How to prevent direct access to a landing page after password validation?

Hi everyone,

I am new to PHP and have been working through a tutorial on how to develop a PHP log in capability (in conjunction with MySQL). Everything is working just fine, but I dislike the idea that once you know the URL for the ‘secret’ landing page, you can navigate straight there without the need to log in!

What I am hoping to achieve is to only allow access to the landing page as part of the PHP/MySQL validation process or perhaps some other routine.

I would be grateful for any ideas/suggestions.

Not sure if it helps, but I’ve provided the PHP code as follows. As you will see, if the user name & password is correct you are directed to SecretPage.php.

[php]
<?php
/* Program: Login.php
*/
session_start();
switch (@$_POST['Button'])
{
  case "Log in":
    include("dogs.inc");
    $cxn = mysqli_connect($host,$user,$passwd,$dbname)
           or die("Query died: connect");
    $sql = "SELECT loginName FROM Member
            WHERE loginName='$_POST[fusername]'";
    $result = mysqli_query($cxn,$sql)
              or die("Query died: fusername: ".mysqli_error($cxn));
    $num = mysqli_num_rows($result);
    if($num > 0) //login name was found
    {
      $sql = "SELECT loginName FROM Member
              WHERE loginName='$_POST[fusername]'
              AND password=md5('$_POST[fpassword]')";
      $result2 = mysqli_query($cxn,$sql)
                 or die("Query died: fpassword");
      $num2 = mysqli_num_rows($result2);
      if($num2 > 0) //password matches
      {
        $_SESSION['auth']="yes";
        $_SESSION['logname'] = $_POST['fusername'];
        $sql = "INSERT INTO Login (loginName,loginTime)
                VALUES ('$_SESSION[logname]',NOW())";
        $result = mysqli_query($cxn,$sql)
                  or die("Query died: insert");
        header("Location: SecretPage.php");
      }
      else // password does not match
      {
        $message_1="The Login Name, '$_POST[fusername]'
                    exists, but you have not entered the
                    correct password! Please try again.";
        $fusername = strip_tags(trim($_POST['fusername']));
        include("login_form.inc");
      }
    }
    else // login name not found
    {
      $message_1 = "The User Name you entered does not
                    exist! Please try again.";
      include("login_form.inc");
    }
    break;

  default:
    include("login_form.inc");

}
?>
[/php]

Can you put the code in the php tags please? Use the php button.

But you could do something like
[php]if ($_SESSION['auth'] == "yes") { /* show page code */ } else { /* redirect */ }[/php]

Hi,

Thanks for the suggestion, which I’ve tried without success.

I’m probably being really dumb, but I have assumed the code goes in the header section of the landing page. Is this correct? I have tried various ways of interpreting how to redirect the user back to the login page and hope you can tell me where I’m going wrong.

Thanks a lot.

At the top of the secret page:
[php]
<?php
session_start();
#$_SESSION['loginName'] = '';
if (!(isset($_SESSION['loginName']) && $_SESSION['loginName'] != '')) {
    session_destroy();
    header("Location: login.html");
    exit;
}
?>
[/php]

Hi,

Thanks for that. There are no error messages on landing page (a good start), but I can still visit the page by using the URL. Any ideas please?

Are you logged in?
Try with the code, I changed it to loginName.

But you could print out the session variables to see what they are with
[php]print_r($_SESSION);[/php]

Hi again,

Whoops, I didn’t think I might be logged in still. Now that’s what you might call stupid!

Thanks for all your help. It works perfectly.

Have a good weekend.

PS This will take me down the path of trying to learn how to log out of sessions!!

Sorry, I spoke too soon! Now that I cannot go direct to the landing page, when I try logging in I am looping back to the log in page.

This is the code I am using: <?php session_start();if (!(isset($_SESSION['loginName'] ) && $_SESSION['loginName'] !='')) {header ("Location: Login_reg.php");exit;} ?>

Have I misunderstood what you were suggesting?

Thanks again.

You need to use the php code button to wrap the code in.

Print out your session variables and if one has password username just remove them and put user and pass in their place.

[php]print_r($_SESSION);[/php]
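Added example, not posted by anyone in this thread: Login.php as posted sets `$_SESSION['auth']` and `$_SESSION['logname']`, while the guard on the landing page tests `$_SESSION['loginName']`, so the guard never sees a logged-in user. The sketch below keeps the session key in one place and also replaces the interpolated SQL and md5() check with a prepared statement and password_verify(). The file name `auth.php`, the function names, the constant `SESSION_USER_KEY`, and a `password` column holding password_hash() output are assumptions.

```php
<?php
// auth.php (hypothetical file name): shared by the login script and every protected page.
// One constant for the session key, so the writer and the guard cannot disagree.
const SESSION_USER_KEY = 'logname';

// Returns true when $name exists and $password matches its stored hash.
// Assumption: Member.password holds password_hash() output rather than md5().
function check_credentials(mysqli $cxn, string $name, string $password): bool
{
    // The ? placeholder keeps form input out of the SQL text.
    $stmt = mysqli_prepare($cxn, 'SELECT password FROM Member WHERE loginName = ?');
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);   // true = row, null = no row, false = error
    mysqli_stmt_close($stmt);
    return $found === true && password_verify($password, $hash);
}

// Call after session_start(), once the credentials have been verified.
function login_user(string $name): void
{
    session_regenerate_id(true);         // fresh session id at the privilege change
    $_SESSION[SESSION_USER_KEY] = $name;
}

// Call at the very top of each protected page, before any output is sent.
function require_login(string $loginUrl = 'Login.php'): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION[SESSION_USER_KEY]) || $_SESSION[SESSION_USER_KEY] === '') {
        header('Location: ' . $loginUrl);
        exit;                            // stop here, or the page body is still sent
    }
    return $_SESSION[SESSION_USER_KEY];
}

// Log out: clear the data, then destroy the session on the server.
function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// Login.php:      if (check_credentials($cxn, $_POST['fusername'], $_POST['fpassword'])) {
//                     login_user($_POST['fusername']); header('Location: SecretPage.php'); exit; }
// SecretPage.php: require 'auth.php'; $user = require_login();
```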
