
Proper php login authorization

I was editing an old page and I needed to do an authorized access to that page. Right now the code is in php and basically I have set 1 username and 1 password that can bypass the sign in screen and if the authorization is successful, the login redirects me to my "secret" page.

But, if someone knows the URL to that "secret" page (for example ..../secrets/secret1.php), he can bypass the login screen. What is the best solution in that case?

I tried hiding the php extension with editing the .htaccess , but it didn't work. Also I don't want to hide the address bar entirely.

In your login page you can set the session of the current user to grant it access to the pages that need authorization.

For example if you have a log-in page like:

<?php
/*
Log-In
*/

 // Declare Username and Password
 $my_username = "admin";
 $my_password = "rootstemleaves";

 // Declare Page to Redirect
 $secret_page = "../secrets/secrets1.php";

 // Only validate once the form has actually been submitted
 if($_SERVER['REQUEST_METHOD'] === 'POST'){

  // Assume we can proceed until a check fails
  // (setting it back to 1 in an else branch would cancel an earlier failure)
  $proceed = 1;

  // Check if username is empty 
  if(empty($_POST['username'])){

   // Tell user that username is empty
   echo "You need to put a username!";
   $proceed = 0;

  }

  // Check if empty password
  if(empty($_POST['password'])){

   // Tell user that password is empty
   echo "You need to put your password";
   $proceed = 0;

  }

  // Finally Proceed if Checked to be ok
  if($proceed == 1){

   // Read the submitted values into the variables we compare
   $username = $_POST['username'];
   $password = $_POST['password'];

   // Check if username is not the same
   if($username !== $my_username){

    // Tell user that they entered the wrong username
    echo "Wrong username!";

   } else {

     // Check if password is not the same
     if($password !== $my_password){

       // Tell user that they entered the wrong password
       echo "Wrong Password";

     } else {

       // Finally redirect to page ("Location" is the HTTP redirect header)
       header("Location: $secret_page");
       exit;

     }

   }

  }

 }

?>

<!Doctype html>
<html>
 <h1>Log-In</h1>

 <form method='post'>

  <input type='text' name='username' placeholder='Username'><br>
  <input type='password' name='password' placeholder='Password'><br>
  <br>
  <button type='submit'>Submit</button>

 </form>

</html>

You can simply add session_start(); to begin a session and set the user to be logged in so they can access the secret pages if they are authorized.

So your log-in page should look more like this:

<?php
/*
Log-In
New!!!
*/

 // It is important to tell PHP to start the session at the beginning of the file
 session_start();

 // Declare Username and Password
 $my_username = "admin";
 $my_password = "rootstemleaves";

 // Declare Page to Redirect
 $secret_page = "../secrets/secrets1.php";

 // Check if the user is logged in already or not.
 if(!empty($_SESSION['logged_in'])){

   // Immediately redirect to page and stop, so nothing below is sent
   header("Location: $secret_page");
   exit;

 }

 // Only validate once the form has actually been submitted
 if($_SERVER['REQUEST_METHOD'] === 'POST'){

  // Assume we can proceed until a check fails
  // (setting it back to 1 in an else branch would cancel an earlier failure)
  $proceed = 1;

  // Check if username is empty 
  if(empty($_POST['username'])){

   // Tell user that username is empty
   echo "You need to put a username!";
   $proceed = 0;

  }

  // Check if empty password
  if(empty($_POST['password'])){

   // Tell user that password is empty
   echo "You need to put your password";
   $proceed = 0;

  }

  // Finally Proceed if Checked to be ok
  if($proceed == 1){

   // Read the submitted values into the variables we compare
   $username = $_POST['username'];
   $password = $_POST['password'];

   // Check if username is not the same
   if($username !== $my_username){

    // Tell user that they entered the wrong username
    echo "Wrong username!";

   } else {

     // Check if password is not the same
     if($password !== $my_password){

       // Tell user that they entered the wrong password
       echo "Wrong Password";

     } else {

       // Set the session !!!
       $_SESSION['logged_in'] = true;

       // Finally redirect to page ("Location" is the HTTP redirect header)
       header("Location: $secret_page");
       exit;

     }

   }

  }

 }

?>

<!Doctype html>
<html>
 <h1>Log-In</h1>

 <form method='post'>

  <input type='text' name='username' placeholder='Username'><br>
  <input type='password' name='password' placeholder='Password'><br>
  <br>
  <button type='submit'>Submit</button>

 </form>

</html>

Note that at the end of the logic, where we are going to redirect the user, we set $_SESSION['logged_in'] = true; because we will use that later to check in the pages that need authorization.

So at the top of your secret page you need to add a check that the user is logged in:

<?php
/*
Secret Page
*/

// Start the session (Important!)
session_start();

// Your Login Page
$login_page = "login.php";

// Check if user is logged in (empty() also covers the flag never being set,
// without the "undefined index" notice a direct comparison would raise)
if(empty($_SESSION['logged_in'])){

 // Redirect to Your Login Page to Prevent Unauthorized Access
 header("Location: $login_page");
 // Stop here: without exit the rest of the secret page would still be sent
 exit;

}
?>

Also if you need to logout the user, make a logout.php with the code:

<?php
/*
Log-Out
*/

// Start the Session (Important!)
session_start();

// Your Login Page
$login_page = "login.php";

// Clear the login data, then destroy the session!
$_SESSION = array();
session_destroy();

// Finally, redirect your user to the log-in page in case they wanted to log-in again
header("Location: $login_page");
exit;

?>

So in your hidden page simply add a <a href="logout.php">Logout</a> to log-out.

Make sure though that in the future you use a database to store log-in credentials and that you hash and salt your passwords (never store passwords in plain text, ever!).

Hope that helps
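The answer above sets a session flag on login and checks it on every secret page. The following is an added example, not code from the answer or from the site, showing the same flow with the pieces a hardened version needs: a hashed password instead of a plain-text one, constant-time comparison, a fresh session id on login, secure cookie flags, and an exit after every redirect. The file name auth.php, the function names, and the placeholder password hash are assumptions; the hash is meant to be pasted in from a one-off password_hash() run or read from a database.

```php
<?php
// auth.php: added example, not code from the original answer.
// Assumptions not from the page: file/function names and the placeholder hash below.

declare(strict_types=1);

const AUTH_USERNAME   = 'admin';
const AUTH_LOGIN_PAGE = 'login.php';
// Placeholder: generate once with
//   php -r 'echo password_hash("your-password", PASSWORD_DEFAULT), PHP_EOL;'
// and paste the result here (or load it from your database).
// The plain-text password itself never appears in the code.
const AUTH_PASSWORD_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';

function auth_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie unreadable by JavaScript, not sent on cross-site requests, and
    // only over HTTPS (secure is false only when the request itself is plain HTTP).
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
    session_start();
}

function auth_is_logged_in(): bool
{
    return isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true;
}

// First line of every secret page. Redirect AND exit: header() alone does not
// stop the script, so the secret HTML would still be sent to a client that
// ignores the redirect.
function require_login(): void
{
    auth_session_start();
    if (!auth_is_logged_in()) {
        header('Location: ' . AUTH_LOGIN_PAGE);
        exit;
    }
}

function auth_attempt_login(string $username, string $password): bool
{
    auth_session_start();
    // hash_equals() and password_verify() compare in constant time, so response
    // timing does not reveal how much of the username or password was right.
    $user_ok = hash_equals(AUTH_USERNAME, $username);
    $pass_ok = password_verify($password, AUTH_PASSWORD_HASH);
    if (!$user_ok || !$pass_ok) {
        return false;
    }
    // Fresh session id at the moment of login: an id the browser was given
    // before authentication (session fixation) must never become a logged-in one.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['username']  = $username;
    return true;
}

function auth_logout(): void
{
    auth_session_start();
    $_SESSION = [];
    // session_destroy() removes the server-side data; also expire the cookie
    // so the browser stops sending the old id.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// ---- login.php: how the answer's form handler uses the helpers above ----
// (in a separate file this part starts with: require 'auth.php';)
auth_session_start();
if (auth_is_logged_in()) {
    header('Location: ../secrets/secret1.php');
    exit;
}
$error = '';
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $u = (string) ($_POST['username'] ?? '');
    $p = (string) ($_POST['password'] ?? '');
    if ($u === '' || $p === '') {
        $error = 'Username and password are required.';
    } elseif (auth_attempt_login($u, $p)) {
        header('Location: ../secrets/secret1.php');
        exit;
    } else {
        // One message for both failures: separate "wrong username" and
        // "wrong password" messages confirm which half a guesser already has.
        $error = 'Wrong username or password.';
    }
}
```

The secret page then needs only require 'auth.php'; require_login(); before any HTML, and logout.php calls auth_logout() and redirects to the login page. Keeping the session cookie flags, the id regeneration and the exit after header() in one helper means every protected page gets them without repeating the logic.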

D. melnik is right, try to use PHP sessions on your pages. For example:

// empty() is safe when the key has not been set yet (no "undefined index" notice)
if (empty($_SESSION['user']))
{
 //do this
}

user is an example of a value from your db.

Always start the session in your login page:

session_start();

Hope it helps.
