I'm using the code below to direct people to the page the need to see. It's code that I was given and works great. I give them a password and, when they type it in, it redirects them to their page. The problem is that I need their page to be protected so that only the person who come from this page, and type in the right password, can access the page. If they try to go to the page directly, without going through this page, they get an error message. Is that possible? If so, what php code would I put at the top of each page. Thanks for your help!



<?php

$sites = array(
'password1' => 'http://www.kgcr.org',
'password2' => 'http://www.colbyberean.com/jobs.php',
'password3' => 'http://www.kgrd.org'
);

$password = isset($_POST['password']) ? trim($_POST['password']) : '';

if($password && isset($sites[$password])) {
header('Location: ' . $sites[$password]);
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
body {margin: 0;padding: 0;background:#222 url('splash.gif') no-repeat top left;}
#login {margin: 245px 0 0 245px;}
#login p {margin: 2px 0 0 45px;}
#login input {padding: 5px;color: #666}
#login input:focus {color: #000}
</style>
</head>
<body>
<div id="login">
<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<input type="password" name="password" size="20" maxlength="100" />
<p><input type="submit" value="Submit" /></p>
</form>
</div>
</body>
</html>

If you can use session variables, that's a good way to do it. In your if statement, right before you send the header, set a session variable like so:



@session_start();
@session_register("logged_in");
$_SESSION["logged_in"] = 1;


The @ symbol keeps you from getting a notice if a session has already been started. Now at the top of all your destination pages, add the following code:



@session_start();
if ($_SESSION["logged_in"] !== 1) {
exit(); // or output an error message of your choice, then exit()
}


If you do it this way, it will remember they're logged in until they close their browser. So if you log in and get sent to the page, then navigate away, then go back to the destination page using a direct link, you'l get back in without having to log in again. Anyone who hasn't logged in will get shut out.

Wait, I just thought about something. You need to change the value of the session variable to be something unique depending on the page. Otherwise, once you log into 1 page, you can direct link to any other protected page.

Maybe try something like this (http://www.dynamicdrive.com/forums/blog.php?b=21)?

Nile:

I didn't see anything under your comment "Maybe try something like this?" What am I missing?

bobolibob:

Where does the error message go in the php code on the destination page? I've been doing web pages for awhile but am new to php. Thanks for your help!

Where it says "this" (it's underlined) click on that, it's a link to the page you might find helpful.

Thanks. For some reason it wasn't underlined on my page. But it went through anyway.

Ok, did this solve your problems?

I downloaded it but haven't had a chance to test it. It will probably be this evening. I'll let you know. Thanks for your help.

I got a little time and gave it a try. It worked great and I'll save it in case I need something more robust down the road. The current project just calls for something simple though so I'll probably just use the other code that was proposed. It's a little simpler to work with.

The only thing I still need to figure out is where to put the error message on the code:


@session_start();
if ($_SESSION["logged_in"] !== 1) {
exit(); // or output an error message of your choice, then exit()
}

I don't understand you. But also, there was a huge security whole that I did not fix on the page you dowloaded, fix it at http://www.dynamicdrive.com/forums/showpost.php?p=192340&postcount=27.

(I'm fixing this on the downloadable version now.

Thanks. I downloaded the new script.

Great, glad to help! Now, what was that thing about an error? You wanted to have an error if something?

There was another person that gave some code before you logged in. I was looking at both your code and his and was just wondering how to add an error message to the php code on the destination page of the code he sent me. The code is below.


@session_start();
if ($_SESSION["logged_in"] !== 1) {
exit(); // or output an error message of your choice, then exit()
}

So, you want it if the user isn't logged in it gives them an error message? My code already has that installed. Is there something else I forgot?

No, your code was great and worked perfectly.

I was just playing with his code at the same time as yours and was trying to figure it all out. I've been designing web pages for quite awhile but the is my first time actually writing php. I was trying to break down the code to see how it all worked and was just curious what it would take to add in an error message when people tried to log in without going through the proper sequence.

Your code was a little bigger bite then I felt I could chew all at once so I was playing with the other code since it was quite a bit smaller.

I really appreciate all your help on this.

Glad to help you! Your welcome!

It seems your topic is solved... Please set the status to resolved.. To do this:
Go to your first post ->
Edit your first post ->
Click "Go Advanced" ->
Then in the drop down next to the title, select "RESOLVED"

I am still curious about what I need to do to add an the error message to that code. I tried several things and thought I had but it never worked. If you have time could you show me what I need to add so I can get a better idea of how it works? I just want to change it so that people accessing the code will get an error message rather then just a blank screen.

Here's the code:


@session_start();
if ($_SESSION["logged_in"] !== 1) {
exit();
}

I just hate to walk away from it without having it figured out. Thanks again for all your help.

When you go to a page that you have no permissions to, it just directs you to the login. Can you be more descriptive please?

The log in page has the code:

<?php

$sites = array(
'password1' => 'http://www.kgcr.org/1woofter/test1.php',
'password2' => 'http://www.colbyberean.com/jobs.php',
'password3' => 'http://www.kgrd.org'
);

$password = isset($_POST['password']) ? trim($_POST['password']) : '';
@session_start();
@session_register("logged_in");
$_SESSION["logged_in"] = 1;

if($password && isset($sites[$password])) {
header('Location: ' . $sites[$password]);
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
body {margin: 0;padding: 0;background:#222 url('splash.gif') no-repeat top left;}
#login {margin: 245px 0 0 245px;}
#login p {margin: 2px 0 0 45px;}
#login input {padding: 5px;color: #666}
#login input:focus {color: #000}
</style>
</head>
<body>
<div id="login">
<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<input type="password" name="password" size="20" maxlength="100" />
<p><input type="submit" value="Submit" /></p>
</form>
</div>
</body>
</html>


The protected page has the following script about the <head>:

<?php
@session_start();
if ($_SESSION["logged_in"] !== 1) {
exit(); // or output an error message of your choice, then exit()
}
?>

Try this:


@session_start();
if ($_SESSION["logged_in"] !== 1) {
echo "<b>You must be logged in to view this page!</b>";

exit();
}


Or, You can either redirect the user to the login page itself if ($_SESSION["logged_in"] !== 1) which is usually what people do...

Just replace the login.php in below code, if the name is different:

@session_start();
if ($_SESSION["logged_in"] !== 1) {
header("Location = login.php");

exit();
}

I am a beginner too in php but this is a simple code, so I think I could help.