Quick question, can I restrict HTML pages from non-logged-in users? As of now, at the start of each HTML script I have PHP code checking whether the `$_SESSION['LoggedIn']` variable is true. If not, the HTML code is not loaded. Is this safe? Is there a better way to do this?

Thanks!

This code is in reference to the question, whether it is safe or not.

```php
<?php
// session_start() has to run before any output is sent, so the check sits above the markup.
session_start();
// String comparison kept as posted; ?? avoids an undefined-index notice when the key is unset.
if (($_SESSION["LoggedIn"] ?? null) != "true") {
    echo '<h1>Restricted Access</h1>';
    die();
}
?>
<body>
<div id="homePage" align="center">
<h1>Home Page</h1><br>
<form action="https://www.google.com">
<input id="button" type="submit" value="Ban Panel">
</form>
<form action="https://www.google.com">
<input id="button" type="submit" value="User Info">
</form>
<form action="https://www.google.com">
<input id="button" type="submit" value="Gift User">
</form>
</div>
</body>
```

Omar Dajani
  • "Is this safe?" Generally, although I'd hesitate to say so for sure without having seen the code you're using. – ceejayoz May 22 '18 at 19:35
  • @ceejayoz I have added a snippet of code that I am using to verify that the user is logged in. Thanks! – Omar Dajani May 22 '18 at 19:39
  • _As of now, at the start of each HTML script I have PHP code checking whether the $_SESSION['LoggedIn'] variable is true_. No, actually you're checking for the **string** "true" according to your code. `true` !== `"true"` – RobIII May 22 '18 at 19:41
  • @RobIII My bad. I couldn't get the true or false to work with a session variable so I used a string instead. But would this have an effect? – Omar Dajani May 22 '18 at 19:43
  • Possible duplicate of [PHP - Session destroy after closing browser](https://stackoverflow.com/questions/24402047/php-session-destroy-after-closing-browser) – dmgig May 22 '18 at 19:46
  • @OmarDajani if it has an effect is hard to say without knowing / being able to see all your code. But it's generally a good idea to use the correct types / cast (or convert) explicitly when needed. You should be able to store a boolean in a session no problem though. So if you're experiencing trouble getting that to work you're doing _something_ wrong. – RobIII May 23 '18 at 08:40
  • @RobIII Gotcha. The code I have provided is basically it, I just wanted to make sure that it is secure and that people won't be able to load the HTML code if they are not signed in. Is that good enough, or should I be doing something that I am not already doing? And I will definitely check on that Boolean variable issue. Thanks! – Omar Dajani May 23 '18 at 13:17
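
One way to centralize the check discussed in the question and comments, as an added example that is not part of the original post or of any comment. The file name `auth.php` and all function names are hypothetical, and it assumes PHP 7.3+ and a site served over HTTPS.

```php
<?php
// auth.php (hypothetical name). Include it at the very top of every protected page,
// before any HTML is sent:  require __DIR__ . '/auth.php'; require_login();
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                       // already started for this request
    }
    session_set_cookie_params([
        'httponly' => true,           // session cookie not readable from JavaScript
        'secure'   => true,           // assumption: HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once, after the credentials have been verified (verification not shown here).
function mark_logged_in(): void
{
    start_secure_session();
    session_regenerate_id(true);      // fresh session ID when the privilege level changes
    $_SESSION['LoggedIn'] = true;     // a real boolean, not the string "true"
}

function is_logged_in(): bool
{
    start_secure_session();
    // Strict comparison: only boolean true passes; an unset key or "true" does not.
    return ($_SESSION['LoggedIn'] ?? false) === true;
}

function require_login(): void
{
    if (!is_logged_in()) {
        http_response_code(403);
        echo '<h1>Restricted Access</h1>';
        exit;                         // nothing after this call is rendered
    }
}
```

The guard only protects files that PHP actually executes; static `.html` files served directly by the web server never run it, and every form target that performs an action needs the same `require_login()` call on the server side.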
