1

I have recently started web development on my WAMP server and was trying to build a simple login page using PHP and MySQL. What I simply did was, on successful authentication, redirect the user to a new page using `header("Location: localhost/redirect.php");` in my PHP script.

redirect.php is a simple page which shows that you have successfully logged in.

What I want to ask is that I can simply go to redirect.php by typing localhost/redirect.php in my address bar. Is there any way in which only the users who have been authenticated can visit the page...just like it works on Facebook and other websites, where we cannot enter someone's profile by just typing a URL in our address bar.

yellowflash
  • 65
  • 2
  • 9

5 Answers

3

It is called URL Manipulation.

Validate the information like session in the profile page.

+ do NOT use header('Location: ...') without exit; after it. Always call exit after a redirect.

<?php
// Send the redirect, then stop executing so nothing below this line is emitted.
// Location should carry an absolute URL, so the scheme is included here.
header("Location: http://localhost/redirect.php");
exit;

Otherwise it will load the page content and then redirect. If somebody avoids the redirect, he can see the page contents there.

Mahdyfo
  • 1,155
  • 7
  • 18
  • Is it correct using `$_SESSION["authenticated"]==true` in my login page script on authentication and then checking `if ( isset($_SESSION["authenticated"]) )` in my redirect.php page script? – yellowflash Jul 12 '15 at 06:20
  • @ShivanshRai Yes exactly it's true but don't use == for assignment. Insert $_SESSION["authenticated"]=true; if the user was validated as well in login page. – Mahdyfo Jul 12 '15 at 06:23
  • Yes...it was my mistake. Thanks. – yellowflash Jul 12 '15 at 06:26
  • @ShivanshRai However, I suggest checking the session in the profile page, not redirect. _+ FYI: You can click on the tick on the left side of the question to mark it as the best answer if it helped you._ – Mahdyfo Jul 12 '15 at 06:29
  • If I check the session in my login page doesn't that mean that since there is no check for session in my redirect.php page, I can still access the page through typing localhost/redirect.php in my address bar? – yellowflash Jul 12 '15 at 06:37
  • @ShivanshRai You're redirecting the user from redirect.php to profile.php, aren't you? So if somebody types profile.php in the address bar, then with no redirection (and no session validation) he can access the info. – Mahdyfo Jul 12 '15 at 06:41
  • Thanks...that would help. – yellowflash Jul 12 '15 at 07:01
2

Well, you could create a cookie if a user was logged in successfully. (And maybe set the value to an md5 hash of the date, username and password for example, and also write that to your database so you can check later if somebody "cheated" that cookie or not.)

Then on your redirect.php you just have to look if that cookie exists (and maybe check the value against your database?).

Also, if you set your cookie's expiry value you can control whether the user should be logged in only for that session or, for example, for a full month.

I'm sorry, I have not done that before, but maybe I could help you with that idea.

Simon
  • 143
  • 7
  • Thanks. But if a user's browser does not allow cookies, does that mean he/she cannot be redirected to redirect.php on successful authentication? – yellowflash Jul 12 '15 at 06:44
  • 1
    You're welcome. Yeah I think so but maybe you can add an "Please allow this site to have cookies enabled" message, if you can check if cookies are disabled or there is just no valid cookie – Simon Jul 12 '15 at 06:47
  • You can check if cookies are enabled: http://stackoverflow.com/questions/6663859/check-if-cookies-are-enabled or you can add to your "Please login to view this content" message "Please be sure that you have cookies enabled". – Simon Jul 12 '15 at 06:53
  • Thanks...that would help. – yellowflash Jul 12 '15 at 06:58
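Simon's answer describes a persistent-login cookie whose value is also written to the database so a forged cookie can be detected. The following is an added example, not code from the answer or the question: it uses a random selector:validator token rather than a hash of the date, username and password, stores only a hash of the validator server-side, and revokes the selector when a mismatching validator is presented. The in-memory `$GLOBALS['remember_tokens']` array, the `remember` cookie name and the 30-day TTL are constructed stand-ins for the MySQL table and settings a real application would use.

```php
<?php
// remember.php: persistent "remember me" cookie backed by a server-side token table.
// Added example; the table shape and names below are assumptions, not the page's code.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600;   // one month, matching the answer's example

// Constructed stand-in for a remember_tokens table:
//   selector => ['user_id' => int, 'validator_hash' => string, 'expires' => int]
$GLOBALS['remember_tokens'] = [];

// Issue a token after a successful password login. The browser receives selector:validator;
// the database keeps only a hash of the validator, so a leaked table cannot be replayed.
function issue_remember_token(int $user_id): string
{
    $selector  = bin2hex(random_bytes(9));      // lookup key, not secret
    $validator = bin2hex(random_bytes(32));     // secret, stored server-side only as a hash
    $GLOBALS['remember_tokens'][$selector] = [
        'user_id'        => $user_id,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + REMEMBER_TTL,
    ];
    $cookie = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $cookie, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'httponly' => true,                                         // not readable by JavaScript
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    return $cookie;
}

// Validate a presented cookie and return the user id, or null if it is absent, expired or
// tampered. A known selector with a wrong validator is treated as a forgery and revoked.
function user_from_remember_cookie(?string $cookie): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $GLOBALS['remember_tokens'][$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($GLOBALS['remember_tokens'][$selector]);   // revoke on mismatch
        return null;
    }
    return $row['user_id'];
}

// Constructed self-check: a genuine cookie validates, a cookie with one altered character
// does not, and the forgery attempt revokes the genuine cookie as well.
function self_check(): bool
{
    $cookie = issue_remember_token(1);
    $ok1 = user_from_remember_cookie($cookie) === 1;
    $forged = substr($cookie, 0, -1) . ($cookie[-1] === 'a' ? 'b' : 'a');
    $ok2 = user_from_remember_cookie($forged) === null;
    $ok3 = user_from_remember_cookie($cookie) === null;   // selector revoked by the forgery
    return $ok1 && $ok2 && $ok3;
}

echo self_check() ? "remember-me token checks passed\n" : "remember-me token checks FAILED\n";
```

On a real page the login script would call `issue_remember_token()` only after the password has been verified, and `redirect.php` would call `user_from_remember_cookie($_COOKIE['remember'] ?? null)` to restore `$_SESSION['user_id']` before falling back to the login page; this file runs as a stand-alone self-check from the command line.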
1

You can make a PHP code inside the redirect.php page, and make a conditional statement:

  1. If the user is logged in, keep him in the page.
  2. If the user is not logged in, redirect him to the login page.
Guesty
  • 11
  • 2
1

You have to add this function to redirect.php

<?php
session_start(); // the session must be started before $_SESSION can be read

function logged_in(){
    // true only when the login script stored a user id in the session
    return isset($_SESSION['user_id']);
}

Then add this

if (logged_in() === false) {
    header('Location: whateverpageyouwant.php');
    exit(); // stop here so the protected content below is never sent
}
Bjørn-Roger Kringsjå
  • 9,849
  • 6
  • 36
  • 64
0

You can create a session on successful authentication and check it on the redirect.php page.

If you don't find the session on this page, then redirect the user back to the login page.

In this way you can restrict direct access to the redirect.php page.

Thanks

nana.chorage
  • 496
  • 4
  • 15
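Mahdyfo's answer and its comment thread, Bjørn-Roger Kringsjå's `logged_in()` helper and nana.chorage's answer all describe the same mechanism: set a session value when the password checks out, and have every protected page test that value and redirect (with `exit`) when it is missing. The following is an added example that puts those pieces together in one included file; it is not code from any of the answers. The in-memory user store in `find_user()`, the file name `auth.php`, and the sketched `login.php` / `redirect.php` pages in the trailing comments are assumptions standing in for the asker's MySQL table and scripts. It also regenerates the session ID on login, which none of the answers mention.

```php
<?php
// auth.php: shared helpers, included by login.php and by every protected page.
// Added example; the user store and file names are constructed assumptions.
declare(strict_types=1);

// Constructed stand-in for the MySQL users table. Assumption: the real table stores a
// password_hash() result, never the plaintext password.
function find_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

// Start the session once, with cookie flags that keep the session ID away from JavaScript
// and, on https://, off the wire in clear text (array form needs PHP 7.3+).
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Verify credentials; on success bind the user to a fresh session ID.
function login(string $username, string $password): bool
{
    start_session();
    $user = find_user($username);
    // Run password_verify even for an unknown user so the response time does not reveal
    // which of username or password was wrong.
    $hash = $user['password_hash'] ?? password_hash('dummy-for-timing', PASSWORD_DEFAULT);
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);            // new ID after login (session fixation defence)
    $_SESSION['user_id'] = $user['id'];     // the value every protected page checks
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logged_in(): bool
{
    start_session();
    return isset($_SESSION['user_id']);
}

// Call at the top of every protected page (redirect.php, profile.php, ...). The exit after
// header() is what stops the protected HTML from being sent when the user is not logged in.
function require_login(string $login_url = '/login.php'): void
{
    if (!logged_in()) {
        header('Location: ' . $login_url, true, 303);
        exit;
    }
}

function logout(): void
{
    start_session();
    $_SESSION = [];
    session_destroy();
}

// Sketch of the two pages that include this file (assumed layout, not the asker's files):
//
// login.php (handles the POSTed form):
//   require __DIR__ . '/auth.php';
//   if (login($_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       header('Location: http://localhost/redirect.php', true, 303);
//       exit;
//   }
//   echo 'Login failed';
//
// redirect.php / profile.php (anything that must not be reachable by typing the URL):
//   require __DIR__ . '/auth.php';
//   require_login();
//   echo 'You have successfully logged in.';
```

Typing localhost/redirect.php directly now reaches `require_login()` first; with no `user_id` in the session the browser is sent to the login page and the script exits before any of the page body is output, which is the check the asker's original redirect-only flow was missing.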