What you propose here does not prevent the user from accessing the ‘member’ pages – however it should determine which page the user is sent to after submitting a password. If the latter is not the case then there’s something going wrong elsewhere in the code.
But as I mentioned, if you want to prevent unauthenticated users from accessing some pages, then the simplest solution is to set a flag in the session at authentication, e.g.
session_start();
// stored_password() is the answer's placeholder for looking up the password on record
if (isset($_POST['username'], $_POST['password'])
    && $_POST['password'] === stored_password($_POST['username'])) {
    $_SESSION['authenticated'] = $_POST['username'];
    header("Location: success.php");
    exit;
} else {
    header("Location: fail.php");
    exit;
}
Then at the top of each and every authenticated page:
session_start();
// empty() also covers the case where the flag was never set (no undefined-index notice)
if (empty($_SESSION['authenticated'])) {
    header("Location: fail.php");
    exit;
}
(note the explicit exit after the header(‘Location:…’);)
Once you’ve got this licked then you can start thinking about regenerating the session id at authentication to prevent session fixation / hijacking issues, and storing the user’s password as a hash to prevent disclosure issues.
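The same login flow with the two follow-ups from the last paragraph applied (session id regeneration at authentication, hashed password storage), added here as an example and not part of the original answer. It assumes a PDO connection `$pdo` provided by a hypothetical config.php and a `users(username, password_hash)` table whose hashes were produced by `password_hash()`.

```php
<?php
// login.php (added example). $pdo is assumed to come from config.php (hypothetical);
// the users table is assumed to have columns username and password_hash.
require 'config.php';
session_start();

// At registration, store password_hash(), never the plaintext, so a leaked
// table does not disclose passwords.
function storeUser(PDO $pdo, string $username, string $plain): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($plain, PASSWORD_DEFAULT)]);
}

// Returns true only when the user exists and the password matches its hash.
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();            // false when the user is unknown
    return $hash !== false && password_verify($password, $hash);
}

if (isset($_POST['username'], $_POST['password'])
    && authenticate($pdo, $_POST['username'], $_POST['password'])) {
    // Issue a fresh session id at the privilege change: a session id planted
    // before login (fixation) no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = $_POST['username'];
    header('Location: success.php');
    exit;
}
header('Location: fail.php');
exit;
```

The guard at the top of each member page is unchanged: `session_start();` followed by a redirect and `exit` when `$_SESSION['authenticated']` is empty.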