Arihant

Reputation: 4047

How to block direct access to my php file

I have the following files with flow:

index.html -> login.php -> displayinbox.php

The login.php file confirms the user against the database and redirects to the displayinbox.php file.

The problem is that if someone just types the direct link to the displayinbox.php page, the script in the page runs.

How can I stop this from happening? I tried the 'define' and 'defined' method, but that just works for the included files, I guess. Any help?

Upvotes: 1

Views: 3026

Answers (3)

Andrew Brown

Reputation: 5424

This is a very open-ended question on security that requires more than any answer here could fully provide. At the very simplest level, setting a $_SESSION variable is the way I would go.

If you're using an MVC pattern, have a Secure_Controller that all controllers that require password access extend from. If not using an MVC or even some type of templating, you'll have to include a script in every page that you would like password protected.

login.php

<?php
session_start(); // must run before $_SESSION is read or written
// check username and pw against the database
if ($passwordAndUsername == 'good') {
    $_SESSION['loggedIn'] = 'yes';
}
?>

securityCheck.php

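<?php
session_start(); // load the session so the login flag is visible
// isset() avoids an undefined-index notice for visitors with no session data
if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] != 'yes') {
    $message = 'you must log in to see this page.';
    header('location:login.php');
    exit; // stop here, otherwise the protected page keeps executing
}
?>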

Include securityCheck.php at the beginning of any password protected pages.

Upvotes: 1

Sterling Archer

Reputation: 22395

Use a session value to track if a user is logged in. If !$_SESSION['whatever'], redirect them to the index/login page.

Example:

login.php

session_start();
/* login code here */
$_SESSION['logged_in'] = true;

displayinbox.php

session_start();
if (empty($_SESSION['logged_in'])) { // empty() also covers a missing key
    header("Location: login.php");
    exit;
}

Upvotes: 3

JerryHuang.me

Reputation: 1790

There are many ways to do this. Include login.php at the top of your displayinbox.php and POST_SELF, or after login, set session cookies and check for them at the top of your displayinbox.php page.

Upvotes: 0
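Added example, not part of any answer above: the session check the answers describe, collected into one include so that login.php and displayinbox.php share it. The file name auth.php, the function names, the user_id and last_seen keys and the 30-minute idle limit are assumptions for illustration, and the idle timeout and session ID regeneration go beyond what the answers show. It assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// auth.php: hypothetical shared include (file and function names are assumptions).
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by an earlier include
    }
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,   // session cookie is not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from login.php only after the credentials were verified against the database.
function mark_logged_in(int $userId): void
{
    start_secure_session();
    session_regenerate_id(true); // fresh session ID, so a pre-login ID is useless
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

// Call as the first statement of displayinbox.php and every other protected page.
function require_login(int $idleLimit = 1800): void
{
    start_secure_session();
    $ok = !empty($_SESSION['logged_in'])
        && isset($_SESSION['last_seen'])
        && (time() - $_SESSION['last_seen']) <= $idleLimit;
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit; // without exit the rest of the protected page still executes
    }
    $_SESSION['last_seen'] = time(); // sliding idle window
}
```

displayinbox.php then begins with `require __DIR__ . '/auth.php'; require_login();` before any output is sent, since header() cannot redirect once the response body has started.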
