login page only blocks one page

Security and PHP
#1

hey guys having a little problem i want to block other pages from being seen without them being logged at the moment my script directs the user to the secret.php page only but if the user knew the other pages they could get in with no problem. is there anyway of preventing multiple page blocking by using multiple headers i.e header(“Location:secret.php”);

i have tried certain things but still no luck :frowning:

<?php $userDB = array("pcjohn" => "secret", "ewood" => "secret", "helen" => "secret"); function getPasswordForUser($username) { global $userDB; return $userDB[$username]; } function validate($challenge, $response, $password) { return md5($challenge . $password) == $response; } function authenticate() { if (isset($_SESSION[challenge]) && isset($_REQUEST[username]) && isset($_REQUEST[response])) { $password = getPasswordForUser($_REQUEST[username]); if (validate($_SESSION[challenge], $_REQUEST[response], $password)) { $_SESSION[authenticated] = "yes"; $_SESSION[username] = $_REQUEST[username];; unset($_SESSION[challenge]); } else { header("Location:login.php?error=".urlencode("Failed authentication")); exit; } } else { header("Location:login.php?error=".urlencode("Session expired")); exit; } } session_start(); authenticate(); <?php $userDB = array("pcjohn" => "secret", "ewood" => "secret", "helen" => "secret"); function getPasswordForUser($username) { global $userDB; return $userDB[$username]; } function validate($challenge, $response, $password) { return md5($challenge . $password) == $response; } function authenticate() { if (isset($_SESSION[challenge]) && isset($_REQUEST[username]) && isset($_REQUEST[response])) { $password = getPasswordForUser($_REQUEST[username]); if (validate($_SESSION[challenge], $_REQUEST[response], $password)) { $_SESSION[authenticated] = "yes"; $_SESSION[username] = $_REQUEST[username];; unset($_SESSION[challenge]); } else { header("Location:login.php?error=".urlencode("Failed authentication")); exit; } } else { header("Location:login.php?error=".urlencode("Session expired")); exit; } } session_start(); authenticate(); header("Location:secret.php"); exit(); ?>

exit();
?>

#2

set a session variable when they are logged in. At the top of every “Secret” page, CHECK the session variable when the page is accessed . If it’s not set to be “LOGGED IN” then re-direct them to the login page.

Sponsor our Newsletter | Privacy Policy | Terms of Service