php Page Protection

1

I found a tutorial on how to make a login system ... My problem is that when I try to restrict pages to logged-in users only, it does not work even though the user is logged in. I think the error is in the page functions.php, where the script checks whether the user is logged in.

Login System

db_connect.php     

psl-config.php

<?php
/**
 * These are the login details for the database
 */
define("HOST", "localhost");     // The host you want to connect to.
define("USER", "sec_user");    // The database user name.
define("PASSWORD", "root");    // The database password.
define("DATABASE", "secure_login");    // The database name.

define("CAN_REGISTER", "any");
define("DEFAULT_ROLE", "member");

define("SECURE", FALSE);    // STRICTLY FOR DEVELOPMENT!!!!
?>

On the functions page there is an error on line 38 and line 135 ... which prevents the user from checking

functions.php

login.php     

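<?php
// The includes that define $mysqli, sec_session_start() and login_check()
// (db_connect.php, functions.php) must be loaded before this point.
sec_session_start();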

if (login_check($mysqli) == true) {
    $logged = 'in';
} else {
    $logged = 'out';
}
?>
<!DOCTYPE html>
<html>
    <head>
        <title>Secure Login: Log In</title>
        <link rel="stylesheet" href="styles/main.css" />
        <script type="text/JavaScript" src="js/sha512.js"></script> 
        <script type="text/JavaScript" src="js/forms.js"></script> 
    </head>
    <body>
        <?php
        if (isset($_GET['error'])) {
            echo '<p class="error">Erro ao fazer o login!</p>';
        }
        ?> 
        <form action="includes/process_login.php" method="post" name="login_form">                      
            Email: <input type="text" name="email" />
            Password: <input type="password" 
                             name="password" 
                             id="password"/>
            <input type="button" 
                   value="Login" 
                   onclick="formhash(this.form, this.form.password);" /> 
        </form>
        <p>If you don't have a login, please <a href="register.php">register</a></p>
        <p>If you are done, please <a href="includes/logout.php">log out</a>.</p>
        <p>You are currently logged <?php echo $logged ?>.</p>
    </body>
</html>

protected_page.php     

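<?php
// The includes that define $mysqli, sec_session_start() and login_check()
// (db_connect.php, functions.php) must be loaded before this point.
sec_session_start();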
?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>Secure Login: Protected Page</title>
        <link rel="stylesheet" href="styles/main.css" />
    </head>
    <body>
        <?php if (login_check($mysqli) == true) : ?>
            <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
            <p>
Esta é uma página protegida para servir de exemplo. Para acessá-la, os usuários devem ter feito o login. Em dado momento, também verificaremos o papel que o usuário está desempenhando para que possamos determinar o tipo de usuário que está autorizado a acessar a página. 
            </p>
            <p>Return to <a href="index.php">login page</a></p>
        <?php else : ?>
            <p>
                <span class="error">Você não tem autorização para acessar esta página.</span> Please <a href="index.php">login</a>.
            </p>
        <?php endif; ?>
    </body>
</html>
    
asked by anonymous 12.09.2014 / 16:11

2 answers

2

Dude, I do not know if it will help you, but anyway. In the systems I develop with PHP / HTML, I make the href of all pages link to my index.php and I pass a flag for the page the user wants to go to:

<a href="index.php?PAGINA=suapagina"></a>

In my index.php, I check whether the user's $_SESSION has been started:

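if (isset($_SESSION['user_id'])) {
    // Read the page flag; an absent flag falls through to the default view
    $i = isset($_GET['PAGINA']) ? $_GET['PAGINA'] : '';

    // Only the pages listed here can be selected; anything else gets the default view
    switch ($i) {
        case 'lojas':
            $request = 'view/lojas.html';
            break;
        default:
            $request = 'view/index.html';
            break;
    }
} else {
    // Not logged in: send the user to the login view
    $request = 'view/login.html';
}
header("Location: " . $request);
exit; // stop here so nothing else runs after the redirect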

In index.php you can validate the user's permissions the way you like.

    
15.09.2014 / 16:06
1

I use a simpler way to protect pages that should be private, but maybe it will give you some "light" there. First I have a file called "valida_sessao.php", like this:

$sessao = 0;
session_start(); 
if(isset($_SESSION["sessiontime"])){ 
    if($_SESSION["sessiontime"] < time()){ 
        session_unset();
        $_SESSION['retorno_login'] = "Seu tempo de sessão expirou! Faça login novamente.";
        $sessao = 0;
        // Redirect to login
    } else {
        // Still logged in!
        // Extend the session by another 5 minutes (300 seconds)
        $_SESSION["sessiontime"] = time() + 300;
        $sessao = 1;
    }
} else { 
    session_unset();
    $_SESSION['retorno_login'] = 'Para entrar na área administrativa do site, por favor insira seu login e sua senha.';
    $sessao = 0;
}

Then, at the beginning of the private pages I put the following code:

include_once("valida_sessao.php");
if($sessao == 0){
    header('Location: login_area_adm.php');
    exit; // without this the rest of the private page is still sent after the redirect header
}

I hope I have helped; I have already received a lot of help from forums like this!

    
27.09.2015 / 01:32
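An added example, not code from either answer: the checks from the two answers above combined into one guard, with the decision kept in a pure function so it can be exercised from the command line. It assumes the login handler sets both `$_SESSION['user_id']` and `$_SESSION['sessiontime']`; `evaluate_session()` and `require_login()` are hypothetical names, and the sample sessions are constructed.

```php
<?php
// Added example. Function names are hypothetical; session keys follow the answers above.
const IDLE_SECONDS = 300; // same 5-minute window as valida_sessao.php

// Pure decision: returns [allowed, updated session array, message for the login page].
function evaluate_session(array $session, int $now): array
{
    if (!isset($session['user_id'], $session['sessiontime'])) {
        return [false, [], 'Please log in.'];
    }
    if ((int) $session['sessiontime'] < $now) {
        return [false, [], 'Your session has expired. Please log in again.'];
    }
    $session['sessiontime'] = $now + IDLE_SECONDS; // sliding expiry
    return [true, $session, ''];
}

// Call at the very top of every private page, before any output is sent.
function require_login(string $loginUrl = 'login_area_adm.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    [$ok, $session, $msg] = evaluate_session($_SESSION, time());
    $_SESSION = $session; // a rejected session is emptied here
    if (!$ok) {
        $_SESSION['retorno_login'] = $msg;
        header('Location: ' . $loginUrl);
        exit; // a Location header alone does not stop the page from rendering
    }
}

// Constructed sample sessions, evaluated at a fixed clock so the result is repeatable.
if (PHP_SAPI === 'cli') {
    $now = 1000;
    $cases = [
        'active'    => ['user_id' => 7, 'sessiontime' => 1200],
        'expired'   => ['user_id' => 7, 'sessiontime' => 900],
        'anonymous' => [],
    ];
    foreach ($cases as $name => $s) {
        [$ok, $new] = evaluate_session($s, $now);
        printf("%-9s allowed=%s next_expiry=%s\n", $name, $ok ? 'yes' : 'no', $new['sessiontime'] ?? '-');
    }
}
```

On a private page the only line needed is `require_login();` placed before any HTML.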