登录表单和保护页面仅适用于已登录用户？

Question

I've created a login form in PHP that works ok, but I've realised my page my user is directed too can still be accessed by anybody. How do I go on protecting the pages for it to be only accessible only by those who are logged into the site?

Do I need to place a script on the success page itself?

I've tried quite a few different things, but not sure what is going on. Here is what I have so far!

checking_login.php

<?php
ob_start();
$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name=""; // Table name 

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword;
header("location: portkey.php");
}
else {
echo "Wrong Username or Password. ";
}
ob_end_flush();
?>

Here is the page part of where I was talking about redirecting the page too. (Its still public to everyone).

<?php
session_start();
$host=""; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name=""; // Database name 
$tbl_name="members"; // Table name 

    session_start();
    if(!isset($_SESSION['myusername'])) {
        header("location:login.php");
    }
?>

Login is the page with the form. The table/users.

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1">
<tr>
<form name="form1" method="post" action="checking.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1">
<tr>
</tr>
<tr>
<td width="78">Username</td>
<td width="0">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="text" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

Answer 1

You need to check if username isset:

if(!isset($_SESSION['username'])) {
        header("location:login.php");
    }

Also, you are calling session_start(); twice. The second call will however be ignored.

Tip : Instead of storing the username and password, you should be storing the user id in the session.

Answer 2

You don't start the session on checking_login.php . Change your code to:

session_start();
$_SESSION['username'] = $myusername;
$_SESSION['password'] = $mypassword;

You don't need to start the session twice on the protected page. Remove the session_start(); above the if statement.

In addition... on your protected page, you're checking for a session that doesn't exist! Change if(!isset($_SESSION['myusername'])) { to if(!isset($_SESSION['username'])) {

Answer 3

The reason your members-only page is still visible and accessible by anyone is, because you have not correctly checked, if there is a user session set.

To make your code work, you need to change you conditional statement from:

if(!isset($_SESSION['myusername'])) {
    header("location:login.php");
}

to:

if(!isset($_SESSION['username'])) {
    header("location: login.php");
}

because myusername is is not the variable you stored into your session.

Quoting your setting of the $_SESSION :

$_SESSION['username'] = $myusername;

When you set your $_SESSION you used username and not myusername . Be sure to stick to that when checking if $_SESSION is set.

In order for your page to work as you desire you must use the following format:

<?php session_start(); ?>
<!DOCTYPE html>
<html>
    <head></head>
    <body>
        <?php
            // Check if user session is set. If it is redirect to login.php.
            if(!isset($_SESSION['username'])):
                header("location: login.php");

            // If it is not set show the your login form.
            else:
        ?>

        <!--Your HTML code for the form.-->

        <?php
            endif;
        ?>
    </body>
</html>

In case your login form is in another page, then you can redirect again by changing the else part as shown:

// If it is not set show the your login form.
else:
    header("location: loginform.php"); // The name of the file
endif;

Answer 4

If you have a global header.php file, then in that check if the $_SESSION['username'] is set. If it is, set $logged_in = true , and if it's not, set $logged_in = false . It's what I use for my website. If you don't use header.php , then in the page check for $_SESSION['username'] . For both, if $looged_in = true or isset($_SESSION['username']) , then DON'T redirect. but if $logged_in = false or !isset($_SESSION['username']) then you redirect them. You could also set a $_SESSION['logged_in'] variable.

some code to help.

header('location: page.php'); // REDIRECT VIA PHP

// IF YOU HAVE header.php
if(isset($_SESSION['username'])) $logged_in = true; // IN herder.php
else $logged_in = false; // IN herder.php

if($logged_in != true) header('location: login.php') // IN USERS ONLY PAGE

// IF YOU DON'T HAVE header.php

// OPTION 1
if(!isset($_SESSION['username'])) header('location: login.php'); // IN USERS ONLY PAGE

// OPTION 2
$_SESSION['logged_in'] = true; // WHEN THE USER HAS LOGGED IN

if($_SESSION['logged_in'] != true) header('location: login.php'); // IN USERS ONLY PAGE