I'm working on a PHP-based website which stores within a session variable whether or not a user is logged in. If they're not logged in, they'll be redirected to a login page.
My concern is that they could somehow turn off being redirected and thus be able to view the page without being logged in.
If this is possible, how would I go about trying to stop that from happening?
I have the redirection code at the top of the page like this:
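<?php
session_start();

if (empty($_SESSION["LoggedIn"])) {
    // Not logged in (or flag never set): send the visitor to the login page.
    $_SESSION["LoggedIn"] = false;
    $logginURL = "login.php";
    header("location: " . $logginURL);
    die(); // stop here so nothing else on the page is executed or output
} else {
    if ($_SESSION["LoggedIn"] == true) {
        // Logged in: send the visitor to the home page.
        $homeURL = "home.php";
        header("location: " . $homeURL);
        die();
    }
}
?>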
(This code just determines on the index page whether or not they should be taken to a login page or the home page)
You cannot force them to be redirected.
This prevents further execution after you send the header.
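
The point above as a reusable guard for each protected page. This is an added example, not part of the original question or answer. The file name `auth_guard.php` and the function `require_login()` are hypothetical; the session key `LoggedIn` and `login.php` come from the question, and the strict check assumes the login code stores a boolean `true`.

```php
<?php
// auth_guard.php (hypothetical file name): include at the top of every protected page.
declare(strict_types=1);

/**
 * Stops the request unless the session marks the user as logged in.
 * The Location header is only a hint that the client may ignore;
 * exit is what keeps the protected content from being generated and sent.
 */
function require_login(string $loginUrl = 'login.php'): void
{
    // Start the session only if the including page has not done so already.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Assumption: the login code sets $_SESSION['LoggedIn'] to boolean true.
    // Strict comparison rejects "truthy" leftovers such as non-empty strings.
    if (($_SESSION['LoggedIn'] ?? false) === true) {
        return;
    }

    header('Location: ' . $loginUrl, true, 302);
    exit; // without this, the rest of the page still runs and its output
          // is delivered in the body of the 302 response
}

// Weak form, shown for contrast (the redirect is sent but execution continues):
//   if (empty($_SESSION['LoggedIn'])) { header('Location: login.php'); }
//   echo $membersOnlyContent;   // still sent to any client that reads the body

// home.php (constructed usage):
//   require __DIR__ . '/auth_guard.php';
//   require_login();
//   echo 'Members-only content';
```

The check has to run on every protected page (here `home.php`), not only on the index page, because a client can request those pages directly.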