Thank you, this solved my problem. I will immediately read about PDO and see if I can make an example of it and then change this one.
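The two remaining points from this thread, PDO instead of string-built SQL (this answer) and hashed instead of plain-text passwords (the sidenote in the answer above), as one added example that is not the asker's or any answerer's code. The table and column names (`member`: `id`, `username`, `password`), the session key `acesses` and the redirect to `subpage.php` come from the question; the DSN and credentials are placeholders, the function names are assumptions, and the code assumes PHP 7.1 or later.

```php
<?php
// login.php (handler part) -- added example, not code from the question or the answers.
// Replaces the string-built SELECT and the plain-text password comparison with a
// PDO prepared statement and password_hash()/password_verify().
declare(strict_types=1);
session_start(); // must run before any output

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4', // placeholder DSN
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Registration or password change: store only the hash. password_hash() picks a
// random salt and, with PASSWORD_DEFAULT, the currently recommended algorithm.
function store_password(PDO $pdo, int $memberId, string $plainPassword): void
{
    $stmt = $pdo->prepare('UPDATE member SET password = :hash WHERE id = :id');
    $stmt->execute([
        ':hash' => password_hash($plainPassword, PASSWORD_DEFAULT),
        ':id'   => $memberId,
    ]);
}

// Returns the member id on success, null on any failure. The username travels as
// a bound parameter, so quotes or SQL keywords inside it are data, not syntax.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM member WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user is unknown, so the response
    // time does not reveal whether the username exists.
    $hash = ($row !== false) ? $row['password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }

    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        store_password($pdo, (int) $row['id'], $password);
    }
    return (int) $row['id'];
}

$error = null;
if (isset($_POST['submit'])) {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $memberId = ($username !== '' && $password !== '')
        ? authenticate($pdo, $username, $password)
        : null;

    if ($memberId !== null) {
        session_regenerate_id(true);      // fresh session id after login (session fixation)
        $_SESSION['acesses'] = $memberId; // the key the question's subpages check
        header('Location: subpage.php', true, 302);
        exit;
    }
    // One message for unknown user and wrong password alike (the question's wording).
    $error = 'Brugernavnet eller Adgangskoden stemmer ikke overens.';
}
?>
<!doctype html>
<?php if ($error !== null): ?>
<div class="errorBox"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></div>
<?php endif; ?>
```

Note that `mysqli_escape_string()` as used in the question only escapes quotes inside a string that is then pasted into SQL; a bound parameter never becomes part of the statement text, which is why the prepared statement removes the injection risk rather than filtering it. Likewise `password_verify()` compares against the stored hash, so the database never needs to hold the password itself.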
