I have a simple login/logout script and you should not be able to have direct access to a specific page that I have called 'success.php'. I don't know if it's a typo somewhere or if my session is not working properly.
index.php
<?php
// Start the session
session_start();
// Defines username and password. Retrieve however you like,
$username = "user";
$password = "pw";
// Error message
$error = "";
// Checks to see if the user is already logged in. If so, refirect to correct page.
if (isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == true) {
$error = "success";
header('Location: success.php');
}
// Checks to see if the username and password have been entered.
// If so and are equal to the username and password defined above, log them in.
if (isset($_POST['username']) && isset($_POST['password'])) {
if ($_POST['username'] == $username && $_POST['password'] == $password) {
$_SESSION['loggedIn'] = true;
setcookie('userName', $_POST['username'], time()+3600); // Expiring after 2 hours
header('Location: success.php');
} else {
$_SESSION['loggedIn'] = false;
$error = "<p style='color:red;font-size:11px;'>Invalid username and/or password!</p>";
}
}
<div class="col-md-3 col-lg-2 col-sm-6 col-xs-6">
<div class="form-login">
<form method="post" action="index.php">
<h4 style="color: #FFF;">S-Files</h4>
<input type="text" name="username" class="form-control" placeholder="username" maxlength="40" autofocus required />
<br />
<input id="password" type="password" name="password" class="form-control" placeholder="password" maxlength="15" required />
<br />
<div class="wrapper">
<span class="group-btn">
<button type="submit" name="submit" class="btn btn-primary btn-md">login <i class="fa fa-sign-in" ></i></button>
</span>
</div>
</form>
<!-- Output error message if any -->
<?php echo $error; ?>
</div>
</div>
success.php
<?php
// Start the session
session_start();
// ob_start();
// Check to see if actually logged in. If not, redirect to login page
if (!isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] == false && !isset($_COOKIE['userName']))
{
header('Location: index.php');
}
Logout.php
<?php
session_start();
$_SESSION['loggedIn'] = false;
unset($_SESSION);
// Delete cookie
if (isset($_COOKIE['userName']))
{
unset($_COOKIE['userName']);
setcookie('userName', '', time() - 3600); // empty value and old
timestamp
}
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
header("Location: index.php");
So my problem is that users can type the url /success.php and view the content in there without logging in, I want them to be redirected to index.php if they are not authenticated. What am I doing wrong?