The basic logic of how to make a simple passworded area using PHP, well, the way I would do it, would be like this:
Post an HTML form with username and password.
Verify against the database, get the IP and session ID. Make some hash out of the session ID and IP address and put it into a sessions table. Set a flag session variable to mark the user as logged in.
So now you have this to verify user logged in:
- Session variable logged in - true or false.
- Session ID hash (we’ll call it $sid for now)
Then on every page that is protected, first see if $_SESSION['logged_in'] == true. If not, then redirect back to the login.php page.
If it is true, then from page to page you pass the $sid ID like this:
So on every password-protected page you get that $sid, then verify it against the sid in the database, with the current session and the IP address of the person accessing that page. If nothing matches, then send them to the login.php page...
This is kind of how phpBB does it.
So what you are missing is there is no way to verify whether the user is logged in or not on the password-protected pages. The simplest is to just set some session variable after you log in so that it checks to see if that flag is marked true. But that is pretty easy to break through, so using a session ID with an IP address makes it a little tougher.
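As an added example (not code from the post above), here is a minimal PHP implementation of the flow it describes: credentials checked against a users table, an HMAC of the session ID and client IP stored in a sessions table, a logged_in flag in the session, and a per-page check that recomputes the hash from the current session ID and IP and looks it up. It uses an in-memory SQLite database through PDO so it runs offline; the table layout, the sample user, the server secret, and the plain $session array standing in for $_SESSION are all assumptions made for this example, and hash_hmac with a secret is used in place of the post's unspecified "some hash".

```php
<?php
// Added example, not code from the original post. Implements the login flow
// described above against an in-memory SQLite database (assumption: real code
// would use its own users/sessions tables and the live $_SESSION and $_SERVER).
declare(strict_types=1);

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE sessions (sid_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, created_at INTEGER NOT NULL)');
    // Constructed sample user; only a password_hash() digest is stored, never the password.
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// The "hash of session ID and IP address" from the post. An HMAC keyed with a
// server-side secret is used (assumption) so a copied sessions table cannot be
// replayed without that secret.
function make_sid(string $session_id, string $ip, string $secret): string {
    return hash_hmac('sha256', $session_id . '|' . $ip, $secret);
}

// login.php: verify the posted credentials, record the session, set the flag.
// Returns the $sid to hand to the next page, or null on failure.
function login(PDO $db, array &$session, string $session_id, string $ip,
               string $username, string $password, string $secret): ?string {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    $sid = make_sid($session_id, $ip, $secret);
    // INSERT OR REPLACE is SQLite syntax; use the equivalent for your database.
    $ins = $db->prepare('INSERT OR REPLACE INTO sessions (sid_hash, user_id, created_at) VALUES (?, ?, ?)');
    $ins->execute([$sid, $row['id'], time()]);
    $session['logged_in'] = true;   // the flag session variable from the post
    return $sid;
}

// Top of every protected page: the flag check first, then the $sid check using
// the *current* session ID and IP against the sessions table, as the post describes.
function is_logged_in(PDO $db, array $session, string $session_id, string $ip,
                      string $sid_from_request, string $secret): bool {
    if (empty($session['logged_in'])) {
        return false;                 // redirect to login.php here
    }
    $expected = make_sid($session_id, $ip, $secret);
    // hash_equals() compares in constant time, so timing does not reveal a partial match.
    if (!hash_equals($expected, $sid_from_request)) {
        return false;                 // $sid was issued to a different session or IP
    }
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE sid_hash = ?');
    $stmt->execute([$expected]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// logout.php: drop the row so the $sid can no longer be used, and clear the flag.
function logout(PDO $db, array &$session, string $sid): void {
    $db->prepare('DELETE FROM sessions WHERE sid_hash = ?')->execute([$sid]);
    $session = [];
}

// --- Demo with constructed values ---
$db        = setup_db();
$secret    = 'replace-with-a-random-secret-from-config';  // assumption: loaded from config in real use
$session   = [];                                          // stands in for $_SESSION
$sessionId = bin2hex(random_bytes(16));  // stands in for session_id() after session_regenerate_id(true)
$ip        = '203.0.113.7';              // stands in for $_SERVER['REMOTE_ADDR']

var_dump(login($db, $session, $sessionId, $ip, 'alice', 'wrong password', $secret));   // wrong password
$sid = login($db, $session, $sessionId, $ip, 'alice', 'correct horse battery staple', $secret);
var_dump($sid);                                                                          // the $sid passed on to the next page

var_dump(is_logged_in($db, $session, $sessionId, $ip, $sid, $secret));                  // same session, same IP
var_dump(is_logged_in($db, $session, $sessionId, '198.51.100.9', $sid, $secret));       // same $sid, different IP
var_dump(is_logged_in($db, [], $sessionId, $ip, $sid, $secret));                        // flag never set

logout($db, $session, $sid);
var_dump(is_logged_in($db, $session, $sessionId, $ip, $sid, $secret));                  // row deleted, flag cleared
```

A few practical notes on the scheme. Call session_regenerate_id(true) on successful login before computing $sid, otherwise a session ID fixed by an attacker before login stays valid afterwards. Carry $sid from page to page in a POST hidden field or the session itself rather than in the URL, since a URL leaks through Referer headers, logs and browser history. Binding to the client IP, as the post suggests, does make a copied $sid harder to use, but it also logs out legitimate users whose address changes mid-session (mobile networks, load-balanced proxies), so many sites accept that trade-off only for sensitive actions.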