TalkPHP
 
 
10-21-2008, 10:33 AM   #1
Hudson:
Securing area of site

Hello all, hope everyone is well.

I need to password protect an area of my site which contains multiple pages.

I've sorted out the log in system without problem, but I now need to think about how to check to see if a user has logged in.

For example, I don't want people to be able to go directly to www.mysite.com/secretarea/apage.html so I'm guessing I'd need something in each page of the secret area which checks to see if the user has come via the log in, or simply navigated straight there. If it's the latter, I need to kick them back to the log in form.

Does that all make sense? I'm sure this is a real n00b question, but I could do with a pointer in the right direction.

Thanks muchly all
10-21-2008, 12:29 PM   #2
EyeDentify:

Simple Check for a logged in session:

<?php
session_start(); // the session must be started before $_SESSION can be read

if (isset($_SESSION['user_name']))
{
    // Don't perform any action because a logged-in session is detected
} else {
    // Send the snooping people who have not logged in back to the front page
    header("Location: index.php");
    exit;
}
?>
__________________
Of course the whole point of a doomsday machine, would have been lost if you keep it a secret.
10-21-2008, 01:00 PM   #3
Hudson:

Ah, I thought I might need to do something with sessions. It's not an area I've looked into much before, but you've definitely started me off in the right direction.

Many thanks.
10-21-2008, 09:30 PM   #4
Wildhoney:

We do have a good article on sessions. Well, I say good. I wrote it so I may be being a little conceited!
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
10-22-2008, 08:32 AM   #5
EyeDentify:

@Hudson

I'm just glad I could help. I know when I myself started venturing out into logged-in areas of websites and secure things that SESSIONS at first seemed a little scary.

And Wildhoney's article is a good read. I recommend it. :)

Ciao.
10-22-2008, 08:38 AM   #6
Hudson:

Yeah, it's an area I've been meaning to get into for a while, but I've never had a "real life" project that needed it (until now).

I'm reading through that article right now. Very useful for a novice such as myself.

One question - can you check to see if multiple parts of the session have been set?

For example...

PHP Code:
<?php
session_start();

// Check the session to see if it has been set
if (isset($_SESSION['sess_userName']) &&
    isset($_SESSION['sess_passWord']) &&
    isset($_SESSION['sess_niceName']) &&
    isset($_SESSION['sess_sessionId'])) {
    // Do not need to do anything as the user is logged in
} else {
    header("Location: ../index2.php"); // Redirect to the log in if the session is not set
    exit;
}
?>
When someone logs in it works fine, but when I destroy the session and try to navigate back to the secret area, it doesn't bounce me to ../index2.php (as it should do), but instead just displays a blank page.
10-22-2008, 08:42 AM   #7
EyeDentify:

Yes you can. But then all the variables that are tied together with AND would have to be SET too, so that the first part of the IF clause becomes TRUE.

If all else fails. Trial and Error you know :)
10-22-2008, 08:45 AM   #8
EyeDentify:

If it does not bounce you back then some SESSION variables still are set.

Use this code somewhere to echo out the session array:

<?PHP

echo('<pre>');
print_r($_SESSION);
echo('</pre>');

?>
10-22-2008, 08:47 AM   #9
EyeDentify:

And I forgot.

You should not put your users' password in a SESSION variable unless you have a very strong reason and a way to encrypt it, so that if it ends up in someone else's hands they have no use for it.
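Pulling posts #2, #6 and #9 together: the following is an added example, not code from the thread, showing login, the per-page guard and logout as one set of functions. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params); the page names login.php and logout.php and the in-memory user store are constructed for the example. Only the user id is stored in the session, never the password, and every redirect is followed by exit so the protected page body is never sent.

```php
<?php
// Added example, not code from the thread. One file holding the login,
// guard and logout logic so the pieces can be read together; page names
// (login.php, logout.php, the restricted area) are assumptions.
declare(strict_types=1);

// Start the session with a hardened cookie. Needs PHP 7.3+ for the array form.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,                      // not readable from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']), // TLS-only when the site runs over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed user store. A real site stores the hash at registration time;
// it is computed here only so the example runs without a database.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'hudson' => ['id' => 1, 'hash' => password_hash('example-password', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

// login.php calls this with the posted form fields. Only the user id goes
// into the session; the password is never stored (post #9).
function login(string $username, string $password): bool
{
    secure_session_start();
    $user = find_user($username);
    // Verify against a dummy hash when the user is unknown so that a wrong
    // username and a wrong password take the same time to reject.
    $hash = $user['hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    if ($user === null || !$ok) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after login defeats session fixation
    $_SESSION['user_id']      = $user['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

// First statement of every page in the restricted area, before any HTML.
function require_login(string $login_url = '/login.php'): void
{
    secure_session_start();
    if (isset($_SESSION['user_id']) && is_int($_SESSION['user_id'])) {
        return;                    // logged in: let the page render
    }
    header('Location: ' . $login_url, true, 303);
    exit;                          // without exit the protected body is still sent
}

// logout.php: empty the array, drop the cookie, destroy the server-side data.
function logout(): void
{
    secure_session_start();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Call require_login() as the very first statement of each page in the secret area. Checking one key that only a successful login ever sets is enough; the four-way isset in post #6 is not wrong, it just adds nothing once login() is the only code that writes user_id. Emptying $_SESSION in logout() (rather than unsetting single keys) is what makes post #8's print_r($_SESSION) come out empty afterwards.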
10-22-2008, 08:51 AM   #10
Hudson:

Mmmmm, session variables are all set correctly, changed it so I'm only checking the $_SESSION['sess_sessionId'] variable and when I output the session variables, it's coming out OK.

Still won't bounce back to ../index2.php. Very odd. I'll dig a little deeper.

I'll remove the password session variable as well.

Cheers for all the help. Much appreciated
10-22-2008, 01:53 PM   #11
Hudson:

Argh, this is getting annoying now.

I'm trying to bounce users back to ../index2.php if they come to the secure area without logging in

At the top of my .com/secure/index.php file I've got an include that pulls in the following file to check if a user is authorised

PHP Code:
<?php
session_start();

ini_set('display_errors', 1);
error_reporting(E_ALL & ~E_NOTICE);

// Check the session to see if it's been set
if (isset($_SESSION['sess_userName'])) {
    // Don't do anything cos the user has logged in.
} else {
    header("Location: ../index2.php");
    exit;
}
?>
I'm getting an error which says (obviously with certain info edited out):

Quote:
Warning: Cannot modify header information - headers already sent by (output started at /***/***/***/***/***/***.com/***/***/secure/index.php:1) in /***/***/***/***/***/***.com/***/***/includefolder/checkauth.php.inc on line 11
Now then, a quick Google of this error reveals that it's usually caused by content (either real content or whitespace) being sent to the browser before the header() function.

However, I'm calling this include at the very start of the secure/index.php page like this

HTML Code:
<?php include("../includefolder/checkauth.php.inc"); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
So as far as I can see there's no whitespace in there. I've also removed any whitespace from the checkauth.php.inc file without any luck.

I've spent the best part of the day trying to sort this, and I can't figure it out for the life of me.

Any help would be appreciated. Ta.
10-22-2008, 02:30 PM   #12
EyeDentify:

try putting this at the very top of your PHP:

<?PHP
ob_start();
?>

And put:

<?PHP
ob_end_flush();
?>

At the very bottom of your PHP page.

It's a way to get around the error.

To get an idea about why the error happens. check this link:
PHP: header - Manual

Hope it helps.

/Eye.
10-22-2008, 02:37 PM   #13
Hudson:

Mmm, tried output buffering with no joy (forgot to mention that in my previous post - sorry).

I've checked the session variables, and it's nothing to do with them (they're all being created fine, and all destroyed when the user logs out). However, after logging out (which destroys the session variables) and going to .com/secure I get a blank page (or the error if error reporting is turned on) instead of being bounced to the ../index2.php page.
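The warning in post #11 says output started at line 1 of secure/index.php, although the include is the first thing on that line, and post #13 reports that output buffering did not help. As an added example (not code from the thread), the scanner below checks a file for the two things that produce exactly that report: a UTF-8 byte-order mark that an editor wrote in front of `<?php`, which PHP sends as three bytes of output, and anything after the closing `?>`. The second function shows how to find out at run time which file emitted output instead of getting the blank page described in post #13 (a failed header() followed by exit renders nothing at all). The sample files are constructed; the file names are assumptions.

```php
<?php
// Added example, not code from the thread. Diagnoses the
// "Cannot modify header information - headers already sent" failure.
declare(strict_types=1);

// Static check: report anything in a PHP file that becomes output before
// header() can run. Returns a list of problem strings (empty means clean).
function find_stray_output(string $path): array
{
    $src = file_get_contents($path);
    if ($src === false) {
        return ["$path: cannot read file"];
    }
    $problems = [];

    // A UTF-8 BOM is invisible in most editors but PHP emits it as output;
    // this is the usual cause of "output started at file:1".
    if (strncmp($src, "\xEF\xBB\xBF", 3) === 0) {
        $problems[] = "$path:1: UTF-8 byte-order mark before <?php";
        $src = substr($src, 3);
    }

    // Anything before the opening tag, even a single blank line, is output.
    if (strpos($src, '<?php') !== 0) {
        $problems[] = "$path:1: text or whitespace before the opening <?php tag";
    }

    // PHP swallows exactly one newline after "?>"; everything else is sent.
    // (Uses the last "?>" in the file, so a "?>" inside a string would confuse it.)
    $end = strrpos($src, '?>');
    if ($end !== false) {
        $tail = substr($src, $end + 2);
        if ($tail !== '' && $tail !== "\n" && $tail !== "\r\n") {
            $problems[] = "$path: " . strlen($tail) . " byte(s) of output after the closing ?> tag";
        }
    }
    return $problems;
}

// Run-time check: before redirecting, ask PHP whether output has already
// started and, if so, log exactly where instead of failing silently.
function redirect_or_explain(string $url): void
{
    if (headers_sent($file, $line)) {
        error_log("redirect to $url impossible: output started at $file:$line");
        // Still stop the protected page from rendering; offer a link instead.
        echo '<p><a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Please log in</a></p>';
        exit;
    }
    header('Location: ' . $url, true, 303);
    exit;
}

// Constructed sample files so the scanner can be tried from the command line.
if (PHP_SAPI === 'cli') {
    $clean = tempnam(sys_get_temp_dir(), 'clean');
    file_put_contents($clean, "<?php\nsession_start();\n");                   // no closing tag at all
    $dirty = tempnam(sys_get_temp_dir(), 'dirty');
    file_put_contents($dirty, "\xEF\xBB\xBF<?php\nsession_start();\n?>\n\n"); // BOM + blank line after ?>
    foreach ([$clean => 'clean', $dirty => 'dirty'] as $file => $label) {
        echo "$label: ", json_encode(find_stray_output($file)), "\n";
        unlink($file);
    }
}
```

Run it with `php` on the command line and point find_stray_output() at checkauth.php.inc and secure/index.php; the clean sample returns an empty array, the dirty one reports the BOM and the two stray bytes. Two habits remove the whole class of error: save include files as UTF-8 without BOM, and leave the closing `?>` off files that contain only PHP, so trailing whitespace cannot become output. Separately, keep include files outside the document root, or make sure the server never serves them raw: a file reachable by URL with an extension the server does not hand to PHP is returned as plain text.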
10-22-2008, 06:04 PM   #14
xenon:

...you could also go with a .htaccess password protection...

.htaccess authentication - Google Search
__________________
I have optimistic thoughts, even though sometimes (if not always) life's a bitch.
10-23-2008, 06:35 AM   #15
Hudson:

I initially thought of using htaccess, but they want a login area as part of the design, rather than an alert appearing when you try to go to .com/secure

AFAIK you can't tie a <form> into htaccess (although someone feel free to correct me if I'm wrong)
10-23-2008, 02:25 PM   #16
Hudson:

I've decided to go a different route.

Instead of sending users to the index page when they try and log in without a username/password, I'm now sending them to a page which tells them the area they're trying to get into is restricted and they need to log in.

On reflection, I think that's probably better from a usability point of view - makes it obvious to the user that they've done something they're not allowed to do, rather than just loading a normal page which looks similar to the secure area.

Thanks for all the help though guys and gals. I've learnt so much about PHP this week. Feels rather good.
__________________
www.veryconscious.com