
Here's a quick way to secure a page so that only logged-in users can access it; anyone else is shown a login page.

  • Username: demo
  • Password: demopassword

This system uses sessions, and uses headers to redirect the user. Enable sessions and output buffering at the top of the file.

session_start();
ob_start();

To log a user out, destroy the session and refresh the page.

if(isset($_GET['logout'])){
    session_destroy();
    header('Location: '.$_SERVER['PHP_SELF']);
    exit;    
}

To show the page contents only to logged-in users, check the session: if authorised is set, show the contents.

if(isset($_SESSION['authorised'])){

Otherwise show a login form.

<fieldset>
    <legend>Login</legend>
    <form action='' method='post'>
        <p>Username: <input type='text' name='username' value=''></p>
        <p>Password: <input type='password' name='password' value=''></p>
        <p><input type='submit' name='loginsubmit' value='Login'></p>
    </form>
</fieldset>

If the form has been submitted, capture the username and password from the form and check them against a defined username and password. If they match, create the session and refresh the page; otherwise create an error message and save it to a variable called $error.

if(isset($_POST['loginsubmit'])){

    $username = $_POST['username'];
    $password = $_POST['password'];

    if($username == 'demo' && $password == 'demopassword'){
        //correct username and password
        $_SESSION['authorised'] = true;
        header('Location: '.$_SERVER['PHP_SELF']);
        exit;
    } else {
        $error = '<p style="color:#ff0000;">Sorry wrong username or password</p><p>Please try again</p>';
    }
}

If the error has been created then show it.

<?php if(isset($error)){ echo $error; }?>

At the bottom of the file, flush the output buffer by calling ob_flush().

Putting it all together:

<?php
session_start();
ob_start();

if(isset($_GET['logout'])){
    session_destroy();
    header('Location: '.$_SERVER['PHP_SELF']);
    exit;    
}

?>

<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Member Only Page</title>

</head>
<body>

<?php

//already logged in
if(isset($_SESSION['authorised'])){
?>

    <h1>Member Only Page</h1>
    <p>This page can only be seen when logged in.</p>
    <p><a href="?logout">Logout</a></p>


<?php 
} else { //user needs to login

    if(isset($_POST['loginsubmit'])){

        $username = $_POST['username'];
        $password = $_POST['password'];

        if($username == 'demo' && $password == 'demopassword'){
            //correct username and password
            $_SESSION['authorised'] = true;
            header('Location: '.$_SERVER['PHP_SELF']);
            exit;
        } else {
            $error = '<p style="color:#ff0000;">Sorry wrong username or password</p><p>Please try again</p>';
        }
    }

    ?>

    <div style='margin:auto; width:300px; margin-top:20px;'>
        
        <?php if(isset($error)){ echo $error; }?>

        <fieldset>
            <legend>Login</legend>
            <form action='' method='post'>
                <p>Username: <input type='text' name='username' value=''></p>
                <p>Password: <input type='password' name='password' value=''></p>
                <p><input type='submit' name='loginsubmit' value='Login'></p>
            </form>
        </fieldset>
        

    </div>

<?php } ?> 
</body>
</html>
<?php ob_flush(); ?>
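
A hardened version of the login and logout logic from the listing above, as an added example that is not the tutorial's own code: the password is checked against a hash with password_verify(), the session id is regenerated on login, and logout also expires the session cookie. The helper names credentials_ok() and log_out(), the cookie options and the hash generated at runtime are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed for this example so it runs stand-alone: in practice call
// password_hash() once and store only the hash, never the plaintext.
define('DEMO_HASH', password_hash('demopassword', PASSWORD_DEFAULT));

// Hypothetical helper: true only for the page's demo credentials.
function credentials_ok($username, $password): bool
{
    // Form fields can arrive as arrays (username[]=x); accept strings only.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // Run both checks every time so timing does not show which one failed.
    $userOk = hash_equals('demo', $username);
    $passOk = password_verify($password, DEMO_HASH);
    return $userOk && $passOk;
}

// Hypothetical helper: empty the session and expire the browser's cookie.
function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax']);

if (isset($_GET['logout'])) {
    log_out();
    header('Location: ' . $_SERVER['PHP_SELF']);
    exit;
}

if (isset($_POST['loginsubmit'])) {
    if (credentials_ok($_POST['username'] ?? null, $_POST['password'] ?? null)) {
        session_regenerate_id(true); // fresh id, so a pre-login id is useless
        $_SESSION['authorised'] = true;
        header('Location: ' . $_SERVER['PHP_SELF']);
        exit;
    }
    $error = '<p style="color:#ff0000;">Sorry wrong username or password</p><p>Please try again</p>';
}
```

The HTML part of the page (member content, login form and error output) stays as in the listing above and follows this block unchanged.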