
David Carr

Simple Member Only Page

Here's a quick way to secure a page so that only logged-in users can access it; anyone else is shown a login page.

Demo login:

  • Username: demo
  • Password: demopassword

This system uses sessions, and uses headers to redirect the user. Enable sessions and output buffering at the top of the file.

session_start();
ob_start();

To log a user out, destroy the session and refresh the page.

if(isset($_GET['logout'])){
    session_destroy();
    header('Location: '.$_SERVER['PHP_SELF']);
    exit;    
}

To show the page contents only to logged-in users, check the session: if authorised is set, show the contents.

if(isset($_SESSION['authorised'])){

Otherwise show a login form.

<fieldset>
    <legend>Login</legend>
    <form action='' method='post'>
        <p>Username: <input type='text' name='username' value=''></p>
        <p>Password: <input type='password' name='password' value=''></p>
        <p><input type='submit' name='loginsubmit' value='Login'></p>
    </form>
</fieldset>

If the form has been submitted, capture the username and password from the form and check them against a defined username and password. If they match, create the session and refresh the page; otherwise create an error message and save it to a variable called $error.

if(isset($_POST['loginsubmit'])){

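    //default to an empty string so a missing field does not raise a notice
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    //strict comparison: no type juggling on the submitted values
    if($username === 'demo' && $password === 'demopassword'){
        //correct username and password
        session_regenerate_id(true); //new session ID on login prevents session fixation
        $_SESSION['authorised'] = true;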
        header('Location: '.$_SERVER['PHP_SELF']);
        exit;
    } else {
        $error = '<p style="color:#ff0000;">Sorry wrong username or password</p><p>Please try again</p>';
    }
}

If the error has been created then show it.

<?php if(isset($error)){ echo $error; }?>

At the bottom of the file, flush the output buffer by calling ob_flush();

Putting it all together:

<?php
session_start();
ob_start();

if(isset($_GET['logout'])){
    session_destroy();
    header('Location: '.$_SERVER['PHP_SELF']);
    exit;    
}

?>

<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Member Only Page</title>

</head>
<body>

<?php

//already logged in
if(isset($_SESSION['authorised'])){
?>

    <h1>Member Only Page</h1>
    <p>This page can only be seen when logged in.</p>
    <p><a href="?logout">Logout</a></p>


<?php 
} else { //user needs to login

    if(isset($_POST['loginsubmit'])){

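        //default to an empty string so a missing field does not raise a notice
        $username = $_POST['username'] ?? '';
        $password = $_POST['password'] ?? '';

        //strict comparison: no type juggling on the submitted values
        if($username === 'demo' && $password === 'demopassword'){
            //correct username and password
            session_regenerate_id(true); //new session ID on login prevents session fixation
            $_SESSION['authorised'] = true;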
            header('Location: '.$_SERVER['PHP_SELF']);
            exit;
        } else {
            $error = '<p style="color:#ff0000;">Sorry wrong username or password</p><p>Please try again</p>';
        }
    }

    ?>

    <div style='margin:auto; width:300px; margin-top:20px;'>
        
        <?php if(isset($error)){ echo $error; }?>

        <fieldset>
            <legend>Login</legend>
            <form action='' method='post'>
                <p>Username: <input type='text' name='username' value=''></p>
                <p>Password: <input type='password' name='password' value=''></p>
                <p><input type='submit' name='loginsubmit' value='Login'></p>
            </form>
        </fieldset>
        

    </div>

<?php } ?> 
</body>
</html>
<?php ob_flush(); ?>
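
A hardened form of the login check and logout above, as an added example that is not part of the original tutorial: it verifies the password against a hash instead of a plaintext literal, rejects non-string input, regenerates the session ID on login and expires the session cookie on logout. The names DEMO_USER, demo_hash(), credentials_ok(), log_in() and log_out() are assumptions made for illustration.

```php
<?php
// Added example, not the tutorial's own code. DEMO_USER, demo_hash(),
// credentials_ok(), log_in() and log_out() are hypothetical names.
declare(strict_types=1);

const DEMO_USER = 'demo';

// A real site stores the output of password_hash() once; it is computed here
// (from the tutorial's demo password) only to keep the example self-contained.
function demo_hash(): string {
    static $hash = null;
    return $hash ??= password_hash('demopassword', PASSWORD_DEFAULT);
}

function credentials_ok($username, $password): bool {
    // $_POST fields can arrive as arrays (username[]=x); accept strings only.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // Evaluate both checks so a wrong username is not rejected faster.
    $userOk = hash_equals(DEMO_USER, $username);
    $passOk = password_verify($password, demo_hash());
    return $userOk && $passOk;
}

function log_in(): void {
    session_regenerate_id(true); // new ID on login blocks session fixation
    $_SESSION['authorised'] = true;
}

function log_out(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) { // expire the browser's session cookie too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Constructed inputs: run with `php file.php` to see each decision.
if (PHP_SAPI === 'cli') {
    $cases = [['demo', 'demopassword'], ['demo', 'wrong'],
              ['admin', 'demopassword'], [['demo'], 'demopassword'], [null, null]];
    foreach ($cases as [$u, $p]) {
        printf("%-10s %s\n", json_encode($u), credentials_ok($u, $p) ? 'accept' : 'reject');
    }
}
```

In the tutorial's page, call credentials_ok($_POST['username'] ?? null, $_POST['password'] ?? null) in place of the == comparison, log_in() before the redirect, and log_out() in the ?logout branch.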

 


© 2009 - 2021 DC Blog. All code MIT license. All rights reserved.