Social

Reputation: 1

How can I prevent users from logging in, then typing a URL and carrying the session to that URL?

I am creating a website where you can log in to a free version of a specific area, and you pay to get to a paid version of that specific area. But when I log in to the free version of that area and type in the URL of the paid version, it takes me there. How can I make sure that when the URL is typed in, it redirects the user?

The index.php for the free version is the same for the paid version.

Here is the code for the free version:

index.php:

<!--
//index.php
!--> 
<?php

include('database_connection.php');

session_start();

include('session.php'); 

if(!isset($_SESSION['id']))
{

}


?>  
<!DOCTYPE html>
<html>
    <head> 
         <link rel="stylesheet" href="style.css">
        <script src="https://code.jquery.com/jquery-1.12.4.js"></script>
        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-3-typeahead/4.0.2/bootstrap3-typeahead.min.js"></script> 
    </head>
    <body>
        <div class="container">
            <?php
            include('menu.php');
            ?>
            <div class="row">
                <div class="col-md-8">
                    <div class="panel panel-default">
                        <br>
                        <div class="panel-heading" style="background-color: #fff1a3;">
                            <div class="row">
                                <div class="col-md-8">
                                    <h3 class="panel-title" style="color: white"><br></h3>
                                </div>

                                <div class="col-md-4">
                                    <div class="image_upload">
                                        <form id="uploadImage" method="post" action="upload.php">
                                            <label for="uploadFile"><img src="image.png" /></label>
                                            <input type="file" name="uploadFile" id="uploadFile" accept=".jpg, .png, .mp4" />
                                        </form>
                                    </div>

                                </div>
                            </div>
                        </div>
                        <div class="panel-body">
                            <form method="post" id="post_form">

                                <div class="form-group" id="dynamic_field">

                                    <textarea style="resize: none;" name="post_content" id="post_content" maxlength="160" class="form-control" placeholder="Make a post"></textarea>
                                </div>
                                <div id="link_content"></div>
                                <div class="form-group" align="right">

                                    <input type="hidden" name="action" value="insert" />
                                    <input type="hidden" name="post_type" id="post_type" value="text" />
                                    <br>
                                    <input type="submit" style="float:left; background-color: #a5dbff; width: 12%; border: none; margin-left: -1.6%;" name="share_post" id="share_post" class="btn btn-primary" value="Post" />
                                </div>

                            </form>
                        </div>
                    </div>
                     <div class="panel panel-default">
                        <div class="panel-heading">
                            <h3 class="panel-title">All Posts</h3>
                        </div>
                        <div class="panel-body">
                            <div id="post_list">

                            </div>

                        </div>
                    </div>
                </div>

                <div class="col-md-4">
                    <div class="panel panel-default">
                        <br>
                        <div class="panel-heading" style='background-color: #5bc0de;'>
                            <h3 class="panel-title"  style='color: white;'>Users</h3>
                        </div>

                        <div class="panel-body">
                            <div id="user_list"></div>
                        </div>
                    </div>
                </div>
            </div>
        </div>

    </body>
</html>

<?php

include('jquery.php');

?>

Login for the free version:


<!--
//login.php
!-->

<?php

include('database_connection.php');

session_start();

$message = '';

if(isset($_SESSION['user_id']))
{
    header('location:index.php');
    exit; // stop executing, otherwise the rest of the page is still processed
}

if(isset($_POST["login"]))
{
    $query = "
    SELECT * FROM tbl_twitter_user
        WHERE username = :username
    ";
    $statement = $connect->prepare($query);
    $statement->execute(
        array(
            ':username' => $_POST["username"]
        )
    );
    $count = $statement->rowCount();
    if($count > 0)
    {
        $result = $statement->fetchAll();
        foreach($result as $row)
        {
            if(password_verify($_POST['password'], $row['password']))
            {
                $_SESSION['user_id'] = $row['user_id'];
                $_SESSION['username'] = $row['username'];
                header('location: page.php');
                exit; // stop executing after the redirect
            }
            else
            {
                $message = '<label>Wrong Password</label>';
            }
        }
    }
    else
    {
        $message = '<label>Wrong Username</label>';
    }
}


?>
<!DOCTYPE html>
 <html>
    <head>
        <title>Connect Kitty</title>
        <link rel="stylesheet" href="mdp.css">
        <link rel="stylesheet" href="bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    </head>
    <body> 
     <br> 



   <script type="text/javascript">
   <!--
   var step=1
   function slideit(){
   document.images.slide.src=eval("image"+step+".src")
   if(step<6)
   step++
   else
   step=1
   setTimeout("slideit()",2500)
   }
   slideit()
   </script>
        </div>
    </div>
        </div>
    </div>
        <div class="container" style="text-align: center">
            <div class="panel panel-default">
                <div class="panel-body">
                        <div class="regisFrm">

                <div class="panel panel-default" align="center">
                <div class="panel-body">
                    <form method="post">
                        <p class="text-danger"><?php echo $message; ?></p>
                        <div class="form-group">
                            <input type="text" name="username" placeholder="Username" id="email" class="form-control" required />
                        </div>
                        <br>
                        <div class="form-group">
                            <input type="password" name="password" placeholder="Password" id="phone" class="form-control" required />
                        </div>
                        <br>
                        <div class="form-group">
                            <input type="submit" name="login" id="login" class="btn btn-info" value="Login" />
                        </div>
                        <br>

                    </form>
                </div>
            </div>
            <br><p id="u" align="center">Don't have an account? <a href="new.php">Register</a></p>
        <footer><br><br><a class='term' href='CK TermsofService.pdf'>Terms, Data Policy, and Cookies Policy</a><br><br><br></footer>
    </body>
</html>

And here is the login for the paid version:

login.php:

<!--
//login.php
!-->

<?php

include('database_connection.php');

session_start();

$message = '';

if(isset($_SESSION['user_id']))
{
 }

if(isset($_POST["login"]))
{
    $query = "
    SELECT * FROM tbl_twitter_user
        WHERE username = :username AND plan = 1
    ";
    $statement = $connect->prepare($query);
    $statement->execute(
        array(
            ':username' => $_POST["username"]
        )
    );
    $count = $statement->rowCount();
    if($count > 0)
    {
        $result = $statement->fetchAll();
        foreach($result as $row)
        {
            if(password_verify($_POST['password'], $row['password']))
            {
                $_SESSION['user_id'] = $row['user_id'];
                $_SESSION['username'] = $row['username'];
                header('location: index.php');
                exit; // stop executing after the redirect
            }
            else
            {
                $message = '<label>Wrong Password</label>';
            }
        }
    }
    else
    {
        $message = '<label>You are not a subscriber, to become a subscriber, return <a href="../mop/paidcatwalk.php">here</a></label>';
    }

}


?>
<!DOCTYPE html>
 <html>
    <head>
        <title>Connect Kitty</title>
        <link rel="stylesheet" href="mdp.css">
        <link rel="stylesheet" href="bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
        <meta name="viewport" content="width=device-width, initial-scale=1.0"> 
    </head>
    <body> 
   <script type="text/javascript">
   <!--
   var step=1
   function slideit(){
   document.images.slide.src=eval("image"+step+".src")
   if(step<6)
   step++
   else
   step=1
   setTimeout("slideit()",2500)
   }
   slideit()
   </script>
        </div>
    </div>
        </div>
    </div>
        <div class="container" style="text-align: center">
            <div class="panel panel-default">
                <div class="panel-body">
                        <div class="regisFrm">

                <div class="panel panel-default" align="center">
                <div class="panel-body">
                    <form method="post">
                        <p class="text-danger"><?php echo $message; ?></p>
                        <div class="form-group">
                            <input type="text" name="username" placeholder="Username" id="email" class="form-control" required />
                        </div>
                        <br>
                        <div class="form-group">
                            <input type="password" name="password" placeholder="Password" id="phone" class="form-control" required />
                        </div>
                        <br>
                        <div class="form-group">
                            <input type="submit" name="login" id="login" class="btn btn-info" value="Login" />
                        </div>
                        <br>

                    </form>
                </div>
            </div>
            <br><p id="u" align="center">Don't have an account? <a href="new.php">Register</a></p>
        <footer><br><br><a class='term' href='CK TermsofService.pdf'>Terms, Data Policy, and Cookies Policy</a><br><br><br></footer>
    </body>
</html>

I have tried using this:

<?php
if(!isset($_POST['login'])) {
 header('Location: login.php');
} 
?>

This would trigger a redirect if the actual login form was not submitted to enter the page, but when I use this code, after I log in it does not direct me to the index.php page.

Upvotes: 0

Views: 60

Answers (1)

symcbean

Reputation: 48357

You need to store the authorization state in the session, not just the authentication state.

Upvotes: 1
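An added example (not the asker's or the answerer's code) of what the answer recommends, applied to the setup in the question: the login reads the user's plan from the database and stores it in the session next to the user id, and a guard included at the top of the paid index.php checks that stored plan before any output. The table and column names (tbl_twitter_user, plan = 1 for subscribers) come from the question; the file name auth_guard.php and the function names login_user, require_login and require_plan are assumptions.

```php
<?php
// auth_guard.php (hypothetical file name). Assumes the question's
// tbl_twitter_user table with columns user_id, username, password
// (a password_hash() value) and plan (1 = paid subscriber, 0 = free).

declare(strict_types=1);

/**
 * Authenticate the user and record BOTH who they are (authentication)
 * and what they may access (authorization: their plan) in the session.
 * Returns true on success, false on an unknown user or wrong password.
 */
function login_user(PDO $connect, string $username, string $password): bool
{
    $statement = $connect->prepare(
        'SELECT user_id, username, password, plan
           FROM tbl_twitter_user WHERE username = :username'
    );
    $statement->execute([':username' => $username]);
    $row = $statement->fetch(PDO::FETCH_ASSOC);

    // One failure path for "no such user" and "wrong password", so the
    // login form does not reveal which usernames exist.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // New session id on privilege change: defeats session fixation.
    session_regenerate_id(true);

    $_SESSION['user_id']  = (int) $row['user_id'];
    $_SESSION['username'] = $row['username'];
    // Authorization state comes from the database row, never from $_POST.
    $_SESSION['plan']     = (int) $row['plan'];
    return true;
}

/** Send anonymous visitors to the login page and stop rendering. */
function require_login(string $loginUrl = 'login.php'): void
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        exit; // without exit, PHP keeps going and serves the page anyway
    }
}

/** Send logged-in users whose plan is below $minPlan to the upgrade page. */
function require_plan(int $minPlan, string $upgradeUrl = '../mop/paidcatwalk.php'): void
{
    require_login();
    $plan = (int) ($_SESSION['plan'] ?? 0);
    if ($plan < $minPlan) {
        header('Location: ' . $upgradeUrl);
        exit;
    }
}

// ---- usage at the top of the paid index.php, before any HTML output ----
// session_start();
// require_once __DIR__ . '/auth_guard.php';
// require_plan(1);   // a free user (plan 0) who types the URL is redirected

// ---- usage in login.php (one login script serves both versions) ----
// session_start();
// require_once __DIR__ . '/auth_guard.php';
// if (isset($_POST['login'])) {
//     if (login_user($connect, $_POST['username'], $_POST['password'])) {
//         header('Location: index.php');
//         exit;
//     }
//     $message = '<label>Wrong username or password</label>';
// }
```

The `$_POST['login']` check the question tries cannot work as a page guard: the form submission is a single request, and on the next request (the redirect to index.php, or a typed URL) `$_POST` is empty. Session data survives across requests, which is why the guard reads `$_SESSION['plan']`; with a single login script storing the plan, the paid login's `AND plan = 1` filter is no longer needed, and the paid pages stay protected even if a free user reaches them by typing the address.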
