Basically, I have two files, in two different directories: index.php (in /login/) and index.php (in /login/buyer/).
The /login/buyer/ index.php file has:
<?php
session_start();
function isLoggedIn()
{
    if (isset($_SESSION['valid']) && $_SESSION['valid'])
        return true;
    return false;
}
// if the user has not logged in, send them to the login page one directory up
// (a bare 'index.php' here resolves to this same file and redirects in a loop)
if (!isLoggedIn())
{
    header('Location: ../index.php');
    die();
}
?>
<?php
// past the check above the session is always valid, so the else branch never runs
if ($_SESSION['valid'] == 1) {
    echo "<a href='../logout.php'>Logout</a>";
}
else {
    echo "<a href='../index.php'>Login</a>";
}
?>
The /login/ index.php file has:
<?php
session_start(); // without this $_SESSION is never populated and the check below always fails
?>
<!--
a form to login
-->
<?php
if (isset($_SESSION['valid']) && $_SESSION['valid'] == 1) { # user has logged in by creating a session var
    echo "<a href='logout.php'>Logout</a>";
}
else {
    return true; // file-scope return: ends the script here for visitors who are not logged in
}
?>
These two files seem to be working fine, but say for instance a malicious user wants to try to directly access /login/buyer/ without providing any credentials and just tries that at the end of the URL, like mysite.com/login/buyer, instead of logging in. How can I add another condition in there to stop this?
I suggest using a single /index.php file (that is, a "controller") for all web accesses. This way, you have to check once for all files whether the session is valid or not.
Use parameters to tell which "module" and "action" (Symfony 1.x vocabulary) you want to proceed with.
E.g. yoursite.com/index.php?module=user&action=login&type=buyer, or better, with a .htaccess and a routing engine: yoursite.com/user/login/buyer
As I suggest in this other question, it is even better to put the index.php and the other source files (which should not be accessed directly through the webserver) in separate directories.
Additional advice:
could be simply rewritten to:
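The front-controller layout the answer describes, written out as an added example (not the answerer's code and not from the original question). It assumes a hypothetical layout where index.php sits alone in the document root and the module files live in ../app/modules/, outside the webroot, so that a request such as /login/buyer can only ever reach the single file that performs the session check.

```php
<?php
// Added example: a single front controller (index.php) in the document root.
// Assumed layout (hypothetical): handlers live in ../app/modules/<module>/<action>.php,
// outside the webserver's document root, so nothing but this file is reachable directly.
declare(strict_types=1);
session_start();

const MODULE_DIR = __DIR__ . '/../app/modules';
// Modules that require a valid session; everything else (e.g. user/login) is public.
const PROTECTED_MODULES = ['buyer' => true, 'seller' => true];

function isLoggedIn(): bool
{
    return isset($_SESSION['valid']) && $_SESSION['valid'] === true;
}

// Only lowercase letters are accepted as module/action names, so a request
// value like "../" can never influence the require path below.
function sanitizeName(?string $value, string $default): string
{
    return ($value !== null && preg_match('/^[a-z]{1,32}$/', $value)) ? $value : $default;
}

$module = sanitizeName($_GET['module'] ?? null, 'user');
$action = sanitizeName($_GET['action'] ?? null, 'login');

// The one place where authentication is enforced for every protected module.
if (isset(PROTECTED_MODULES[$module]) && !isLoggedIn()) {
    header('Location: /index.php?module=user&action=login');
    exit;
}

$handler = MODULE_DIR . "/$module/$action.php";
if (!is_file($handler)) {
    http_response_code(404);
    exit('Not found');
}
require $handler; // e.g. ../app/modules/buyer/dashboard.php, never served directly
```

With this layout the buyer pages no longer need their own copy of the session check, and a direct request for a buyer URL is redirected to the login action before any module code runs.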