Full Version: Organization of Files on Web Server
joehesse
My tentative website has two files, Login.php and Main.php. They are both in the root of the web server.
I want users to go to MySite.com/Login.php and see a login screen which asks for a user name and password. If the user enters a correct name and password they are linked to Main.php, otherwise they get an error message.
How do I prevent the user from just going to MySite.com/Main.php and bypassing Login.php?

Thank you,
Joe
CharlesEF
When a user logs in you must set a SESSION variable, only when the login was successful. Then in the Main.php page you test for that SESSION variable. If the variable isn't set then you redirect the user to the Login.php page.
Christian J
You could let Main.php check if any POST form data was sent from Login.php. If valid form data was sent, let the PHP script on Main.php print the content, else print the error message. (Actually you don't need a separate Login.php page for this, you could let Main.php print the login form instead of the error message.)

The above will only work for a single Main.php page. If you want to protect several pages with a single login, you might let each page check for a session cookie, and if the cookie doesn't exist print a login form (or redirect to Login.php). Just be aware that lots of people disable cookies, so you need to inform the user or let a script check if the browser allows cookies.

Another simple option is to use HTTP authentication; this is done by the (Apache) server and works on a whole directory. The disadvantage is that the user stays logged in until the browser is completely closed (not just the web page). See http://www.javascriptkit.com/howto/htaccess3.shtml
joehesse
QUOTE(Christian J @ Jul 10 2018, 12:39 PM)

You could let Main.php check if any POST form data was sent from Login.php. If valid form data was sent, let the PHP script on Main.php print the content, else print the error message. (Actually you don't need a separate Login.php page for this, you could let Main.php print the login form instead of the error message.)

The above will only work for a single Main.php page. If you want to protect several pages with a single login, you might let each page check for a session cookie, and if the cookie doesn't exist print a login form (or redirect to Login.php). Just be aware that lots of people disable cookies, so you need to inform the user or let a script check if the browser allows cookies.

Another simple option is to use HTTP authentication; this is done by the (Apache) server and works on a whole directory. The disadvantage is that the user stays logged in until the browser is completely closed (not just the web page). See http://www.javascriptkit.com/howto/htaccess3.shtml


Someone suggested that I put Main.php in a folder that is not under the html root directory. Does this sound reasonable?
Christian J
QUOTE(joehesse @ Jul 10 2018, 09:38 PM)

Someone suggested that I put Main.php in a folder that is not under the html root directory. Does this sound reasonable?

Yes, it's better security to keep files with usernames and passwords above the html root. For example, if the server's PHP engine stops working properly, users may otherwise be able to see the PHP scripts directly (including any sensitive data in them).

Of course all HTML pages must be located in the html root directory, but you can always include a file from a higher level with PHP.
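
The session check and the include-from-above-the-root layout discussed in this thread, as an added example that is not part of any forum post. The auth.php file name, the private/ directory, the form field names and the sample account are assumptions made for illustration.

```php
<?php
// auth.php: hypothetical shared helper stored above the html root.
declare(strict_types=1);

session_start();

// Constructed sample account. Hashed at runtime only so the example runs
// as-is; a real site would store the hash, never the plain password.
function load_users(): array
{
    return ['joe' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
}

// Called by Login.php with the submitted form fields.
function attempt_login(string $user, string $password): bool
{
    $users = load_users();
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;                 // Login.php prints its error message
    }
    session_regenerate_id(true);      // fresh session ID once authenticated
    $_SESSION['user'] = $user;        // set only when the login succeeded
    return true;
}

// Called at the top of Main.php and every other protected page.
function require_login(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: /Login.php');
        exit;                         // stop here, or the page body is still sent
    }
}

// Login.php (in the html root), assumed form fields "user" and "pass":
//   require __DIR__ . '/../private/auth.php';
//   if (attempt_login($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//       header('Location: /Main.php');
//       exit;
//   }
//   echo 'Wrong user name or password.';
//
// Main.php (in the html root):
//   require __DIR__ . '/../private/auth.php';
//   require_login();
//   echo 'Protected content';
```

The `exit` after the redirect header matters: without it PHP keeps executing and sends the protected page body to a client that ignores the redirect.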