[josefroyadvincula]

Hi guys, I'm trying to create a login sort of app. So the user logs in at index.php and then the details are sent to login_handler.php. If login_handler.php doesn't find anything wrong, the page will be redirected to records.php

Now the problem is, I can directly access records.php without even going through the login page (via the address bar).

In my login_handler.php, I have this line of code

    if ( $result == 1 ) {
        session_start();
        $_SESSION["user"] = $username;
        header("location: ../records.php");
    } else {
        header("location:../index.php?login_failed==true");
    }

and in the records.php, this

session_start();
if ( isset($_SESSION["user"]) == false ) {
    header("location: index.php");
}

So why can I still access the records.php?

Thanks!

[JackOfAllTrades]

Whenever you call header, you should add exit(); immediately after to stop the rest of the page from executing.

This information is right in the manual:

Quote

The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set.

<?php
header("Location: http://www.example.com/"); /* Redirect browser */

/* Make sure that code below does not get executed when we redirect. */
exit;
?>

[ryant]

Hi mate,

please try this in your records.php.

session_start();
if ( !isset($_SESSION["user"])) {
    header("location: index.php");exit;
}

Hope that helps!

[josefroyadvincula]

Well, I would like to thank both of you for pointing out that exit(); line for me. I admit I wasn't aware of that, lol, so thank you both!

However, I realized the issue had to do with the browser cache. I can only access records.php if I had successfully logged in at an earlier time. Otherwise, it does as expected.