
Thread: redirect if not logged in




redirect if not logged in
user name
2006-10-28 21:57:18

Hi all,

I'm having a little trouble with a login script. All works fine, but I can
still access the admin pages with the full URL. Do you have any pointers
on how I can solve this?

This is the script I'm using:

<?php
include "dbconnect.php"; // assumed to define $username and $password

$login_error = false;

// handle the logout event (read from the query string, not a register_globals variable)
if (isset($_GET['logout']) && $_GET['logout'] === 'true') {
    // expire both cookies; the value is irrelevant when deleting
    setcookie("user", "", time() - 3200);
    setcookie("pass", "", time() - 3200);
    header("Location: index.php");
    exit; // stop so nothing else is sent after the redirect
}

// handle validation event
if (!empty($_POST['user']) && !empty($_POST['pass'])) {
    if ($_POST['user'] === $username && $_POST['pass'] === $password) {
        setcookie("user", md5($_POST['user']), time() + 3200);
        setcookie("pass", md5($_POST['pass']), time() + 3200);
        header("Location: index2.php");
        exit;
    } else { $login_error = true; }
}

// handle login event, both successful and erroneous, or show login screen
if ($login_error == true) { ?>
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
<tr><td align=center bgcolor=#123dd4>LOGIN ERROR</td></tr>
<tr><td align=center><b>Invalid Username and/or Password</b><br><br><a href=index.php>Back</a></td></tr>
</table>
<?php
} elseif (isset($_COOKIE['user'], $_COOKIE['pass'])
        && $_COOKIE['user'] === md5($username)
        && $_COOKIE['pass'] === md5($password)) { ?>
<a href=index.php?logout=true>Logout</a>
<?php
} else {
?>
<form action=index.php method=post>
<table align=center style="font-family:arial; font-size:12; border:1 solid #000000;">
<tr><td colspan=2 align=center bgcolor=#123dd4>LOGIN</td></tr>
<tr><td align=right>Username: </td><td><input type=text name=user size=15></td></tr>
<tr><td align=right>Password: </td><td><input type=password name=pass size=15></td></tr>
<tr><td align=center colspan=2><input type=submit value=Login></td></tr>
</table>
</form>
<?php
}
?>

redirect if not logged in
user name
2006-10-28 22:44:22

On Sat, 2006-10-28 at 22:57 +0100, Mark Mckee wrote:
> Hi all,
>
> I'm having a little trouble with a login script. All works fine, but I can
> still access the admin pages with the full URL. Do you have any pointers
> on how I can solve this?

You have to check that they are logged in on every page that they must
log in to access. I am doing something similar on one of my sites. At the
beginning of each page they must log in to access, I am checking for the
login. If they are not logged in, then I am redirecting them to the
login page.

I am using sessions in mine, but you should be able to easily adapt this
for cookies. Something like this (WARNING: this has not been tested):

// If either the user or pass cookie is not set, redirect to the login page.
if ( (! isset($_COOKIE['user'])) || (! isset($_COOKIE['pass'])) ) {
    header("Location: login.php");
    exit; // stop here so the rest of the page is not sent
}

HTH,
--
Doug

Registered Linux User #285548 (http://counter.li.org)
----------------------------------------
Random Thought:
Life is not for everyone.
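
The per-page check described in this reply, written with sessions, as an added example that is not code from either poster: the login state is held server-side, so a cookie value supplied by the browser cannot stand in for it, and `exit` keeps the protected page from being sent after the redirect header. The file name auth.php and the functions start_secure_session(), try_login() and require_login() are hypothetical; login.php and index2.php are the names used in the thread.

```php
<?php
// auth.php (hypothetical name): include at the top of every protected page.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Keep the session ID out of reach of page scripts and plain HTTP.
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        ]);
        session_start();
    }
}

// $storedHash is a password_hash() value; where it is stored is up to the site.
function try_login(string $user, string $pass, string $expectedUser, string $storedHash): bool
{
    start_secure_session();
    // Evaluate both checks so the work done does not depend on which one failed.
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $storedHash);
    if (!($userOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);   // new session ID at login
    $_SESSION['user'] = $user;     // login state is kept server-side
    return true;
}

// Guard: code after this call runs only for a logged-in session.
function require_login(string $loginPage = 'login.php'): void
{
    start_secure_session();
    if (empty($_SESSION['user'])) {
        header('Location: ' . $loginPage);
        exit;   // header() alone does not stop the rest of the page being sent
    }
}

// At the top of an admin page such as index2.php, before any output:
//   require 'auth.php';
//   require_login();
```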
