Computer Forums

Closed Thread
Old 07-27-2006, 11:36 AM   #1 (permalink)
 
True Techie

Join Date: May 2006

Location: Chicago IL

Posts: 104

thejeremy

PHP session question

I'm working on some admin pages for a PHP/MySQL application. I'm really new to these languages, I've only read like 2 tutorials, so bear with me. I coded a basic login page with username and password fields. When the correct ones are entered the user is taken to the administrator menu page. From there, you can navigate to a ......./create.php page, for example. My concern is that a user can skip the login process altogether if he/she types http://<path>/create.php directly into the address bar, which takes the user directly to that page and bypasses the login process. Is there any way to prevent this, like to secure all the pages accessed after logging in? I was researching this and I think I have to start a session with the session_start(); command, but it kept giving me errors dealing with session_cache_limiter or something similar.

Does anyone have any good ideas how to do this?
__________________
CPU: AMD Athlon 64 X2 5200+ Windsor, 2.6 GHz
RAM: CORSAIR XMS2 2GB 240-Pin DDR2
VIDCARD: EVGA PCI-Express x16 GeForce 7900GS 256MB
MOBO: ASUS M2N-SLI Deluxe AM2
HDD: Seagate Barracuda 320GB 7200 RPM SATA

my blog: http://jspot.gotdns.com
Old 07-27-2006, 12:12 PM   #2 (permalink)
 
Software Developer

Join Date: Mar 2006

Location: Columbus, OH

Posts: 569


Put this at the top of your file before the <html> tag:
PHP Code:
<?php  session_start();  ?>

Old 07-27-2006, 12:17 PM   #3 (permalink)
 
True Techie

Join Date: May 2006

Location: Chicago IL

Posts: 104

thejeremy


When I last tried that it was after the <BODY> tag. So it has to be before the <HTML> tag to work like I'd want it to?
Old 07-27-2006, 12:33 PM   #4 (permalink)
 
Software Developer

Join Date: Mar 2006

Location: Columbus, OH

Posts: 569


Yes.
Code:
<?php  session_start();  ?>
<html>
    ...
    <body>
    ....
    </body>
</html>

Old 08-01-2006, 05:29 AM   #5 (permalink)
 
True Techie

Join Date: Apr 2006

Posts: 167

chrisds


Has this worked?

You will also need to use the session to verify if the user has logged in or not.
__________________
Oh Gay my sig got removed!
Old 08-01-2006, 11:53 PM   #6 (permalink)
 
Monster Techie

Join Date: Apr 2005

Posts: 1,909


The <?php session_start(); ?> needs to be at the very top, before any other code. Then you have to create a variable like $_SESSION['loggedin'] if the right username and password are entered. Then, at the beginning of create.php, put:

<?php
// session_start() must already have been called at the top of this page.
// Stop the page from loading unless the login page set the flag.
if (!isset($_SESSION['loggedin'])) {
    exit;
}
?>

This will stop the page from loading if $_SESSION['loggedin'] is not declared. DON'T FORGET TO START THE SESSION ON create.php by putting <?php session_start(); ?> before any code on that page too.

Let me know how that works.
__________________

AIM = jcortestechhelp
Old 08-02-2006, 01:20 AM   #7 (permalink)
 
True Techie

Join Date: May 2006

Location: Chicago IL

Posts: 104

thejeremy


Here's how I set things up on the login page (my own username and password would be substituted in for myusername/mypassword):

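<?php
session_start();

$error = '';
if (isset($_POST['aName']) && isset($_POST['aPassword'])) {
    // Compare the submitted credentials against the hard-coded pair.
    if ($_POST['aName'] === 'myusername' && $_POST['aPassword'] === 'mypassword') {
        // Mark this session as authenticated; later pages check this flag.
        $_SESSION['basic_is_logged_in'] = true;

        header('Location: menu.php');
        exit;
    } else {
        // Displayed further down, in the HTML part of the page.
        $error = 'Wrong username or password.';
    }
}
?>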


If the login turns out to be incorrect, an error message is printed out. This part isn't here, it's further along within the HTML portion itself. This works just fine, but every subsequent page accessed must have this type of session check so a user cannot simply bypass the login process and jump to a specified page. The check basically consists of seeing if $_SESSION['basic_is_logged_in'] is true or not. If not, the user is redirected back to the login page.

Thanks again for the help everyone.
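The per-page check described in posts #6 and #7, written once as a shared include; this is an added example, not code from the thread. The file name auth_guard.php, the login page name login.php and the function names are assumptions, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// auth_guard.php (hypothetical name). On every protected page, make these the
// very first lines, with nothing (not even a blank line) before "<?php":
//     require __DIR__ . '/auth_guard.php';
//     require_login();

const LOGIN_PAGE = 'login.php';           // assumed name of the login page
const LOGIN_FLAG = 'basic_is_logged_in';  // session key used in post #7

function start_secure_session(): void
{
    // session_start() has to send a cookie and cache headers. If any output
    // was already sent it fails ("cannot send session cache limiter"), so
    // refuse to continue instead of serving the page unprotected.
    if (headers_sent($file, $line)) {
        error_log("auth guard: output already started at $file:$line");
        exit;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params([
            'httponly' => true,                    // not readable from JavaScript
            'secure'   => !empty($_SERVER['HTTPS']), // HTTPS-only when available
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

function is_logged_in(array $session): bool
{
    // Strict comparison: only the boolean true set by the login page counts.
    return isset($session[LOGIN_FLAG]) && $session[LOGIN_FLAG] === true;
}

function require_login(): void
{
    start_secure_session();
    if (!is_logged_in($_SESSION)) {
        header('Location: ' . LOGIN_PAGE);
        exit; // without exit the rest of the page still runs and is sent
    }
}

function mark_logged_in(): void
{
    // Call from the login page after the credentials have been verified.
    start_secure_session();
    session_regenerate_id(true); // fresh session ID at login (anti-fixation)
    $_SESSION[LOGIN_FLAG] = true;
}
```

Because the guard fails closed when output has already started, a stray blank line or BOM before the opening tag shows up in the error log rather than as a page that loads without the check.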
Old 08-04-2006, 02:50 PM   #8 (permalink)
 
True Techie

Join Date: Apr 2006

Posts: 167

chrisds


That would work! Nice one.