The Web Design Group

... Making the Web accessible to all.

> Organization of Files on Web Server
joehesse
post Jul 10 2018, 09:16 AM
Post #1








My tentative website has two files, Login.php and Main.php. They are both in the root of the web server.
I want users to go to MySite.com/Login.php and see a login screen which asks for a user name and password. If the user enters a correct name and password they are linked to Main.php, otherwise they get an error message.
How do I prevent the user from just going to MySite.com/Main.php and bypassing Login.php?

Thank you,
Joe
CharlesEF
post Jul 10 2018, 12:30 PM
Post #2





When a user logs in you must set a SESSION variable, only when log in was successful. Then in the Main.php page you test for that SESSION variable. If the variable isn't set then you redirect the user to the Login.php page.

This post has been edited by CharlesEF: Jul 10 2018, 12:32 PM
Christian J
post Jul 10 2018, 12:39 PM
Post #3





You could let Main.php check if any POST form data was sent from Login.php. If valid form data was sent, let the PHP script on Main.php print the content, else print the error message. (Actually you don't need a separate Login.php page for this, you could let Main.php print the login form instead of the error message.)

The above will only work for a single Main.php page. If you want to protect several pages with a single login, you might let each page check for a session cookie, and if the cookie doesn't exist print a login form (or redirect to Login.php). Just be aware that lots of people disable cookies, so you need to inform the user or let a script check if the browser allows cookies.

Another simple option is to use HTTP authentication, this is done by the (Apache) server and works on a whole directory. The disadvantage is that the user stays logged in until the browser is completely closed (not just the web page). See http://www.javascriptkit.com/howto/htaccess3.shtml
joehesse
post Jul 10 2018, 02:38 PM
Post #4








QUOTE(Christian J @ Jul 10 2018, 12:39 PM) *

You could let Main.php check if any POST form data was sent from Login.php. If valid form data was sent, let the PHP script on Main.php print the content, else print the error message. (Actually you don't need a separate Login.php page for this, you could let Main.php print the login form instead of the error message.)

The above will only work for a single Main.php page. If you want to protect several pages with a single login, you might let each page check for a session cookie, and if the cookie doesn't exist print a login form (or redirect to Login.php). Just be aware that lots of people disable cookies, so you need to inform the user or let a script check if the browser allows cookies.

Another simple option is to use HTTP authentication, this is done by the (Apache) server and works on a whole directory. The disadvantage is that the user stays logged in until the browser is completely closed (not just the web page). See http://www.javascriptkit.com/howto/htaccess3.shtml


Someone suggested that I put Main.php in a folder that is not under the html root directory. Does this sound reasonable?
Christian J
post Jul 10 2018, 05:11 PM
Post #5





QUOTE(joehesse @ Jul 10 2018, 09:38 PM) *

Someone suggested that I put Main.php in a folder that is not under the html root directory. Does this sound reasonable?

Yes, it's better security to keep files with usernames and passwords above the html root. For example, if the server's PHP engine stops working properly users may otherwise be able to see the PHP scripts directly (including any sensitive data in them).

Of course all HTML pages must be located in the html root directory, but you can always include a file from a higher level with PHP.
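
The session check described in post #2, combined with the above-root include from post #5, as an added example that is not code posted by anyone in this thread. The file name auth.php, the private/ directory, the function names and the sample user are assumptions made for illustration.

```php
<?php
// auth.php - added example. Keep this file ABOVE the html root (for instance in a
// hypothetical ../private/ directory) and require it from Login.php and Main.php.
declare(strict_types=1);

// Constructed sample credential store: user name => password_hash() output.
// A real site would read stored hashes from a database or a file outside the web root.
function user_hashes(): array
{
    return ['joe' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(['cookie_httponly' => true, 'use_strict_mode' => true]);
    }
}

// Called by Login.php with the posted form fields. The SESSION variable is set
// only when the login was successful.
function attempt_login(string $user, string $password): bool
{
    start_session();
    $hash = user_hashes()[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // issue a fresh session id once the user is authenticated
    $_SESSION['user'] = $user;
    return true;
}

// Called at the very top of Main.php and of every other protected page.
function require_login(): string
{
    start_session();
    if (!isset($_SESSION['user'])) {
        header('Location: /Login.php');
        exit;                      // without exit the protected page body would still be sent
    }
    return $_SESSION['user'];
}

// Main.php (in the html root) then needs only:
//   require __DIR__ . '/../private/auth.php';
//   $user = require_login();
//   require __DIR__ . '/../private/main_content.php';   // hypothetical content file
```

Requesting MySite.com/Main.php directly then ends in the redirect branch of require_login(), because no session variable has been set for that visitor.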
