ok, i need some basic security for a site.. nothing super fancy, but enough to keep anyone from view some stuff. The pages are already blocked from google etc indexing so for the most part, no one will even know they exist.

now, i think i have done this correctly... there is a login page.. wife enters user/pass

then it goes here and this is done first thing


<?php
session_start();
$loggedin=FALSE;
if (isset($_SESSION['owner'])) {
if ($_SESSION['owner']=='xxxxxx') {
$loggedin=TRUE;
}
}

if (!$loggedin) {
if ($_POST['user']=='xxxxxx' && $_POST['pass']=='xxxxxx') {
$_SESSION['owner']='xxxxxx';
$loggedin=TRUE;
} else {
if (isset($_SESSION['attempt'])) {
$_SESSION['attempt']=$_SESSION['attempt']+1;
} else {
$_SESSION['attempt']=1;
}
if ($_SESSION['attempt'] > 4) {
header("location:http://google.com");
}
}
}
?>


and other pages have this:


session_start();
$loggedin=FALSE;
if (isset($_SESSION['owner'])) {
if ($_SESSION['owner']=='xxxxxx') {
$loggedin=TRUE;
}
}
if (!$loggedin) {
header("location:index.html");
die('tsk tsk');
}


is that good enough? I tried putting in wrong passwords and it seemed to work.. and tried going to pages without 'logging in' and it seemed to work... but being new to sessions... is this good enough?

Thanks all!

yes, that would work. I would change some things, but not the basic way that it works. just the way you're doing it. if you don't have specific pages that only certain "owners" can see, then I would just do this instead (for every page):

<?php
session_start();

if(!isset($_SESSION['owner'])){

//redirect
header("Location: login.php?return=" . __FILE__);

}
?>
<!-- your content goes here -->