Implementing User Authorization Using Session Control


You may want to read "An Example of User Authentication System in PHP" and "What is Session Control/Variables?" before reading this post.


In this post we are going to create a ‘secret’ site whose pages will only be accessible after logging in using the correct username and password. We will be using our knowledge of Session Control/Variables, since we want authorization for the whole site and not for a single page.


The site that we are going to create will have three ‘secret’ pages, plus one login page and one homepage.


Let’s start by having a look at the login page code:



<?php
define('USERNAME', 'happyjoe');
define('PASSWORD', '123456');

// Start the session before any output: session_start() and header()
// fail once the first byte of HTML has been sent.
session_start();

$error = '';

// if the submit button was pressed, the form was submitted
if (isset($_POST['submit'])) {
    // fetch the other form data
    $username = $_POST['username'];
    $password = $_POST['password'];

    // match username & password (strict comparison, no type juggling)
    if ($username === USERNAME && $password === PASSWORD) {
        // save a session variable with the username, which will be unique
        $_SESSION['user'] = $username;
        // redirect to the homepage and stop; the login form must not render
        header("Location: home.php");
        exit;
    } else {
        $error = "<p style=\"color:#ff0000;\">Incorrect Username/Password. Please Try Again.</p>";
    }
} else {
    // requesting the login page: check if already logged in
    // and redirect to the homepage if so
    if (isset($_SESSION['user'])) {
        header("Location: home.php");
        exit;
    }
}
// if not logged in, show the login page
?>
<html>
<head>
<title>My Web Site | Login</title>
</head>
<body>
<h1>My Web Site</h1>
<h2>Login</h2>
<?php echo $error; ?>
<form name="form1" id="form1" method="post" action="">
  <table width="30%" border="0" cellspacing="0" cellpadding="0">
    <tr>
      <td>Username</td>
      <td><input name="username" type="text" id="username" /></td>
    </tr>
    <tr>
      <td>Password</td>
      <td><input name="password" type="password" id="password" /></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input name="submit" type="submit" id="submit" value="Submit" /></td>
    </tr>
  </table>
</form>
</body>
</html>


Now the homepage:



<?php
// start the session again, before any output is sent
session_start();
?>
<html>
<head>
<title>My Web Site | Home</title>
</head>
<body>
<h1>My Web Site</h1>
<?php
// if someone is requesting this page without logging in
if (!isset($_SESSION['user'])) {
    echo "<p>You are not Authorized to view this page. Please <a href=\"login.php\">Login</a> first.</p>";
    // exit script; don't execute any further
    exit;
}
// if logged in
?>
<h2>Secret Pages</h2>
<ul>
  <li><a href="page1.php">Page1</a></li>
  <li><a href="page2.php">Page2</a></li>
  <li><a href="page3.php">Page3</a></li>
</ul>
<?php
// show the user name at the bottom (escaped before it goes into the HTML)
echo "<p>USER: <i>" . htmlspecialchars($_SESSION['user']) . "</i></p>";
?>
</body>
</html>


You can see that the content of the homepage will only be accessible when the
session variable has been set by successful login from the login page.


The homepage after login will look something like below:

[Image: Home page after logging in]


As you can see, there are three links at the bottom. The code for these pages is listed below:


For page one:


<?php
// start the session before any output is sent
session_start();
?>
<html>
<head>
<title>My Web Site | Page1</title>
</head>
<body>
<h1>My Web Site</h1>
<?php
// if someone is requesting this page without logging in
if (!isset($_SESSION['user'])) {
    echo "<p>You are not Authorized to view this page. Please <a href=\"login.php\">Login</a> first.</p>";
    // exit script; don't execute any further
    exit;
}
// if logged in
?>
<h2>Page1</h2>
<p>this is a secret page.</p>
</body>
</html>



For page two:


<?php
// start the session before any output is sent
session_start();
?>
<html>
<head>
<title>My Web Site | Page2</title>
</head>
<body>
<h1>My Web Site</h1>
<?php
// if someone is requesting this page without logging in
if (!isset($_SESSION['user'])) {
    echo "<p>You are not Authorized to view this page. Please <a href=\"login.php\">Login</a> first.</p>";
    // exit script; don't execute any further
    exit;
}
// if logged in
?>
<h2>Page2</h2>
<p>this is a secret page.</p>
</body>
</html>



For page three:


<?php
// start the session before any output is sent
session_start();
?>
<html>
<head>
<title>My Web Site | Page3</title>
</head>
<body>
<h1>My Web Site</h1>
<?php
// if someone is requesting this page without logging in
if (!isset($_SESSION['user'])) {
    echo "<p>You are not Authorized to view this page. Please <a href=\"login.php\">Login</a> first.</p>";
    // exit script; don't execute any further
    exit;
}
// if logged in
?>
<h2>Page3</h2>
<p>this is a secret page.</p>
</body>
</html>


If you look closely, each ‘secret’ page checks whether the session variable is set (which only happens after a successful login). So even direct access to these pages is restricted.
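The login handler and the per-page check above are the two places where session handling goes wrong in practice (output sent before session_start(), no exit after the redirect, plaintext password constant, same session id before and after login). The following auth.php is an added example, not code from the original post: it factors both into one include with the hardened versions. It assumes a constructed user store whose hash placeholder you replace with your own password_hash() output.

```php
<?php
// auth.php: added example, not code from the original post. require_once it
// as the first line of login.php, home.php and each secret page, before any
// HTML, so that session_start() and header() run before output is sent.
// Sample user store constructed for this example. Put the output of
// password_hash('123456', PASSWORD_DEFAULT) here; the placeholder never
// verifies, so a forgotten replacement fails closed rather than open.
const AUTH_USERS = [
    'happyjoe' => '<paste the output of password_hash() here>',
];

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // HttpOnly keeps scripts from reading the cookie; Secure limits it to
        // HTTPS (tied to the request scheme so local HTTP testing still works).
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }
}

// Checks submitted credentials; on success establishes the logged-in session.
function login_user(string $username, string $password): bool
{
    start_session();
    $hash = AUTH_USERS[$username] ?? null;
    // password_verify() compares in constant time against the stored hash.
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after login blocks session fixation
    $_SESSION['user'] = $username;
    return true;
}

// Replaces the isset($_SESSION['user']) check copied into every secret page.
function require_login(string $loginUrl = 'login.php'): string
{
    start_session();
    if (empty($_SESSION['user'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;                      // the page body never renders for a visitor
    }
    return $_SESSION['user'];
}
```

In login.php the handler becomes `if (isset($_POST['submit']) && login_user($_POST['username'] ?? '', $_POST['password'] ?? '')) { header('Location: home.php'); exit; }`, and each secret page starts with `require_once 'auth.php'; $user = require_login();` before its first line of HTML.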


In case someone tries to access these pages directly without logging in, they would see:

[Image: The message shown when anyone tries to access a secret page without logging in]




We could have built the whole site from a single script using the method outlined in the post "How does CMS Create Dynamic Pages", but I wanted to illustrate that session variables are accessible from different pages too, across a session.

