Users are able to access a protected page using the direct link. How do I create a redirect?


I have a website assignment for my class and I ran into some trouble. When users access a protected page using the direct link, they're still able to access it. But if they were to log in on the homepage with incorrect credentials, it won't direct them to the protected page. How do I protect my webpage from direct link access?

The index page is the login page, and when people log in it will authenticate and direct to protected_page.php, but if I were to type into a web browser: http://localhost/protected_page.php it will still let me through. How do I block that or redirect?

If it helps, I can post some of the source code...

<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

sec_session_start();

if (login_check($mysqli) == true) {
    $logged = 'in';
} else {
    $logged = 'out';
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html;charset=ISO-8859-1" />
<link rel="stylesheet" href="style.css" type="text/css" />
<title>Login</title>
<script type="text/JavaScript" src="js/sha512.js"></script>
<script type="text/JavaScript" src="js/forms.js"></script>
</head>
<body>
<?php
if (isset($_GET['error'])) {
    echo '<p class="error">Error Logging In!</p>';
}
?>
<form action="includes/process_login.php" method="post" name="login_form">
    <p>Usuario:</p>
    <p>
        <input type="text" name="email" />
    </p>
    <p>Contrasena:</p>
    <p>
        <input type="password" name="password" id="password" />
        <input type="button" value="Aceptar" onclick="formhash(this.form, this.form.password);" />
    </p>
</form>
<?php
// (a stray "<?" short open tag sat here in the original; it has been removed)
if (login_check($mysqli) == true) {
    echo '<p>Currently logged ' . $logged . ' as ' . htmlentities($_SESSION['username']) . '.</p>';
    echo '<p>Do you want to change user? <a href="includes/logout.php">Log out</a>.</p>';
} else {
    echo '<p>Currently logged ' . $logged . '.</p>';
    echo "<p>If you don't have a login, please <a href='register.php'>register</a></p>";
}
?>
</body>
</html>

That's the index.php

Here is protected_page.php

<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

sec_session_start();
?>
<?php if (login_check($mysqli) == true) : ?>
    <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
    <p>Return to <a href="index.php">login page</a></p>
<?php else : ?>
    <p><span class="error">You are not authorized to access this page.</span> Please <a href="index.php">login</a>.</p>
<?php endif; ?>
<br />

There are 3 answers

2
Gene On BEST ANSWER

I only focused on protected_page.php since you don't want it to be accessed using direct link.

<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

sec_session_start();

if(!isset($_SESSION['username'])) {
   header("Location: index.php");
   exit; // stop here, otherwise the rest of the page is still executed and sent with the redirect
}
?>
<?php if (login_check($mysqli) == true) : ?>
    <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
    <p>Return to <a href="index.php">login page</a></p>
<?php else : ?>
    <p><span class="error">You are not authorized to access this page.</span> Please <a href="index.php">login</a>.</p>
<?php endif; ?>
<br />

The code that I added above is:

if(!isset($_SESSION['username'])) {
   header("Location: index.php");
   exit; // stop here, otherwise the rest of the page is still executed and sent with the redirect
}

It means that if $_SESSION['username'] is not set then it will redirect to index.php (that's the job of header("Location: index.php")). By the way, $_SESSION['username'] will ONLY be set if someone logged in.
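A fuller version of the same guard, added here as an example and not taken from the question or any answer: it wraps the check in a reusable function, stops execution after the redirect, and marks the page uncacheable. It assumes includes/db_connect.php defines $mysqli and includes/functions.php defines sec_session_start() and login_check($mysqli), as used in the question.

```php
<?php
// Added example (not from the question or answers). Assumes the tutorial's
// includes: $mysqli from db_connect.php, sec_session_start() and
// login_check($mysqli) from functions.php.
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

/**
 * Stop the request unless the visitor has a valid login session.
 * Must run before ANY output (not even a blank line outside <?php ?>),
 * otherwise header() fails with "headers already sent" and the page
 * renders anyway.
 */
function require_login(mysqli $mysqli, string $login_page = 'index.php'): void
{
    sec_session_start();

    if (login_check($mysqli) === true) {
        // Tell browsers and proxies not to cache the protected page, so the
        // Back button after logout does not show stale protected content.
        header('Cache-Control: no-store, no-cache, must-revalidate');
        header('Pragma: no-cache');
        return;
    }

    // Drop any stale or inconsistent session data before redirecting.
    $_SESSION = [];
    session_destroy();

    // 303 makes the browser issue a GET to the login page even if the
    // original request was a POST.
    header('Location: ' . $login_page, true, 303);

    // Without exit the rest of this file would still execute and be sent
    // in the response body alongside the redirect header.
    exit;
}

require_login($mysqli);
?>
<p>Welcome <?php echo htmlentities($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?>!</p>
<p>Return to <a href="index.php">login page</a></p>
```

Everything after require_login() only runs for a logged-in visitor; a direct request to the page without a valid session gets the 303 and an empty body.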

0
nonamorando On

Check the $_SESSION variable and if it's not valid (or however you defined a valid session) then use the method below.

The header() method available in PHP allows you to redirect a user:

<?php
header("Location: http://www.yourRedirect.com/"); /* Redirect browser */

/* Make sure that code below does not get executed when we redirect. */
exit;
?>

So in your case,

<?php if (login_check($mysqli)) : ?>
    <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
    <p>Return to <a href="index.php">login page</a></p>
<?php else : ?>
    <?php
    // must run before any output is sent; exit so the page stops here
    header("Location: errorPageLocation");
    exit;
    ?>
<?php endif; ?>
<br />
2
AudioBubble On

You should use a session identifier.

if (login_check($mysqli) == true) {
    $_SESSION['logged_in'] = 'logged_in';
}

then in protected_page.php

if (isset($_SESSION['logged_in'])) {
    // PHP tags inside a string are not evaluated, so build the markup with concatenation
    echo '<p>Welcome ' . htmlentities($_SESSION['logged_in'], ENT_QUOTES, 'UTF-8') . '!</p>';
    echo '<p>Return to <a href="index.php">login page</a></p>';
} else {
    // redirect the user
    header('Location: index.php');
    exit();
}