I have a website assignment for my class and I ran into some trouble. When users access a protected page using the direct link they're able to access it still. But if they were to login to the homepage with incorrect credentials it won't direct them to the protected page. How do I protect my webpage from direct link access?
The index page is the login page and when people log in it will authenticate and direct to the protected_page.php but if I were to type into a web browser: http://localhost/protected_page.php it will still direct me through. How do I block that or redirect?
If it helps I can post some of the source code...
<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
if (login_check($mysqli) == true) {
$logged = 'in';
} else {
$logged = 'out';
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type" content="text/html;charset=ISO-8859-1" />
<link rel="stylesheet" href="style.css" type="text/css" />
<title>Login</title>
<script type="text/JavaScript" src="js/sha512.js"></script>
<script type="text/JavaScript" src="js/forms.js"></script>
</head>
<body>
<?php
if (isset($_GET['error'])) {
echo '<p class="error">Error Logging In!</p>';
}
?>
<form action="includes/process_login.php" method="post" name="login_form">
<p>Usuario:</p>
<p>
<input type="text" name="email" />
</p>
<p>Contrasena:</p>
<p>
<input type="password"
name="password"
id="password"/>
<input type="button"
value="Aceptar"
onclick="formhash(this.form, this.form.password);" />
</p>
</form>
<?php
if (login_check($mysqli) == true) {
echo '<p>Currently logged ' . $logged . ' as ' . htmlentities($_SESSION['username']) . '.</p>';
echo '<p>Do you want to change user? <a href="includes/logout.php">Log out</a>.</p>';
} else {
echo '<p>Currently logged ' . $logged . '.</p>';
echo "<p>If you don't have a login, please <a href='register.php'>register</a></p>";
}
?>
That's the index.php
Here is protected_page.php
<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
?>
<?php if (login_check($mysqli) == true) : ?>
</h2>
<p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
<p>Return to <a href="index.php">login page</a></p>
<?php else : ?>
<p> <span class="error">You are not authorized to access this page.</span> Please <a href="index.php">login</a>. </p>
<?php endif; ?>
<br />
I only focused on protected_page.php since you don't want it to be accessed using a direct link.
The code that I added above is:
It means that if $_SESSION['username'] is not set then it will redirect to index.php (that's the job of header("Location: index.php")). By the way, $_SESSION['username'] will ONLY be set if someone logged in.
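The redirect guard described in the answer above, written out as an added example (not code from the question or the answer). It assumes the helpers already used on this page, sec_session_start() and login_check($mysqli) from includes/functions.php, and is meant to be included as the very first line of protected_page.php, before any HTML is emitted.

```php
<?php
// includes/require_login.php (hypothetical file name): session guard for
// protected pages. Include it before any output; header() only works if
// nothing has been sent to the browser yet.
include_once 'includes/db_connect.php';   // provides $mysqli (page's own file)
include_once 'includes/functions.php';    // provides sec_session_start, login_check

function require_login(mysqli $mysqli, string $login_url = 'index.php'): void
{
    sec_session_start();

    if (login_check($mysqli) === true) {
        return; // authenticated: let the protected page continue rendering
    }

    if (headers_sent()) {
        // Output already started (e.g. a stray byte before <?php), so a
        // Location header cannot be sent. Fail closed instead of rendering
        // the protected content underneath an error message.
        exit('Not authorized. <a href="'
            . htmlspecialchars($login_url, ENT_QUOTES, 'UTF-8')
            . '">Log in</a>');
    }

    // Send a 302 to the login page, then stop. The exit matters: without it
    // PHP keeps executing and the protected HTML is still sent after the
    // Location header, which a client that ignores redirects can read.
    header('Location: ' . $login_url, true, 302);
    exit;
}

// Usage at the top of protected_page.php:
//   <?php require_once 'includes/require_login.php'; require_login($mysqli); ?>
//   <!DOCTYPE html> ... (protected content follows)
```

Checking login_check() rather than only isset($_SESSION['username']) keeps the guard consistent with the rest of the page's code, which ties the session to the login record in the database.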