Organization of Files on Web Server |
joehesse |
Jul 10 2018, 09:16 AM
Post
#1
|
Group: Members Posts: 7 Joined: 5-July 18 Member No.: 26,667 |
My tentative website has two files, Login.php and Main.php. They are both in the root of the web server.
I want users to go to MySite.com/Login.php and see a login screen which asks for a user name and password. If the user enters a correct name and password they are linked to Main.php, otherwise they get an error message. How do I prevent the user from just going to MySite.com/Main.php and bypassing Login.php? Thank you, Joe |
CharlesEF |
Jul 10 2018, 12:30 PM
Post
#2
|
Programming Fanatic Group: Members Posts: 1,981 Joined: 27-April 13 From: Edinburg, Texas Member No.: 19,088 |
When a user logs in you must set a SESSION variable, only when log in was successful. Then in the Main.php page you test for that SESSION variable. If the variable isn't set then you redirect the user to the Login.php page.
This post has been edited by CharlesEF: Jul 10 2018, 12:32 PM |
Christian J |
Jul 10 2018, 12:39 PM
Post
#3
|
. Group: WDG Moderators Posts: 9,656 Joined: 10-August 06 Member No.: 7 |
You could let Main.php check if any POST form data was sent from Login.php. If valid form data was sent, let the PHP script on Main.php print the content, else print the error message. (Actually you don't need a separate Login.php page for this, you could let Main.php print the login form instead of the error message.)
The above will only work for a single Main.php page. If you want to protect several pages with a single login, you might let each page check for a session cookie, and if the cookie doesn't exist print a login form (or redirect to Login.php). Just be aware that lots of people disable cookies, so you need to inform the user or let a script check if the browser allows cookies. Another simple option is to use HTTP authentication, this is done by the (Apache) server and works on a whole directory. The disadvantage is that the user stays logged in until the browser is completely closed (not just the web page). See http://www.javascriptkit.com/howto/htaccess3.shtml |
joehesse |
Jul 10 2018, 02:38 PM
Post
#4
|
Group: Members Posts: 7 Joined: 5-July 18 Member No.: 26,667 |
> You could let Main.php check if any POST form data was sent from Login.php. If valid form data was sent, let the PHP script on Main.php print the content, else print the error message. (Actually you don't need a separate Login.php page for this, you could let Main.php print the login form instead of the error message.)
> The above will only work for a single Main.php page. If you want to protect several pages with a single login, you might let each page check for a session cookie, and if the cookie doesn't exist print a login form (or redirect to Login.php). Just be aware that lots of people disable cookies, so you need to inform the user or let a script check if the browser allows cookies. Another simple option is to use HTTP authentication, this is done by the (Apache) server and works on a whole directory. The disadvantage is that the user stays logged in until the browser is completely closed (not just the web page). See http://www.javascriptkit.com/howto/htaccess3.shtml

Someone suggested that I put Main.php in a folder that is not under the html root directory. Does this sound reasonable? |
Christian J |
Jul 10 2018, 05:11 PM
Post
#5
|
. Group: WDG Moderators Posts: 9,656 Joined: 10-August 06 Member No.: 7 |
> Someone suggested that I put Main.php in a folder that is not under the html root directory. Does this sound reasonable?

Yes, it's better security to keep files with usernames and passwords above the html root. For example, if the server's PHP engine stops working properly users may otherwise be able to see the PHP scripts directly (including any sensitive data in them). Of course all HTML pages must be located in the html root directory, but you can always include a file from a higher level with PHP. |
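The session check from post #2, combined with the include from above the html root described in post #5, as an added example that is not part of the original thread. The file name auth.php, the ../private/ path, the function names, the form field names and the sample user are all assumptions made for illustration.

```php
<?php
// auth.php: hypothetical helper, stored above the html root (e.g. ../private/auth.php).

// Constructed sample user store: username => password_hash() output.
function load_users(): array
{
    return ['joe' => password_hash('example-password', PASSWORD_DEFAULT)];
}

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Hide the session cookie from scripts; mark it secure when served over HTTPS.
        $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax', 'secure' => $https]);
        session_start();
    }
}

// Login.php calls this with the POSTed fields; the SESSION variable is set only on success.
function attempt_login($user, $password): bool
{
    start_session_once();
    $users = load_users();
    if (!is_string($user) || !is_string($password) || !isset($users[$user])
        || !password_verify($password, $users[$user])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id for the logged-in state
    $_SESSION['user'] = $user;
    return true;
}

// Main.php calls this before sending any output.
function require_login(): void
{
    start_session_once();
    if (empty($_SESSION['user'])) {
        header('Location: /Login.php');
        exit; // without this the rest of Main.php would still be sent
    }
}

// Login.php:  require __DIR__ . '/../private/auth.php';
//             if (attempt_login($_POST['user'] ?? null, $_POST['pass'] ?? null)) {
//                 header('Location: /Main.php'); exit;
//             }
// Main.php:   require __DIR__ . '/../private/auth.php';
//             require_login();
```

Main.php itself stays in the html root so it can be requested; only the helper and the credential data sit above it.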