Hi, I am using a PHP session for a basic login without encryption for my site. I want to prevent a user from directly accessing a PHP page by typing the URL when he/she is not signed in. But this is not happening. I am using session_start(), initializing session variables and also unsetting and destroying the session during logout. Also, if I type the link in a different browser the page is getting displayed. I am not very well versed with PHP, only a beginner. I googled for this problem and found a few alternatives such as keeping all files in a separate folder from the web root, using .htaccess etc. Can someone explain in simple terms what could be a good solution? Thanks in advance.

+3  A: 

There are lots of solutions, but basically you need to generate the page only if the session is valid. If not valid, shunt user to a non-access display. If you have this and it seems not to work, perhaps you should post some code.

See:

http://www.astahost.com/info.php/simple-user-validation-script_t14857.html

http://www.puremango.co.uk/2004/12/php_pass_81

Smandoli
Does it mean I have to check for valid session at the beginning of every page?
aeonsleo
Yes. But depending on your scheme, you may also check a session variable. So you might be validating the user's access, which is not the same as checking for the session validity. I'm not sure it's generally the practice to use session-is-valid as your criterion. An invalid session means certainly you'll block access, but a valid session might offer variables for your authorization.
Smandoli
Sorry the above comment is not clear. I believe the links may be helpful, though!
Smandoli
Make a session variable, $valid. Start it out as FALSE. When login succeeds, make it TRUE. Upon logout, FALSE. Use this as your criteria at top of every page. There are some security considerations in arranging this. But you will have a more flexible and robust solution than just shutting down the session.
Smandoli
Thanks, that seems to be a nice and easy solution and sorry for the answering part, getting used to stackoverflow.
aeonsleo
No problem, we all did that. Also, I've been in the same situation -- a PHP newbie needing a logon scheme, trying htaccess etc. Glad you got some help.
Smandoli
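
The per-page check discussed in this thread, as an added example that is not part of the original posts: a shared include that every protected page calls before producing output. The file name `auth.php`, the `/login.php` URL, the function names and the `$_SESSION['valid']` / `$_SESSION['user']` keys are assumptions chosen for illustration; `$_SESSION['valid']` stands in for the `$valid` flag suggested above.

```php
<?php
// auth.php (hypothetical file name): include this first on every protected page.
declare(strict_types=1);

function start_session(): void
{
    // session_start() must run before any output and only once per request.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call at the very top of each protected page.
function require_login(string $loginUrl = '/login.php'): void
{
    start_session();
    // A browser that never logged in has no flag at all, so treat "missing" as FALSE.
    if (($_SESSION['valid'] ?? false) !== true) {
        header('Location: ' . $loginUrl, true, 302);
        exit; // without exit the rest of the page still executes and is sent
    }
}

// Call only after the submitted credentials have been verified.
function mark_logged_in(string $username): void
{
    start_session();
    session_regenerate_id(true); // new session id at login, guards against session fixation
    $_SESSION['valid'] = true;
    $_SESSION['user']  = $username; // assumed key, for display or authorization checks
}

// Call from the logout page.
function log_out(): void
{
    start_session();
    $_SESSION = [];    // clear the flag and every other session variable
    session_destroy(); // discard the server-side session data
}
```

A protected page would begin with `require __DIR__ . '/auth.php'; require_login();` ahead of any HTML. A page that lacks this check is served to anyone who types its URL, which matches the behaviour described in the question.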