[murdocsvan]

Awesome, thanks. Can you see anything i've missed out?

[murdocsvan]

I was also reading about sessions and i read that the old session has been depracated by $_SESSION. I've tried changing it, but i've found i've got a parse error when i request the session on the other pages. No problem with registering it though.

This is the code that gives me an error:

PHP Code:

<?php

session_start();

if(!isset($_SESSION['logged'))
    {
    header("location:login/main_login.htm");
    }
    
?>

And this is the code that sets the variable on the check_login page:

PHP Code:

if($count==1)
        {
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        $_SESSION['logged'] = "yes";
        header("location:login_success.php");
        }
    else 
        {
        echo "Error: Wrong Username or Password";
        } 


Lol it probably isn't very secure.

Thanks in advanced.

[CrazeD]

Quote:

Originally Posted by murdocsvan

I was also reading about sessions and i read that the old session has been depracated by $_SESSION. I've tried changing it, but i've found i've got a parse error when i request the session on the other pages. No problem with registering it though.

This is the code that gives me an error:

PHP Code:

<?php

session_start();

if(!isset($_SESSION['logged'))
    {
    header("location:login/main_login.htm");
    }
    
?>

And this is the code that sets the variable on the check_login page:

PHP Code:

if($count==1)
        {
        // Register $myusername, $mypassword and redirect to file "login_success.php"
        $_SESSION['logged'] = "yes";
        header("location:login_success.php");
        }
    else 
        {
        echo "Error: Wrong Username or Password";
        } 


Lol it probably isn't very secure.

Thanks in advanced.

I don't see anything that would give an error. Can you post the error you get?

Also, instead of doing $_SESSION['logged'] = "yes", make it a Boolean. $_SESSION['logged'] = true.

Then, when you check for it, do if ($_SESSION['logged'] == true) { //asdfasdf }

[murdocsvan]

haha turned out i was just using the wrong type of bracket, if you look at $_SESSON i put ['logged') instead of ['logged']. Most of the time it seems like really simple stuff like this is what catches me out lol.

[CrazeD]

Oh, I see now. Actually you just forgot the ], the ) should be there.

if(!isset($_SESSION['logged']))

Like that.

[murdocsvan]

Okay well that's all working dandy now.

A couple of questions. First of all, when i log in, sometimes it says successful, but then takes me back to the login page anyway.

Also, do i have to put this bit code on every page i want protected by the login system:

PHP Code:

//Check user is logged in
session_start();

if(!isset($_SESSION['logged']))
    {
    header("location:login/main_login.htm");
    } 


or is there a simpler way to protect all my pages?

[CrazeD]

Personally, I like to use flow control for the entire section that I want protected.

For example;

PHP Code:

<?php

session_start();

if (isset ($_SESSION['logged'])) {
     // do logged in stuff
} else {
     // not logged in
     header('location: login/main_login.html');
}

?>

Since the header() function just sends headers to the browser, there is probably a way to block or manipulate that data (though, I'm just guessing here) so if that were the case, your script offers no protection. My script displays the logged in stuff ONLY if they are logged in.

Remember that when you are making scripts such as these, always code as if every user is a malicious user and will attempt to use the script in ways you didn't intend.

[murdocsvan]

Are you sure about that? It just looks like it does the same thing. Also if i used that code on a document with HTML, i'd have to put Echo before every line of HTML code

[murdocsvan]

And also, how would i protect a file which i can't put PHP in, life a .txt or a .pdf? Isn't there a way to just protect a sub directory?

[CrazeD]

You don't need to echo every line, you can echo once and then put all of your HTML inside. Or, you can just end the PHP and then continue it later.

PHP Code:

   <?php

session_start();

if (isset ($_SESSION['logged'])) {
     echo '<b>Multiple</b>

     <i>lines of</i>

     <u>wonderful HTML!</u>';
} else {
     // not logged in
     header('location: login/main_login.html');
}

?>

PHP Code:

   <?php

session_start();

if (isset ($_SESSION['logged'])) {
     // do logged in stuff

?>

You've ended the PHP tags, so do your junk here.

<?php

// then you can restart here. PHP doesn't care
} else {
     // not logged in
     header('location: login/main_login.html');
}

?>

Here's examples of both methods.

To protect an external file, you have two fairly easy methods. One is to do funky things with .htaccess. Another option is to store the files in a folder that's not an obvious name. Then, have long random file names for the files. Store the names in a database and then when the file is requested, just get it from the database. You could even have the name change on each request, or after a certain time period.

It's difficult to truly protect external files, I don't really know of any other way except what I just mentioned.