
PHP, Prevent users from accessing a page while not logged in?

How can I prevent a user from accessing a page when they are not logged in? I want him to be redirected to the login page. I know it has something to do with sessions.


It works like this:

  1. Start a session: session_start()
  2. If Session["user"] == null, redirect to the login page, else continue.
  3. In the login page, ask the user for password using a form
  4. Post this form to the login page
  5. Check against your authentication service (e.g. a table in mysql) if the user is authorized
  6. If yes, Session["user"] = $userName, redirect the user to the page. If no, prompt for password again

Of course, this is all very, very simple. In your session, you could keep a complex user object, or anything. Good luck coding.


As Svetlozar Angelov pointed out the following code would work well:

if (!isset($_SESSION['nID']))
    header("Location: login.php");

However, this would not actually secure the page against users who really wanted access. You need to make some adjustments:

if (!isset($_SESSION['nID']))
{
    header("Location: login.php");
    die();
}

This prevents bots and savvy users who know how to ignore browser headers from getting into the page and causing problems. It also stops the rest of the page from executing, which saves resources.

It's also noteworthy that $_SESSION['nID'] can be swapped out for any other variable you are using to store usernames or IDs.


When he logs in, store a session variable. Then at the beginning of every page:

session_start();
if (!isset($_SESSION['nID']))
    header("Location: login.php");

If the login is OK:

session_start();
$_SESSION['nID'] = 1; //example


Follow these steps:

Create a login.php page accessible to everybody where a user enters her username and password in a form. This form must be submitted to login.php itself. (action='login.php'). Also include a hidden variable in your form which tracks if the form has been submitted.

If the hidden variable is set, check if the username ($_POST['user']) exists in your DB, and that the password matches the username. If it does, store the username in a $_SESSION variable like this:

$_SESSION['username'] = $_POST['user'];

If it does not, reload login.php like this:

header("Location: login.php"); // You must not have echoed anything before this
exit;

Now include login.php in every user page you create. Suppose you were writing an email application; create an inbox.php like this:

include("login.php");

Now, login.php will check if the session variable 'user' is set and allow access to authorised users only.
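The answers above all describe the same pattern: start the session, check for a user marker, redirect and stop. The listing below is an added example written for this page, not code from any of the answers, and it puts the pieces together with the hardening a practitioner would expect: the redirect is followed by exit, the session id is regenerated on login, the cookie carries HttpOnly/Secure/SameSite, the password is checked with password_verify, and the form carries a CSRF token. It bundles two files (auth.php and login.php) in one listing. Everything it assumes is illustrative: a users table with columns id, username and password_hash (created with password_hash()), a PDO handle $pdo created elsewhere, and a protected page at /inbox.php.

```php
<?php
// ===== file: auth.php  (require_once this on every protected page) =====
// Added example, not code from the answers above. Assumed schema: users(id,
// username, password_hash); $pdo is a PDO handle the application creates.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps scripts away from the session id, Secure keeps it off
    // plain HTTP, SameSite=Lax stops most cross-site requests from carrying it.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Gate: redirect anonymous visitors and, crucially, stop executing. Returns
// the logged-in user's id so the page never has to touch $_SESSION itself.
function require_login(string $loginUrl = '/login.php'): int
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        // Without exit the rest of the page is still generated and sent; a
        // client that ignores the Location header simply reads it.
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// Check credentials; on success bind the user to a fresh session id.
function attempt_login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run password_verify even for unknown usernames so the response time
    // does not reveal which usernames exist.
    $hash = $row !== false ? $row['password_hash']
                           : password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }

    session_regenerate_id(true);            // defeats session fixation
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}
?>
<?php
// ===== file: login.php  (public; handles its own form, action='login.php') =====
require_once __DIR__ . '/auth.php';
start_secure_session();
$error = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Constant-time comparison of the CSRF token issued with the form.
    $tokenOk = isset($_POST['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $_POST['csrf']);
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');
    if ($tokenOk && attempt_login($pdo, $user, $pass)) {
        header('Location: /inbox.php', true, 302);
        exit;
    }
    $error = 'Invalid username or password.';   // one message for every failure
}
$_SESSION['csrf'] ??= bin2hex(random_bytes(32));
?>
<form method="post" action="login.php">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES) ?>">
  <label>Username <input name="user" autocomplete="username"></label>
  <label>Password <input name="pass" type="password" autocomplete="current-password"></label>
  <button>Log in</button>
  <p><?= htmlspecialchars($error, ENT_QUOTES) ?></p>
</form>
```

A protected page then needs only `require_once __DIR__ . '/auth.php'; $uid = require_login();` as its first lines, before any output, since header() fails once the response body has started. The gate checks `$_SESSION['user_id']` rather than copying the submitted username into the session, so the page trusts only what attempt_login stored after a successful password_verify.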
