Needing guidance on how to redirect a user if not logged in on admin panel

Question

At the moment I have an extremely basic admin login system. I am able to login in through my admin_login.php page which has a script from my login.php page I can update records from the admin_control_panel.php. My main concern is the fact that anyone can type these URL's straight into the address bar and bypass the login procedure.

My code at the moment isn't based around security (I am just trying to get all my basic functionality and features up and running, I will then focus on security).

I know that I have to use sessions to track if the user is logged in or not but I am becoming a bit confused as to where I will implement these session.

My questions is: What pages do I include the code in?, where on the pages do I include these sessions? and what do I include in these files?

What I want is to be able to redirect the user back to the login page if they are not logged in.

admin_login.php

<?php 

$dbhost = 'x';
$dbuser = 'x';
$dbpass = 'x';

$con = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $con )
{
  die('Could not connect: ' . mysql_error());
}
mysql_select_db('x');

?>

<html>

<head>
<link rel="stylesheet" type="text/css" href="css/master.css">
</head>

<body>

<form method="post" action="login.php">

User:<input name="username" type="text">
Pass:<input name="password" type="password">

<input name="submit" type="submit" value="Submit">

</form>

</body>

</html>

login.php

<?php

$dbhost = 'x';
$dbuser = 'x';
$dbpass = 'x';

$con = mysql_connect($dbhost, $dbuser, $dbpass);
if(! $con )
{
  die('Could not connect: ' . mysql_error());
}
mysql_select_db('x', $con);

$query = "SELECT username FROM members ".
         "WHERE username=\"$_POST[username]\" ".
         "AND password = \"$_POST[password]\"";

$result = mysql_query($query, $con);         

mysql_data_seek($result, 0);

if (mysql_num_rows($result) == 0)
    header("Location: admin_login.php");
 else   
    header("Location: admin_control_panel.php");
?>

admin_control_panel.php

<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Untitled 3</title>
</head>

<body>

<?php

include('./upload.html');

?>

</body>

</html>

Thank you in advance.

Answer 1

Best way to do that is with sessions. In the login.php do something like this

if (mysql_num_rows($result) == 0) {
    header("Location: admin_login.php");
} else   {
    header("Location: admin_control_panel.php");
    session_start();
    $_SESSION['user'] = $_POST['username'];
}

Now in the admin_control_panel.php at the top of the file, just add this php code to check if $_SESSION['user'] exists.

<?php
if (! isset($_SESSION['user'])) {
  header("Location: admin_login.php");
}
?>

Basically with this code you will create session with user data if login is correct. If it's not, he will by default get redirected to the login page. Now when someone tries to access admin_control_panel page, we will first check if session is set. If it's true, he can access the page, if not, he will get redirected to the login.

For more read about session: PHP.net Session manual and w3schools.com Session manual

*Note. To logout, you gotta destroy session, to do that use session_destroy(); function.

Answer 2

Include session_start(); at the top of your script and then you would do something like this:

if (mysql_num_rows($result) == 0){
    header("Location: admin_login.php");
} else {
    $_SESSION['permission'] = 'admin';   
    header("Location: admin_control_panel.php");
}

You then need to implement a function to check if the admin is logged in.

function verifyAdmin() {
   if(!isset($_SESSION['permission']) || $_SESSION['permission'] != 'admin'){
        header("Location: admin_login.php");
    }
}

Now, on the top of each admin page just add verifyAdmin();. Remember to add session_start(); to the top of any page the uses sessions.