I have a members area on my website. And have both the script to create a name and password, and to login to the members area. To my own surprise I managed them both to work.
My problem now is that anyone still can access that members area, as long as they know the name of that page. How can i make that page secure so that if they give in the url of the page, they can not get in.
The only way to enter that page would be by login in.
Is it also possible to log the users out as soon as they close the protect page?

Here is the login script (I hope this is enough information):


<?php
ob_start();
$host="localhost"; // Host name
$username="***"; // Mysql username
$password="***"; // Mysql password
$db_name="***"; // Database name
$tbl_name="leden"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$lid=$_POST['lid'];
$pasw=$_POST['pasw'];

// encrypt password
$pasw_md5=md5($pasw);

$sql="SELECT * FROM $tbl_name WHERE lid='$lid' and pasw_md5='$pasw_md5'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
echo "Beste ", $lid, ", we verbinden u nu door...";
session_register("lid");
session_register("pasw");
header("location:memb1.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

Use sessions and check that the password stored in the session (you may want to encode it, such as with md5()), matches the stored password in the script. If not, kick them out to the login.
http://twey.co.uk?q=loginscript is an example you could check out, if a bit complex.

The 2 variables (lid, pasw) are stored in a session (I hope).

But i have completely no idea how to recall them, how or what to compare and how to kick to the login page if needed.

$_SESSION['variablename']

Just compare that to what it SHOULD be, at the top of the page. If not, then dump them back to the login. You may want to create a config.php page and include that, for easy storage of the username/password variables.

Ok... seems I took a big leap instead of a small step.

I guess i have to look elsewhere to get an example of some kind...

thanx anyway

I took a closer look, and it wouldn't be hard to update that to work, at all.

Pretty simple:

1. Change $_POST for the name/pass to $_SESSION, then you get the stored value.

2. On this script, do store the pass/username in $_SESSION....
$_SESSION['pass'] = $pass;

3. Then change the script to be if NOT equal, then redirect to the login page, and include that in any members only pages.

thanks for the help, but it's still chinese for me...

Like I said before, I'm glad i could adjust this script a bit so it would do what i wanted.

I'm completely lost. So i'll probably dismiss the members area completely

To learn or not to learn. That is the question.

Solved ... and it works!!!!!!

Miracles can happen after all... :D