To solve this problem, I store some variables in a session, and at the beginning of each page that needs to be secure in my site, I check to see if the session variable is set (usually $userid); if not, I redirect the user back to the logon page. At least two things will cause the variable to be missing: a direct reference to the page using the URL, and the session having expired.
I also make it a practice of coding a page as two separate PHP files, the first of which performs the test above, retrieves information and presents it on the web page (this is my presentation layer). The second PHP program is referenced as the Action of my form, or as an href from an anchor on the form when data is not to be submitted. This second PHP program may test again for my session variable, but it does only processing (storing data in the database, etc.), then does a redirect, header("Location: page.php"); some of the redirections will take it back to the page in file one, other redirections will take it to other pages. The reason for this dual program style is that it avoids the problem with using the POST method of form processing and pressing the back button on the browser (IE and Netscape both issue an error). Because every one of the pages presented in my application is redirected to, they are entered by a "GET" by default and the back button works fine. The second "process only" program can pass variables to the next form either as GET parameters appended to the URL, or as a session variable. A redirect cannot cause a form to be entered with a POST method that I am aware of.

hope this helps,

Warren Vail
Tools, Metrics & Quality Processes
(415) 667-7814
Pager (877) 774-9891
215 Fremont 02-658

-----Original Message-----
From: Omland Christopher m [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 10:25 AM
To: Rouvas Stathis
Cc: Kevin Stone; 'Justin French'; 'php'
Subject: [PHP] User Authentication

Hi, I had a question on user authentication/member accounts.

I have built a MySQL database with users and passwords, and I wrote this code:

<html>
<head><title>LOGIN IN PROGRESS</title></head>
<?php
// Connect before any output is produced; constants HOST, USER, PASS, DB
// are assumed to be defined elsewhere (as in the original post)
mysql_connect(HOST, USER, PASS);
mysql_select_db(DB);
?>
<body bgcolor="white">
<h2>PLEASE LOG IN</h2>
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<table cellpadding="2" cellspacing="0" border="0">
<tr><td>Username:</td><td><input type="text" name="User" size="10"></td></tr>
<tr><td>Password:</td><td><input type="password" name="Pass" size="10"></td></tr>
<tr><td>&nbsp;</td><td><input type="submit" name="submit" value="Log In"></td></tr>
</table></form>
<?php
// Read the form fields from $_POST rather than relying on register_globals
if (isset($_POST['submit'])) {
    // Escape the username before building the query string
    $user = mysql_real_escape_string($_POST['User']);
    $result = mysql_query("select * from Users where User='$user'") or die("cant do it");
    while ($row = mysql_fetch_array($result)) {
        if ($row["Pass"] === $_POST['Pass']) {
            printf("Successfully Logged In! <a href=\"about.php\">Click Here</a>");
        }
    }
}
?>
</body>
</html>

So this will work; it recognizes a real user vs. a fake one I do. But I don't understand what's to stop someone from directly linking to a protected page? For example, why couldn't someone just go directly to ...../about.php. Does this make sense? Should I have the login form in one file and the php script in another? Do I need to check the http header somehow to see if they have logged in?

Thanks.
-Chris

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
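The session check and the "process only" redirect script that Warren describes, written out in current PHP as an added example (not code from either poster). It assumes a PDO connection $pdo and a users table with columns id, username and password_hash (the hash produced by password_hash()); the file names are illustrative.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO) and a users table
// (id, username, password_hash) created with password_hash(); names are illustrative.

// --- require_login.php: include at the top of every protected page ----------
function require_login(string $login_url = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // A missing $_SESSION['userid'] covers both cases Warren names:
    // a direct URL request with no login, and an expired or destroyed session.
    if (empty($_SESSION['userid'])) {
        header('Location: ' . $login_url, true, 303);
        exit; // without exit the protected HTML below would still be sent
    }
}

// --- login_process.php: the "process only" script the login form POSTs to ---
function process_login(PDO $pdo, string $user, string $pass): void
{
    session_start();
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);               // bound parameter, not string-built SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a hash even for unknown users so the response time
    // does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);
    if ($row !== false && password_verify($pass, $hash)) {
        session_regenerate_id(true);       // fresh session id after login
        $_SESSION['userid'] = (int) $row['id'];
        header('Location: about.php', true, 303); // redirect => GET, Back button works
    } else {
        $_SESSION['login_error'] = 'Invalid username or password';
        header('Location: login.php', true, 303);
    }
    exit;
}

// In login_process.php:
//   process_login($pdo, $_POST['User'] ?? '', $_POST['Pass'] ?? '');
// At the top of about.php (or any protected page):
//   require_once 'require_login.php';
//   require_login();
//   echo 'Welcome, user #' . (int) $_SESSION['userid'];
```

Going straight to about.php without a session now yields a 303 to login.php, and because every page is reached via redirect the browser treats it as a GET, which is the back-button behaviour Warren is after.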