-4

The website is password protected, however visitors can bypass the login screen by deleting it from http://www.sitename/directory/login.php and go directly to the index page. I can't seem to find the correct code to put into the index page to redirect non-authenticated users back to login.php

<?php
if (!isset($_SESSION)) {
session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
$_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
$loginUsername=$_POST['username'];
$password=$_POST['password'];
$MM_fldUserAuthorization = "";
$MM_redirectLoginSuccess = "index.php";
$MM_redirectLoginFailed = "login.php";
$MM_redirecttoReferrer = false;
mysql_select_db($database_name, $name);

$LoginRS__query=sprintf("SELECT memberUser, MemberPass FROM administrators WHERE memberUser=%s AND MemberPass=%s",
GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 

$LoginRS = mysql_query($LoginRS__query, $name) or die(mysql_error());
$loginFoundUser = mysql_num_rows($LoginRS);
if ($loginFoundUser) {
 $loginStrGroup = "";

$_SESSION['MM_Username'] = $loginUsername;
$_SESSION['MM_UserGroup'] = $loginStrGroup;       

if (isset($_SESSION['PrevUrl']) && false) {
  $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];  
}
header("Location: " . $MM_redirectLoginSuccess );
}
else {
header("Location: ". $MM_redirectLoginFailed );
}
}
?>
4

1 回答 1

1

How about you declare a session variable, and check for the presence of that variable on the index page. If it doesn't exist, do a redirect to the login page.

Login.php

<?php
Session_start();
//Successful login
$_SESSION['logged_in']=TRUE;
?>

index.php

<?php
if(!isset($_SESSION['logged_in'])){
    Header('Location: login.php');
}
?>

Doing this will make sure no one can access the index page without first being directed to the login page.

于 2013-10-23T16:26:11.790 回答