HTMLHelp Forums _ Web Site Functionality _ Organization of Files on Web Server

Posted by: joehesse Jul 10 2018, 09:16 AM

My tentative website has two files, Login.php and Main.php. They are both in the root of the web server.
I want users to go to MySite.com/Login.php and see a login screen which asks for a user name and password. If the user enters a correct name and password they are linked to Main.php, otherwise they get an error message.
How do I prevent the user from just going to MySite.com/Main.php and bypassing Login.php?

Thank you,
Joe

Posted by: CharlesEF Jul 10 2018, 12:30 PM

When a user logs in you must set a SESSION variable, only when log in was successful. Then in the Main.php page you test for that SESSION variable. If the variable isn't set then you redirect the user to the Login.php page.

Posted by: Christian J Jul 10 2018, 12:39 PM

You could let Main.php check if any POST form data was sent from Login.php. If valid form data was sent, let the PHP script on Main.php print the content, else print the error message. (Actually you don't need a separate Login.php page for this, you could let Main.php print the login form instead of the error message.)

The above will only work for a single Main.php page. If you want to protect several pages with a single login, you might let each page check for a session cookie, and if the cookie doesn't exist print a login form (or redirect to Login.php). Just be aware that lots of people disable cookies, so you need to inform the user or let a script check if the browser allows cookies.

Another simple option is to use HTTP authentication; this is done by the (Apache) server and works on a whole directory. The disadvantage is that the user stays logged in until the browser is completely closed (not just the web page). See http://www.javascriptkit.com/howto/htaccess3.shtml

Posted by: joehesse Jul 10 2018, 02:38 PM

QUOTE(Christian J @ Jul 10 2018, 12:39 PM) *

You could let Main.php check if any POST form data was sent from Login.php. If valid form data was sent, let the PHP script on Main.php print the content, else print the error message. (Actually you don't need a separate Login.php page for this, you could let Main.php print the login form instead of the error message.)

The above will only work for a single Main.php page. If you want to protect several pages with a single login, you might let each page check for a session cookie, and if the cookie doesn't exist print a login form (or redirect to Login.php). Just be aware that lots of people disable cookies, so you need to inform the user or let a script check if the browser allows cookies.

Another simple option is to use HTTP authentication; this is done by the (Apache) server and works on a whole directory. The disadvantage is that the user stays logged in until the browser is completely closed (not just the web page). See http://www.javascriptkit.com/howto/htaccess3.shtml


Someone suggested that I put Main.php in a folder that is not under the html root directory. Does this sound reasonable?

Posted by: Christian J Jul 10 2018, 05:11 PM

QUOTE(joehesse @ Jul 10 2018, 09:38 PM) *

Someone suggested that I put Main.php in a folder that is not under the html root directory. Does this sound reasonable?

Yes, it's better security to keep files with usernames and passwords above the html root. For example, if the server's PHP engine stops working properly users may otherwise be able to see the PHP scripts directly (including any sensitive data in them).

Of course all HTML pages must be located in the html root directory, but you can always include a file from a higher level with PHP.
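
Added example (not part of the original thread, and not any poster's code): the session check CharlesEF describes, combined with Christian J's advice to keep sensitive files above the html root. The helper file name auth.php, the ../private/ directory, main_content.php and the form field names user and pass are assumptions made for illustration.

```php
<?php
// auth.php: hypothetical helper stored above the html root (e.g. ../private/auth.php).
declare(strict_types=1);

function start_session(): void
{
    // Cookie flags keep the session id away from page scripts and cross-site posts.
    // Add 'cookie_secure' => true once the site is served over HTTPS only.
    session_start([
        'cookie_httponly' => true,
        'cookie_samesite' => 'Lax',
        'use_strict_mode' => true,
    ]);
}

// $users maps user name => hash produced by password_hash(); never plain passwords.
function attempt_login($user, $pass, array $users): bool
{
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return false;
    }
    if (!password_verify($pass, $users[$user])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after login (prevents fixation)
    $_SESSION['user'] = $user;     // set ONLY after a successful login
    return true;
}

function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /Login.php');
        exit;                      // without exit the rest of Main.php would still run
    }
}

// Main.php (in the html root) then needs only:
//   require __DIR__ . '/../private/auth.php';
//   start_session();
//   require_login();
//   require __DIR__ . '/../private/main_content.php';   // page body, also above the root
//
// Login.php, after the same require, on a POST, with $users loaded from above the root:
//   start_session();
//   if (attempt_login($_POST['user'] ?? null, $_POST['pass'] ?? null, $users)) {
//       header('Location: /Main.php');
//       exit;
//   }
//   echo 'Wrong user name or password.';
```

With this layout a direct request for MySite.com/Main.php without a logged-in session is redirected before any protected content is included, and the files holding the logic and password hashes are never served directly by the web server.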
