I wondering how if anybody had any ideas how to write this. I want to have a page that is restricted to only registered users. A non-registered/non-loggedin user can click on a restricted page which takes them to a log in screen, they login and then the server takes them to the restricted page.

Whats the best way to do this? Store the restricted page's address in a hidden input field in the loggin screen (and load when user is loggin in)?

I need some feedback!

There are a number of ways to deal with sort of situation. and therefore I would like to know if you are using a database. If so what package are you using? Personally with PHP I would use MySQL, but I know it is not to everyone's tastes, and if you are using the beta of PHP5, I know MySQL is not natively supported, and compiling programs can have a tendency to scare people who aren't used to it (Like me!!!)

Sorry I can't be of more help yet, but I will (hopefully) help you a lot more when you provide this information. (But I promise you, cookies will be used in my solution. Coincidently if anyone knows a situation that doesn't use cookies I would greatly appreciate it. I need to set up something similar to this without cookies.)

Sincerely,

---
David Thorne, Student
UK

There are two simple solutions to this problem. The first you've already mentioned -- store the original link in some hidden form input field.

The other way is to store the original link in a session variable.

When you think about it, storing the original link in a hidden form field is just one way of persisting data -- something that the session variable was *designed* to do... so why not use it?


Here's a simple example:

<?php // login_check.inc.php

if (!logged_in()) // assume that you've written logged_in().
{
    $_SESSION['original_url'] = $_SERVER['PHP_SELF']
    header("Location: login.php");
    exit();
}

?>


<?php // Any password-protected page:
session_start();
require_once('login_check.inc.php'); // redirects anyone who's not logged in.

// Here we can assume that everyone's logged in.
// Proceed with the rest of the script.

...

?>

<?php // login.php
session_start();

if (isset($_POST['username'] && $_POST['password']))
{
    // validate user login.
    ...

    $target_url = isset($_SESSION['original_url'])
                    ? $_SESSION['original_url']
                    : 'member_main.php';

    if (login_valid)
    {
        header("Location: {$target_url}");
        exit();
    }
    else display some invalid login error
}

// generate the login form here.
...
?>


Hope the above gives you ideas.


Take care,

Nik
http://www.bigaction.org/

I'm using PHP 4.3.4 with MySQL 4.18 (i think).

nikolai, i like you're session implementation, so i'm going to try that. So you pretty much think that's the best way? Anyway, it seems pretty good to me.

Thanks

Well, it's not by itself the best way, but it's the backend to what I'd consider one of the better ways. Remember, whenever there's more than one way of doing something, there's bound to be arguments why each way is "better" than any of the others...

In my example, I used a separate include file to control forcing registered users. In practice, I'd probably define all my user-authentication functions in a single file (user_auth.inc.php or whatever), and write a function to protect the page.

This file would also be where you'd write logged_in() and the code that validates username/password combos.



Take care,

Nik
http://www.bigaction.org/