To solve this problem, I store some variables in a session, and at the
beginning of each page that needs to be secure in my site, I check to see if
the session variable is set (usually $userid); if not, I redirect the user
back to the logon page.  At least two things will cause the variable to be
missing: a direct reference to the page using the URL, and the session
having expired.

I also make it a practice of coding a page as two separate php files, the
first of which performs the test above and retrieves information and
presents it on the web page (this is my presentation layer).  The second php
program is referenced as the Action of my form, or as an href from
an anchor on the form when data is not to be submitted.  This second php
program may test again for my session variable, but it does only processing
(storing data in the database, etc), then does a redirect header("Location:
page.php"); some of the redirections will take it back to the page in file one,
other redirections will take it to other pages.

The reason for this dual program style is that it avoids the problem with
using the POST method of form processing and pressing the back button on the
browser (IE and Netscape both issue an error).  Because every one of the
pages presented in my application is redirected to, they are entered by a
"GET" by default and the back button works fine.  The second "process only"
program can pass variables to the next form either as GET parameters
appended to the URL, or as a session variable.  A redirect cannot cause a
form to be entered with a POST method that I am aware of.

hope this helps,

Warren Vail
Tools, Metrics & Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658
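The pattern Warren describes above, applied to the login form in Chris's quoted
message below, as an added example that is not code from either of them: a
session check at the top of every protected page, a login script that sets the
session variable and redirects, and a separate process-only script that does
its work and redirects so that every page is reached by GET. The three "files"
are collapsed into one script with a small router so it runs as-is under the
PHP built-in server (`php -S localhost:8000 auth_demo.php`). The user table,
the page names and the names require_login/page_* are assumptions made for
the demo; a real application would look the user up in its database.

```php
<?php
// Added example, not Warren's or Chris's code. Demo assumptions: the $USERS
// array stands in for Chris's MySQL Users table, the ?page= router stands in
// for separate files, and require_login/page_* are names chosen here.
declare(strict_types=1);

session_start();

// Constructed user store. Passwords are kept as password_hash() output, so a
// leaked table does not reveal them; the hash is computed here only for the demo.
$USERS = [
    'chris' => ['id' => 1, 'hash' => password_hash('demo-pass', PASSWORD_DEFAULT)],
];

// Warren's check, shared by every protected page: if the session variable is
// missing (direct URL access, expired session, never logged in), send the
// browser to the login page and stop before any protected content is emitted.
function require_login(): int
{
    if (!isset($_SESSION['userid'])) {
        header('Location: /?page=login');
        exit;
    }
    return $_SESSION['userid'];
}

function e(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// Login page: form on GET, credential check on POST. On success the userid is
// stored in the session and the browser is redirected, so the next page is
// reached by GET and a refresh does not re-POST the password.
function page_login(array $users): void
{
    $error = '';
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $name = (string)($_POST['User'] ?? '');
        $pass = (string)($_POST['Pass'] ?? '');
        if (isset($users[$name]) && password_verify($pass, $users[$name]['hash'])) {
            session_regenerate_id(true);    // new session id after the privilege change
            $_SESSION['userid'] = $users[$name]['id'];
            header('Location: /?page=about');
            exit;
        }
        $error = 'Login failed';            // same message for unknown user and wrong password
    }
    echo '<h2>PLEASE LOG IN</h2>';
    if ($error !== '') {
        echo '<p>', e($error), '</p>';
    }
    echo '<form method="post" action="/?page=login">',
         'Username: <input type="text" name="User"> ',
         'Password: <input type="password" name="Pass"> ',
         '<input type="submit" value="Log In"></form>';
}

// Presentation layer of the protected page (Chris's about.php). Its first
// statement is the session test, so a direct link never gets past it.
function page_about(): void
{
    $userid = require_login();
    $note = (string)($_SESSION['note'] ?? '');
    echo '<p>Logged in as user #', $userid, '. Saved note: ', e($note), '</p>';
    echo '<form method="post" action="/?page=save">',
         '<input type="text" name="note"> <input type="submit" value="Save">',
         '</form> <a href="/?page=logout">Log out</a>';
}

// Process-only script (Warren's second file): tests the session again, does
// the work, and redirects. It renders nothing, so the page the user lands on
// was entered by GET and the back button works.
function page_save(): void
{
    require_login();
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Location: /?page=about');   // nothing to process on GET
        exit;
    }
    $_SESSION['note'] = (string)($_POST['note'] ?? '');   // stand-in for the database write
    header('Location: /?page=about');
    exit;
}

function page_logout(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: /?page=login');
    exit;
}

switch ($_GET['page'] ?? 'login') {
    case 'login':  page_login($USERS); break;
    case 'about':  page_about();       break;
    case 'save':   page_save();        break;
    case 'logout': page_logout();      break;
    default:       http_response_code(404); echo 'No such page';
}
```

Requesting /?page=about without having logged in bounces straight to the login
page, which is the answer to Chris's question; after a Save, pressing the back
button returns to a page that was reached by GET, which is Warren's reason for
splitting presentation from processing.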


-----Original Message-----
From: Omland Christopher m [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 10:25 AM
To: Rouvas Stathis
Cc: Kevin Stone; 'Justin French'; 'php'
Subject: [PHP] User Authentication


Hi, I had a question on user authentication/member accounts.
I have built a MySQL database with users and passwords, and I wrote this
code:
<html>
<head><title>LOGIN IN PROGRESS</title></head>
<?php
/* HOST, USER, PASS and DB are constants assumed to be defined elsewhere */
mysql_connect(HOST, USER, PASS) or die("cant connect");
mysql_select_db(DB) or die("cant select db");
?>
<body bgcolor="white">
<h2>PLEASE LOG IN</h2>

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<table cellpadding=2 cellspacing=0 border=0>
<tr><td>Username:</td><td><input type="text" name="User" size=10></td></tr>
<tr><td>Password:</td><td><input type="password" name="Pass" size=10></td></tr>
<tr><td>&nbsp;</td><td><input type="submit" name="submit" value="Log In"></td></tr>
</table></form>
<?php
/* read the form fields from $_POST rather than relying on register_globals */
if (isset($_POST['submit'])) {
    $User = $_POST['User'];
    $Pass = $_POST['Pass'];
    /* escape the username before putting it into the query, otherwise a
       crafted username changes the meaning of the SQL */
    $result = mysql_query("select * from Users where User='"
        . mysql_escape_string($User) . "'") or die("cant do it");
    while ($row = mysql_fetch_array($result)) {
        /* strict comparison avoids PHP's loose numeric-string matching */
        if ($row["Pass"] === $Pass) {
            printf("Successfully Logged In!<a href=\"about.php\">Click Here</a>");
        }
    }
}
?>
</body>
</html>

So this works; it recognizes a real user vs. a fake one. But I don't
understand what's to stop someone from directly linking to a protected
page? For example, why couldn't someone just go directly to
...../about.php.

Does this make sense? Should I have the login form in one file and the php
script in another? Do I need to check the http header somehow to see if
they have logged in?
Thanks.
-Chris


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
