
How to implement a “Log In First To Access Webpage”?

Basically I have certain pages on my website which I only want to show if the user is logged in. However my only idea is to do it with Bootstrap and say in PHP that if the user is logged in the class should be show (to show the content), otherwise hide... but I do not believe this is a good way to do it. (show and hide are classes from Bootstrap)

Basically I am working with an API so the only possibility to view content is anyway to log in, however I still want to say "Log In First To see Your Data" instead of only showing an empty page without anything.

Can you give me some ideas please?

I thought about something like this:

<?php echo $isLoggedIn ? "Welcome, ". $user['first'] : "LOG IN FIRST"; ?>

I can't really say I like any of the answers here, so I feel the need to offer my own.

I see in your comments that you have a way to check if someone is logged in. Because of this, you already have the basic groundwork laid out. Really the code you posted is the basic idea of what you should do. After all, programming is based on true/false logic. However, quite obviously a ternary operator is not the best way to handle this.

There are many ways your situation could be handled, but here is how I would do it:

<?php
/* ... your check if the user is logged in, includes, etc. */

// Request that the client disable caching:
header("Cache-control: no-store, no-cache, must-revalidate");
header("Expires: " . gmdate("D, d M Y H:i:s", (time() + 2)) . " GMT");
header("Date: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Pragma: no-cache");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

// Check if the user is allowed to access the content:
if( false == $isLoggedIn ){
    // the user is not logged in and no private data should be shown
    header("Location: /login.php?error=" . urlencode("You must login to access the content."),
           true, // override any previously set Location header
           302 // inform the client/browser that this redirect is temporary and should not be cached as a permanent action
          );
    die("You must login <a href='/login.php?error=" . urlencode("You must login to access the content.") . "'>here</a>.");
}

// If the script is executing at this point, we know the user is logged in.

/* ... Your code for handling the API ... */

?>

The important key here is the die() function. This function prevents the script from executing any further. In a way, you could think of this like the return statement of a function. If a function has a return statement executed within it, any code following that return statement will not execute. It's the same principle here. If the user is not allowed to be in that spot, you send back some information about the error (in this case, a redirect and short message) and then you terminate all further execution. Otherwise, neither the redirect nor the termination occurs.

This all said, it is important that you do NOT just use show and hide to handle unauthorized access attempts. I have pentested a few websites before (primarily for a friend of mine) and this is similar to what he was doing. In his case, he had an admin page that only admins were supposed to be able to access. If a user accessed that page without admin permission, he sent a 302 redirect back to the login page where he displayed an error message saying the user did not have sufficient privileges to access the admin page. However, much like simply using show and hide, he still sent back the admin control panel within the page's body, but because of the redirect to the login page, the admin panel would not be visible to an unauthorized user.

Setting show and hide to handle this kind of problem is much like redirecting the user, but still sending back the content he/she wants. Using Charles Proxy, I could rewrite his 302 redirect to a 200 OK and then see the entire admin panel. If you use show and hide, the unauthorized user can just look at the HTML source and still see everything they are not supposed to see.

This is why you must call die() or exit() when a user tries to access a page without proper authentication.

As an additional note: you do not have to redirect the user to a login or error page, just so long as you call die(<some message telling them they must log in>);. My example redirects simply because of my personal preference.

Since you are using php, follow these steps:

  • Create a registration form
  • Save the username and password in session
  • Then redirect the user to login form
  • Now user can login using his credentials. When logged in, store a value in session.
  • By using this identifier, make your user logged in forever.
  • When logging out, clear the session value and redirect to logout page.

Go through this link: Simple Login Application using PHP

Put the following at the top of any page that you want to restrict to logged-in members:

<?php
session_start();
include_once "logd_user.php";
?>

Create the logd_user.php file

In the logd_user.php file you can create a variable to hold the username and password (that is if you want all users to log in with the same username and password, else store the username and password in MySQL database table).

In case the user is not logged in, it should display "Log in first to see your data" and a form for the user to log in.

Work on the logd_user.php file and let me see what you can come up with.

I may give you the full code
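An added example (not code from the question or from either of the answers above) that combines the two patterns: an include placed at the top of every protected page, like the logd_user.php file described here, which applies the header-then-die() rule from the earlier answer, and answers a JSON-speaking API client with 401 instead of a redirect. The file name auth_guard.php, the session key user_id and the login.php parameters are assumptions; it needs PHP 8 for str_starts_with/str_contains.

```php
<?php
// auth_guard.php (hypothetical name): include at the top of every protected page.
// Added example, not code from the question or any answer on this page.
declare(strict_types=1);

session_start();

// True when the session carries an authenticated user id.
// Assumption: the login handler sets $_SESSION['user_id'] (an int) on success.
function is_logged_in(): bool
{
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

// Stops the script unless the user is logged in.
// Browser requests get a 302 to the login form carrying the message the asker wants;
// JSON/API requests get a 401 with a JSON body. In both cases exit follows the
// headers, so no protected markup is ever written to the response body.
function require_login(bool $wantsJson = false): void
{
    if (is_logged_in()) {
        return;
    }
    header('Cache-Control: no-store');      // keep the error response out of caches
    if ($wantsJson) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Log in first to see your data']);
        exit;
    }
    // Remember where the user wanted to go, but only accept an on-site path
    // so the login page cannot be turned into an open redirect.
    $next = $_SERVER['REQUEST_URI'] ?? '/';
    if (!str_starts_with($next, '/') || str_starts_with($next, '//')) {
        $next = '/';
    }
    header('Location: /login.php?error=' . urlencode('Log in first to see your data')
         . '&next=' . urlencode($next), true, 302);
    exit; // the essential part: never fall through to the protected content
}

$wantsJson = str_contains($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json');
require_login($wantsJson);
// Everything below this line (and in the including page) runs only for authenticated users.
```

A quick check that the guard is wired correctly: request a protected page without a session cookie and confirm that the body of the 302 (or 401) response contains none of the protected markup, since that is exactly what the proxy-rewrite in the earlier answer exposes.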

Very simple, but I need to see some code, for example if ($loggedin == TRUE) { show the page } else { don't show the page }
