php - session protection

67

I am creating a webpage bit by bit, testing parts of the webpage ideas. I want to learn how to session protect a page. I have already password protected a page successfully, but anybody can access the page by typing in the URL. I want to session protect my page so no one can do that. I have three pages: index.html, which has the form which sends to the password.php, the password.php, which makes sure that the password and username are correct using "if statements" (here is the "if statement")

    if ($username == 'mgmb99'){
        if ($password == 'mgmb91mas'){
            header('Location: youhere.php');
        } else {
            echo 'your username or password is wrong.<a href="http://www.passwordtest.comze.com"> go back to login page </a>';
        }
    } else {
        echo 'your username or password is wrong.<a href="http://www.passwordtest.comze.com"> go back to login page </a>';
    };

, and the youhere.php, which is the page once you have logged in.

988

Answer

Solution:

    $_SESSION['connect']=0;

Sets the connect value in session to be 0.

Currently this check:

    if((!$_SESSION['connect']))

Will always return true because if `$_SESSION['connect']` is unset then `!$_SESSION['connect']` will be true. Likewise `if(!0)` will be true.

Try setting `$_SESSION['connect']` to true or 1 or the like or, alternatively, change the check to be:

    if(!array_key_exists('connect',$_SESSION))

227

Answer

Solution:

`( ! $_SESSION['connect'] )` is true when the session variable isn't set but also when it is set to 0. So if you want to protect youhere.php, you need to assign another value and check for it.

Also, `session_destroy()` will delete all session variables, so you log in, you go to youhere.php, but if you refresh the site, you will instantly be logged out.

632

Answer

Solution:

There is a plethora of information on Sessions on the PHP website. http://www.php.net/manual/en/intro.session.php

Here's an example with storing and killing session variables. http://www.php.net/manual/en/session.examples.basic.php

To set a Session var:

    <?php
    session_start();
    if (!isset($_SESSION['count'])) {
      $_SESSION['count'] = 0;
    } else {
      $_SESSION['count']++;
    }
    ?>

To kill the session var:

    <?php
    session_start();
    unset($_SESSION['count']);
    ?>
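The login flag the answers above discuss, put together as an added example that is not part of the original thread: the flag is set to `true` only after a successful login, the protected page checks it strictly, and logout clears it explicitly instead of calling `session_destroy()` on every page view. The file name `auth.php`, the function names and the demo credentials are assumptions; `$_SESSION['connect']`, `youhere.php` and `index.html` come from the thread.

```php
<?php
// Added example, not code from the original thread.
// Hypothetical shared file auth.php, included by password.php and youhere.php.

session_start();

// Constructed demo credentials. A real site stores only the hash, generated
// once with password_hash(); it is computed here to keep the example self-contained.
const DEMO_USER = 'demo';
$demoHash = password_hash('demo-password', PASSWORD_DEFAULT);

// For password.php: set the session flag only when both values match.
function try_login(string $user, string $pass, string $storedUser, string $storedHash): bool
{
    $userOk = hash_equals($storedUser, $user);       // constant-time string compare
    $passOk = password_verify($pass, $storedHash);   // compares against the stored hash
    if ($userOk && $passOk) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['connect'] = true;   // a truthy value, unlike 0
        return true;
    }
    return false;
}

// For the top of youhere.php, before any output is sent.
function require_login(): void
{
    // Strict comparison: an unset key, 0, '' and null all mean "not logged in".
    if (($_SESSION['connect'] ?? false) !== true) {
        header('Location: index.html');
        exit;                          // without exit the protected page is still rendered
    }
}

// For a logout link: drop the flag once, on request, not on every page load.
function logout(): void
{
    unset($_SESSION['connect']);
    session_regenerate_id(true);
}
```

In `password.php` the call would be `try_login($_POST['username'] ?? '', $_POST['password'] ?? '', DEMO_USER, $demoHash)`, assuming the form fields are named `username` and `password`.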
