I haven't been able to find any examples, so ... I have a private site where only members can log in. All members can view all pages in the general content area. Also there is a private area for each member with proprietary documents. I am trying to control access to these areas with PHP. My idea is to have code at the top of each page to restrict access to a specific user out of about 50. On the login page I have set $_SESSION['username'] to equal $_POST['username'], and then on the proprietary page I have the following code, which does not seem to work since any access attempt falls through to the access-denied page.

<?php
session_start();
$_username = "the specific allowed username";
// deny unless the session carries exactly the allowed name
if (!isset($_SESSION['username']) || $_SESSION['username'] !== $_username) {
    header("Location: /content/access-denied.php");
    exit; // stop here; without exit the rest of the page is still sent after the redirect header
}
?>

Any assistance greatly appreciated.
On the login page, do you also have session_start() at the top? This is needed if the session.auto_start option is turned Off in php.ini. Also, I would check the following PHP parameters: session.save_path and session.use_only_cookies. Also, in the login script I'd suggest having code like this:

<?php
session_start();
$_username = "the specific allowed username";
if (isset($_SESSION['username']) && $_SESSION['username'] == $_username) {
    session_write_close();
    // 303 passed as the status argument works under every SAPI; a bare "Status:" header is only honoured under CGI
    header("Location: /member_area.php", true, 303);
    exit;
}
// .... login page html code below
?>
Thank you for the feedback, Sergey. Yes, I have session_start() at the top of the login page. If I have understood you, your suggestions relate to the login page, but my problem is with the individual page in the subsection restricted to an individual user. I'm sure there is a much more sophisticated way to accomplish this, but my knowledge isn't there yet. Here is the full code for my login page.

<?php
session_start();
// assign values
unset($_SESSION['username']);
if (isset($_POST['username'])) {
    // remove slashes, surrounding space and html tags before storing the name
    $username = stripslashes($_POST['username']);
    $username = trim($username);
    $username = strip_tags($username);
    $_SESSION['username'] = $username;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
</head>
<body>
<!-- login form here -->
</body>
</html>

The pages that I want to secure for individual users are located in sub-folders within the content folder. When user A tries to log in to page X, I need to verify the user (I'm trying to do this with $_SESSION['username']) and then ensure that only user A can access the page content and all other users are redirected to a deny access page. I was trying to do that with this code at the top of page X:

<?php
session_start();
$_username = "user A";
if (isset($_SESSION['username']) && $_SESSION['username'] == $_username) {
    // this is the part I'm having trouble with .... if the $_SESSION['username'] trying to access the page is user A then let them see this page content .... else send to deny. How do I state this?
} else {
    header("Location: /content/access-denied.php");
    exit;
}
?>

I'm not sure if my code is even valid, so any help is appreciated. Thank you again.
I have achieved the result I needed. Below is the solution that worked for me.

<?php
session_start();
// GUEST_NAME is a constant defined elsewhere in the site (not shown here)
if (isset($_SESSION['username']) && isset($_SESSION['userid']) && $_SESSION['username'] != GUEST_NAME) {
    // user is logged in
} else {
    header("Location: /secure/s_loginForm.php");
    exit; // without exit the script would continue into the check below
}
// now test to ensure that the user is allowed access to this page
if ($_SESSION['username'] == "userthatisallowedaccess") {
    // allowed: page content follows
} else {
    header("Location: ../s_access-deny.php");
    exit;
}
?>
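Pulling the thread together, here is a hardened version of the pattern discussed above, written as a single include so the check is not copied by hand into every page. This is an added example, not code from any of the posters. It assumes a hypothetical $USERS table constructed inline (with password hashes computed at load time purely so the demo is self-contained), the redirect paths used in the thread, and PHP 7.3 or later for the array form of session_set_cookie_params(). It goes beyond the posted snippets in four ways: the login actually verifies a password with password_verify() instead of storing whatever name was posted, the session id is regenerated on login, every redirect is followed by exit (PHP keeps executing after header(), so without it the protected content is still sent to the client alongside the 3xx), and the per-page rule is an allowlist of usernames compared strictly rather than a loose == against one literal.

```php
<?php
// auth.php -- added example for this thread; it is not code from any of the posters.
// Assumptions (all hypothetical): the $USERS table below stands in for the real
// member database, the redirect paths are the ones used in the thread, and
// PHP 7.3+ is available (array form of session_set_cookie_params()).
declare(strict_types=1);

// Constructed sample member table: username => id and password hash.
// Hashes are computed here only so the demo is self-contained; a real site
// stores the output of password_hash() and never keeps the plaintext.
$USERS = [
    'userA' => ['id' => 1, 'hash' => password_hash('userA-demo-password', PASSWORD_DEFAULT)],
    'userB' => ['id' => 2, 'hash' => password_hash('userB-demo-password', PASSWORD_DEFAULT)],
];

// Start the session with cookie flags that keep the id off clear-text HTTP and
// away from script. Must run before any output (including whitespace or a BOM
// ahead of "<?php"), otherwise the session cookie is never sent.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1'); // ignore ids passed in the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Redirect and stop. The exit is essential: PHP keeps running after header(),
// so without it the protected page body would still be sent along with the 303.
function redirect(string $location): void
{
    header('Location: ' . $location, true, 303);
    exit;
}

// Verify credentials and bind the session to the user. Returns false on any
// failure without revealing whether the username or the password was wrong.
function login(array $users, string $username, string $password): bool
{
    $username = trim($username);
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh id on privilege change (session fixation)
    $_SESSION['user_id']  = $users[$username]['id'];
    $_SESSION['username'] = $username;
    $_SESSION['login_at'] = time();
    return true;
}

// Name of the logged-in user, or null if the session carries no login.
function current_user(): ?string
{
    if (isset($_SESSION['user_id'], $_SESSION['username']) && is_string($_SESSION['username'])) {
        return $_SESSION['username'];
    }
    return null;
}

// Gate for the general member area: anyone logged in may pass.
function require_login(): string
{
    $user = current_user();
    if ($user === null) {
        redirect('/secure/s_loginForm.php');
    }
    return $user;
}

// Gate for a private page: only the listed usernames may pass. Strict in_array
// avoids loose == surprises such as "1e1" == "10" being true.
function require_user(string ...$allowed): string
{
    $user = require_login();
    if (!in_array($user, $allowed, true)) {
        redirect('/content/access-denied.php');
    }
    return $user;
}

// Clear the server-side data and expire the cookie.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Login handler (form POSTs "username" and "password" to this script):
//   require __DIR__ . '/auth.php';
//   start_secure_session();
//   if ($_SERVER['REQUEST_METHOD'] === 'POST'
//       && login($USERS, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//       redirect('/member_area.php');
//   }
//   // ... otherwise render the login form
//
// Top of a page that only userA may read, before any HTML:
//   require __DIR__ . '/auth.php';
//   start_secure_session();
//   $user = require_user('userA');
```

Two checks worth running if a page like this still "falls through" to the deny page: confirm with your browser's developer tools that the session cookie is actually being set by the login response (an output byte before session_start() silently prevents it, as does the secure flag on a plain-HTTP site), and log both sides of the comparison on the protected page so a trailing space or case difference in the stored name is visible rather than guessed at.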