Page Protection php

Viewed 1,206 times

1

I found a tutorial on how to make a login system... But the problem is that when I try to restrict pages to logged-in users, access does not work even though the user is logged in. I think the error is in functions.php, where the script checks whether the user is logged in.

Login System

db_connect.php

psl-config.php

<?php
/**
 * These are the login details for the database
 */
define("HOST", "localhost");     // The host you want to connect to.
define("USER", "sec_user");    // The database user name.
define("PASSWORD", "root");    // The database password.
define("DATABASE", "secure_login");    // The database name.

define("CAN_REGISTER", "any");
define("DEFAULT_ROLE", "member");

define("SECURE", FALSE);    // STRICTLY FOR DEVELOPMENT!!!!
?>

In functions.php there is an error on line 38 and on line 135... which prevents checking the user

functions.php

login.php

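<?php
// Include paths are assumed from the includes/ directory used by the form action below.
include_once 'includes/db_connect.php';   // provides $mysqli
include_once 'includes/functions.php';    // provides sec_session_start() and login_check()

sec_session_start();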

if (login_check($mysqli) == true) {
    $logged = 'in';
} else {
    $logged = 'out';
}
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Secure Login: Log In</title>
        <link rel="stylesheet" href="styles/main.css" />
        <script type="text/JavaScript" src="js/sha512.js"></script> 
        <script type="text/JavaScript" src="js/forms.js"></script> 
    </head>
    <body>
        <?php
        if (isset($_GET['error'])) {
            echo '<p class="error">Erro ao fazer o login!</p>';
        }
        ?> 
        <form action="includes/process_login.php" method="post" name="login_form">                      
            Email: <input type="text" name="email" />
            Password: <input type="password" 
                             name="password" 
                             id="password"/>
            <input type="button" 
                   value="Login" 
                   onclick="formhash(this.form, this.form.password);" /> 
        </form>
        <p>If you don't have a login, please <a href="register.php">register</a></p>
        <p>If you are done, please <a href="includes/logout.php">log out</a>.</p>
        <p>You are currently logged <?php echo $logged ?>.</p>
    </body>
</html>

protected_page.php

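<?php
// Include paths are assumed from the includes/ directory used by login.php's links.
include_once 'includes/db_connect.php';   // provides $mysqli
include_once 'includes/functions.php';    // provides sec_session_start() and login_check()

sec_session_start();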
?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>Secure Login: Protected Page</title>
        <link rel="stylesheet" href="styles/main.css" />
    </head>
    <body>
        <?php if (login_check($mysqli) == true) : ?>
            <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
            <p>
Esta é uma página protegida para servir de exemplo. Para acessá-la, os usuários devem ter feito o login. Em dado momento, também verificaremos o papel que o usuário está desempenhando para que possamos determinar o tipo de usuário que está autorizado a acessar a página. 
            </p>
            <p>Return to <a href="index.php">login page</a></p>
        <?php else : ?>
            <p>
                <span class="error">Você não tem autorização para acessar esta página.</span> Please <a href="index.php">login</a>.
            </p>
        <?php endif; ?>
    </body>
</html>

  • Please tell us which error messages appear on lines 38 and 135 of functions.php, as different errors may occur.

  • Use PhpStorm, which identifies errors in lines of code... But it seems to me that the errors do not allow you to check whether the user is logged in.

  • Having analyzed it, both line 38 and line 135 of functions.php are variable bindings for the query to run. I suggest that you echo them before these lines are executed, to be able to see their content.

  • Have you tried changing it to: define("SECURE", TRUE); ?

2 answers

2

Man, I don't know if this will help you, but here it goes anyway. In the systems I develop with PHP/HTML, I make the href of every page link point to my index.php and pass a flag for the page the user wants to go to:

<a href="index.php?PAGINA=suapagina"></a>

In my index.php I check whether the user's $_SESSION was started:

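session_start(); // $_SESSION is empty until the session is started

if (isset($_SESSION['user_id'])) {
    // Flag of the requested page; empty when the parameter is missing
    $i = $_GET['PAGINA'] ?? '';

    // Only pages listed here can be reached; anything else falls back to the index view
    switch ($i) {
        case 'lojas':
            $request = 'view/lojas.html';
            break;
        default:
            $request = 'view/index.html';
            break;
    }
} else {
    $request = 'view/login.html';
}
header("Location: " . $request);
exit; // stop the script once the redirect header is sent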

In the index.php you can validate user permissions the way you want.

  • That’s the way I do it. But I don’t know if that answers the question.

  • I know it doesn't answer the question correctly, but I just left an idea in case he isn't able to solve the problem.

  • It is at these times that I recommend the use of a good Framework.

1

I use a simpler way to protect the pages that should be private, but it might give you some "light" there. First I have a file called "valida_sessao.php", like this:

$sessao = 0;
session_start(); 
if(isset($_SESSION["sessiontime"])){ 
    if($_SESSION["sessiontime"] < time()){ 
        session_unset();
        $_SESSION['retorno_login'] = "Seu tempo de sessão expirou! Faça login novamente.";
        $sessao = 0;
        // Redirect to login
    } else {
        // Still logged in!
        // Extend the session by another 5 minutes (300 seconds)
        $_SESSION["sessiontime"] = time() + 300;
        $sessao = 1;
    }
} else { 
    session_unset();
    $_SESSION['retorno_login'] = 'Para entrar na área administrativa do site, por favor insira seu login e sua senha.';
    $sessao = 0;
}

Then at the beginning of the private pages I put the following code:

include_once("valida_sessao.php");
if($sessao == 0){
    header('Location: login_area_adm.php');
    exit; // without this, the rest of the private page still runs and is sent to the client
}

I hope this helps; I've received a lot of help from forums like this!
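
A hardened variant of the session check from the answer above, as an added example that is not part of the original answer or of the tutorial's code. The file name auth_guard.php and the function names are hypothetical; the 'sessiontime' key, the 300-second window and login_area_adm.php come from the answer above, and 'user_id' is the session key used in the first answer.

```php
<?php
// auth_guard.php -- added example; file and function names are hypothetical.
// Use at the top of every private page, before any output:
//     require 'auth_guard.php'; start_secure_session(true); require_login();

const IDLE_LIMIT = 300;                    // seconds, same window as the answer above
const LOGIN_PAGE = 'login_area_adm.php';   // login page named in the answer above

function start_secure_session(bool $https): void
{
    // Cookie flags have to be set before session_start() (array form needs PHP 7.3+).
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => $https,   // true in production: cookie is only sent over HTTPS
        'httponly' => true,     // cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
    session_start();
}

function require_login(): void
{
    $now     = time();
    $expires = $_SESSION['sessiontime'] ?? 0;   // 0 when the user never logged in

    if (!isset($_SESSION['user_id']) || $expires < $now) {
        // Not logged in, or idle for too long: drop the session data and stop here.
        $_SESSION = [];
        session_regenerate_id(true);
        header('Location: ' . LOGIN_PAGE);
        exit;   // without this the protected page is still rendered and sent
    }

    $_SESSION['sessiontime'] = $now + IDLE_LIMIT;   // sliding expiry, as in the answer
}

// Called by the login handler once the password has been verified.
function mark_logged_in(int $userId): void
{
    session_regenerate_id(true);   // fresh id after login prevents session fixation
    $_SESSION['user_id']     = $userId;
    $_SESSION['sessiontime'] = time() + IDLE_LIMIT;
}
```

Passing false to start_secure_session() mirrors define("SECURE", FALSE) in the question and is only suitable for local development over plain HTTP.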
