How to have full authorization log in

hello everybody :
i have a website and due to some reasons i put the log in page in the first page so if anybody wants to see it he/she should enter user + pass and if it be correct so he/she will be entered . my log in page is a simple log in page and i have a problem with it because :
if anybody type mydomain.com => he will go to my log in page and it is OK .
but if anybody type mydomain.com/index.php => he will go to my site without any authorization ? and it is NOT ok .
can any person give me a hand ?

You need each page to check that the user is authentic, and using sessions is probably the easiest way. A very basic example…you’d stick these 3 files in your site’s document root…

.htaccess (or stick this in your vhost container in httpd.conf):


php_value auto_prepend_file /full/path/to/your/docroot/auth.php

auth.php


<?php
    session_start();

    if (!isset($_SESSION['user']) && $_SERVER['PHP_SELF'] != '/login.php') {
        header('Location: /login.php');
        exit;
    }

login.php:


<?php
    $error = '';
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {

        // do your user authentication/loading here...
        // i'll pretend that if the user/pass is bad, it returns false
        $user = findValidUserByCredentials($_POST['username'], $_POST['password']);

        $error = 'Wrong username and/or password';
        if ($user !== FALSE) {
            // yay, user is authentic, stick 'em in the session and go on inside
            $_SESSION['user'] = $user;
            header('Location: /index.php');
            exit;
        }
    }
?>
<html>
<body>

<?php if (!empty($error)): ?>
<div class="error"><?php echo $error; ?></div>
<?php endif; ?>

<form action="/login.php" method="post">
<p>Username: <input type="text" name="username" /></p>
<p>Password: <input type="password" name="password" /></p>
<p><input type="submit" /></p>
</form>

</body>
</html>

The idea is to use the auto_prepend_file feature to force your PHP interpreter to automatically include 'auth.php'; at the beginning of every PHP script that’s requested from your site. auth.php will just check to see if there’s a valid user object in the session. If not, it bounces the user over to the login page, otherwise nothing happens and the requested script (index.php for instance) will get run like normal.

Note, however, that this will not protect non-PHP resources (images, css, js, etc) from being accessed without being authenticated.

I would advise strongly against ever, EVER using the auto_prepend file setting. It is an extremely unusual move and makes code very difficult to debug for anyone that comes after you.

True, it’s a hackish convenience whose power/danger lies in it’s implicit-ness, and just like $GLOBALS it’s very easy to abuse it and turn your code into spaghetti. That being said, you can actually do some pretty neat things with auto_prepend_file and auto_append_file. I’m personally a fan of 'em, but yeah, caveat emptor…

I suppose the better way would be do rewrite all your site’s requests through a front controller, which is where you’d centralize your session management, among other things. The basic thing to understand, though, is that you have to check the session on every page request.