Here's a quick way to secure a page so that only logged-in users can access it; anyone else is shown a login page.
This system uses sessions, and uses headers to redirect the user. Enable sessions and output buffering at the top of the file.
- Username: demo
- Password: demopassword
session_start();
ob_start();
To log a user out, destroy the session and refresh the page.
if(isset($_GET['logout'])){
    session_destroy();
    header('Location: '.$_SERVER['PHP_SELF']);
    exit;
}
To show the page contents to logged-in users, check the session: if authorised is set, show the contents.
if(isset($_SESSION['authorised'])){
Otherwise show a login form.
<fieldset>
    <legend>Login</legend>
    <form action='' method='post'>
        <p>Username: <input type='text' name='username' value=''></p>
        <p>Password: <input type='password' name='password' value=''></p>
        <p><input type='submit' name='loginsubmit' value='Login'></p>
    </form>
</fieldset>
If the form has been submitted, capture the username and password from the form and check them against a defined username and password. If they match, create the session and refresh the page; otherwise create an error message and save it to a variable called $error.
if(isset($_POST['loginsubmit'])){
    $username = $_POST['username'];
    $password = $_POST['password'];
    if($username === 'demo' && $password === 'demopassword'){
        //correct username and password
        //issue a new session id on login to prevent session fixation
        session_regenerate_id(true);
        $_SESSION['authorised'] = true;
        header('Location: '.$_SERVER['PHP_SELF']);
        exit;
    } else {
        $error = '<p style="color:#ff0000;">Sorry wrong username or password</p><p>Please try again</p>';
    }
}
If the error has been created then show it.
<?php if(isset($error)){ echo $error; }?>
At the bottom of the file, flush the output buffer by calling ob_flush();
Putting it all together:
<?php
session_start();
ob_start();
//log the user out
if(isset($_GET['logout'])){
    session_destroy();
    header('Location: '.$_SERVER['PHP_SELF']);
    exit;
}
?>
<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Member Only Page</title>
</head>
<body>
<?php
//already logged in
if(isset($_SESSION['authorised'])){
?>
    <h1>Member Only Page</h1>
    <p>This page can only be seen when logged in.</p>
    <p><a href="?logout">Logout</a></p>
<?php
} else { //user needs to login
    if(isset($_POST['loginsubmit'])){
        $username = $_POST['username'];
        $password = $_POST['password'];
        if($username === 'demo' && $password === 'demopassword'){
            //correct username and password
            //issue a new session id on login to prevent session fixation
            session_regenerate_id(true);
            $_SESSION['authorised'] = true;
            header('Location: '.$_SERVER['PHP_SELF']);
            exit;
        } else {
            $error = '<p style="color:#ff0000;">Sorry wrong username or password</p><p>Please try again</p>';
        }
    }
?>
    <div style='margin:auto; width:300px; margin-top:20px;'>
        <?php if(isset($error)){ echo $error; }?>
        <fieldset>
            <legend>Login</legend>
            <form action='' method='post'>
                <p>Username: <input type='text' name='username' value=''></p>
                <p>Password: <input type='password' name='password' value=''></p>
                <p><input type='submit' name='loginsubmit' value='Login'></p>
            </form>
        </fieldset>
    </div>
<?php } ?>
</body>
</html>
<?php ob_flush(); ?>
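A hardened variant of the login check, as an added example that is not part of the original tutorial: it stores a password hash instead of the plaintext password, rejects non-string form input, and issues a new session ID on login. The credentials_ok() helper and the $users array are hypothetical names, and the hash is generated at run time only to keep the example self-contained.

```php
<?php
// Added example: hardened version of the tutorial's login check.
// In a real deployment store only the hash (generate it once and keep it
// in config); it is computed here so the example is self-contained.
$users = ['demo' => password_hash('demopassword', PASSWORD_DEFAULT)];

// Hypothetical helper: true only when both fields are strings and match.
function credentials_ok(array $post, array $users): bool
{
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    // A field sent as username[]=x arrives as an array; reject non-strings.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // Verify against a dummy hash for unknown users so both paths do
    // comparable work and response time does not reveal valid usernames.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $known = array_key_exists($username, $users);
    $hash  = $known ? $users[$username] : $dummy;
    return password_verify($password, $hash) && $known;
}

session_start();
if (isset($_POST['loginsubmit'])) {
    if (credentials_ok($_POST, $users)) {
        // A new session ID on privilege change defeats session fixation.
        session_regenerate_id(true);
        $_SESSION['authorised'] = true;
        // SCRIPT_NAME omits any client-supplied PATH_INFO that PHP_SELF includes.
        header('Location: ' . $_SERVER['SCRIPT_NAME']);
        exit;
    }
    $error = 'Sorry wrong username or password';
}
// Escape on output, in case $error ever carries user-supplied text.
if (isset($error)) {
    echo '<p style="color:#ff0000;">'
        . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
}
```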