
PHP, Prevent users from accessing a page while not logged in?

How can I prevent a user from accessing a page when they are not logged in? I want him to be redirected to the login page. I know it has something to do with sessions.

noob asked Oct 20 '09 12:10


4 Answers

It works like this:

  1. Start a session: session_start()
  2. If Session["user"] == null, redirect to the login page, else continue.
  3. In the login page, ask the user for a password using a form.
  4. Post this form to the login page.
  5. Check against your authentication service (e.g. a table in MySQL) whether the user is authorized.
  6. If yes, Session["user"] = $userName, redirect the user to the page. If no, prompt for the password again.

Of course, this is all very, very simple. In your session, you could keep a complex user object, or anything. Good luck coding.

Palantir answered Nov 04 '22 04:11


As Svetlozar Angelov pointed out, the following code would work well:

if (!isset($_SESSION['nID']))
    header("Location: login.php");

However, this would not actually secure the page against users who really wanted access. You need to make some adjustments:

if (!isset($_SESSION['nID']))
{
    header("Location: login.php");
    die();
}

This prevents bots and savvy users who know how to ignore browser headers from getting into the page and causing problems. It also allows the page to stop executing the rest of the page and to save resources.

It's also noteworthy that $_SESSION['nID'] can be swapped out for any other variable you are using to store usernames or IDs.

Sam152 answered Nov 04 '22 03:11
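
The session guard and login check described in the answers above, written out as an added example (not code from any of the answers). The file name auth.php, the function names, and the in-memory $users array standing in for the database lookup are assumptions; PHP 7.3+ is assumed for the cookie options.

```php
<?php
// auth.php - added example; all names here are illustrative.
declare(strict_types=1);

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Session cookie is hidden from JavaScript and not sent on cross-site POSTs.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Call at the top of every protected page, before any output is sent.
function require_login(): int
{
    start_session();
    if (!isset($_SESSION['nID'])) {
        header('Location: login.php');
        exit; // without this, the rest of the page still runs and is sent to the client
    }
    return (int) $_SESSION['nID'];
}

// Call from login.php when the form is posted.
// $users stands in for a database lookup (assumption): username => [id, hash],
// where hash was produced by password_hash().
function attempt_login(array $users, $name, $password): bool
{
    if (!is_string($name) || !is_string($password)) {
        return false; // e.g. user[]=x submitted instead of a plain field
    }
    $row = $users[$name] ?? null;
    if ($row === null || !password_verify($password, $row['hash'])) {
        return false; // same return value for unknown user and wrong password
    }
    start_session();
    session_regenerate_id(true); // fresh session id at login (session fixation)
    $_SESSION['nID'] = $row['id'];
    return true;
}

// Constructed sample row; a real application reads it from its user table:
//   $users = ['alice' => ['id' => 1, 'hash' => password_hash('example-pw', PASSWORD_DEFAULT)]];
// login.php: if (attempt_login($users, $_POST['user'] ?? null, $_POST['pass'] ?? null)) {
//                header('Location: inbox.php'); exit; }
// inbox.php: require 'auth.php'; $userId = require_login();
```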


When he logs in, store a session variable. Then at the beginning of every page:

session_start();
if (!isset($_SESSION['nID']))
    header("Location: login.php");

If the login is OK:

session_start();
$_SESSION['nID'] = 1; //example

Svetlozar Angelov answered Nov 04 '22 04:11


Follow these steps:

Create a login.php page accessible to everybody where a user enters her username and password in a form. This form must be submitted to login.php itself. (action='login.php'). Also include a hidden variable in your form which tracks if the form has been submitted.

If the hidden variable is set, check if the username ($_POST['user']) exists in your DB, and that the password matches the username. If it does, store the username in a $_SESSION variable like this:

$_SESSION['username'] = $_POST['user'];

If it does not, reload login.php like this:

header("Location: login.php"); // You should not have echoed anything before this
exit; // stop here so nothing after the redirect runs

Now include login.php in every user page you create. Suppose you were writing an email application; create an inbox.php like this:

include("login.php");

Now, login.php will check if the session variable 'user' is set and allow access to authorised users only.

KJ Saxena answered Nov 04 '22 03:11