Koray Ballı - 5 months ago
PHP Question

Redirecting & Requesting Login to Protect Directly Written Url

Currently I have been trying to create a very simple login page. But I want to go a bit further with it.

I'm working locally.
Let's say we have an index.php and a login.php page.
When I write localhost:8080/index.php in the URL bar, I'm able to view this page. But I want it to require a login in order to redirect to the index.php page.

Here is the login.php code. I have no idea how I am supposed to redirect it when the URL was entered:

<html>
<head></head>
<body>
<form method="post" name="login" action="">
<table align=center>
<tr>
<td><input type="text" name="username" placeholder="Username"></td>
</tr>
<tr>
<td><input type="text" name="password" placeholder="Password"></td>
</tr>
<tr>
<td><input type="submit" name="submit" value="Login"></td>
</tr>
</table>
</form>

<?php
if (isset($_POST['submit']))
{
    $username = "admin";
    $password = "admin";
    $uUsername = $_POST['username']; // the username which the user will enter
    $uPassword = $_POST['password']; // the password which the user will enter

    if ($username != $uUsername || $password != $uPassword)
    {
        echo 'Incorrect username or password.Please try again';
    }
    else
    {
        header("refresh:0; url=deneme.php");
    }
}
?>

Answer

First off, before anything outputs to the browser, you need to check if the user is authenticated or not, since header() must be called before any output. I would use sessions for this.

At the top of every file that requires an authenticated user (except the login page), I would add this:

<?php
session_start();
if (!isset($_SESSION['authenticated'])) {
    // The user isn't authenticated, let's redirect the user to the login page
    header('location: login.php'); // Change 'login.php' to the correct page/url to the login page.
    exit; // Important to stop the script-execution after a header location.
}

This will redirect the user to the login page if the session isn't set (the user isn't authenticated).

On the login page, I would move the authenticate script to the top of the file (before <html>), and change it like this:

<?php
$errorMessage = null;

if (isset($_POST['submit'])) {
    $username  = "admin";
    $password  = "admin";
    $uUsername = $_POST['username'];
    $uPassword = $_POST['password'];

    if  ( $username != $uUsername || $password != $uPassword ) {
        $errorMessage = 'Incorrect username or password. Please try again';
    } else {
        // Start the session and set authenticated as true.
        session_start();
        $_SESSION['authenticated'] = true;
        header('location: index.php'); // Again, change 'index.php' to the correct file/url
        exit;
    }
}
?>
<html>
....// the rest of the login form

Further down in the form, you can check if $errorMessage isn't null and then show the error message.

The code for the authentication check should be moved to a separate file which you include in every file instead of hard coding in every file.
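
An added example, not part of the original answer: the separate include file described above, combined with a login check that verifies a password hash and issues a fresh session ID on login instead of comparing against hard-coded plaintext. The file name `auth.php`, the function names, the `$users` array and the `username` session key are assumptions made for illustration.

```php
<?php
// auth.php: hypothetical include file; all names here are illustrative assumptions.
// The array form of session_set_cookie_params() needs PHP 7.3 or later.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started earlier in this request
    }
    session_set_cookie_params([
        'httponly' => true,  // cookie is not readable from JavaScript
        'samesite' => 'Lax', // cookie is not sent on cross-site POSTs
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
    session_start();
}

// Call before any output at the top of every protected page (index.php, ...).
function require_login(string $loginUrl = 'login.php'): void
{
    start_secure_session();
    if (empty($_SESSION['authenticated'])) {
        header('Location: ' . $loginUrl);
        exit; // without this the protected page would still be rendered
    }
}

// $users maps username => hash produced by password_hash($pw, PASSWORD_DEFAULT).
function attempt_login(array $users, $username, $password): bool
{
    // Reject missing fields and array input such as username[]=x.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    start_secure_session();
    session_regenerate_id(true); // new session ID on login prevents session fixation
    $_SESSION['authenticated'] = true;
    $_SESSION['username'] = $username;
    return true;
}

// In login.php, before <html> ($users loaded from your own config, an assumption):
//   require 'auth.php';
//   if (isset($_POST['submit'])
//       && attempt_login($users, $_POST['username'] ?? null, $_POST['password'] ?? null)) {
//       header('Location: index.php'); exit;
//   }
```

Protected pages then need only `require 'auth.php'; require_login();` as their first lines.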
