Was your php installation compiled with session support?
If your answer to both of those questions is yes (you can check your server config with a page containing this string <?php phpinfo(); ?>)
Then use session to register a variable such as the example below...
<?php
if (!empty($_SESSION['auth'])) { //where auth is a flag of yes or no
// let user into page
} elseif (empty($_SESSION['auth'])) {
header("Location: login.html"); // where login.html is your login form
} else {
exit(); }// catch all
?>Then say on your authentication module you do something like this
<?php
function authentication() {
if (!empty($_POST['username'])) && (!empty($_POST['password'])) {
// some code to check if username and password variables match database entries or file containing credentials
// if a match is found do the rest of the code
session_start();
$_SESSION['auth'] = base64_encode(1); //encoded var to deter session hijacking
} else {
header("location: login.html"); }
?>
Hope this helps a bit... more info on stuff like this is available at google.com. =)
Jas
Thomas Andersen wrote:
Hello,
I'm trying to develop a secure web based application and my only tools are php, mysql, and a SSL connection.
Does anyone know of any good references for this kind of development?
What I really need to do is to make sure that given users only gain access to the parts of the application they are given rights to. I'm not sure if I need to pass their user information along from page to page or if I should set a cookie or whatever else would be appropriate. I also want people to be bounced back to the login page if they enter a direct URL to part of the application without logging in first, and I also want people to be able to log out.
Thanks, Thomas Andersen
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
