PHP session question

[eric]

Working on some admin pages for a PHP/MySQL application. I'm really new to these languages, I've only read like 2 tutorials, so bear with me. I coded a basic login page with username and password fields. When the correct ones are entered the user is taken to the administrator menu page. From there, you can navigate to a ......./create.php page, for example. My concern is that a user can skip the login process altogether if he/she types http://<path>/create.php directly into the address bar, which takes the user directly to that page and bypasses the login process. Is there anyway to prevent this, like to secure all the pages accessed after logging in? I was researching this and I think I have to start a session with the session_start(); command, but it kept giving me errors dealing with session_cache_limiter or something similar.

Does anyone have any good ideas how to do this?

[Whatcha]

Okay two points. First u need to learn sesssions very important if u want to create some sort of secure app u will need to a session on each page where u want to track the user and it must be the first command!

Code:

<?php
session_start();
?>
Below will cause errors
<?php
$x ="Bad";
session_start();
?>

Check out http://www.zend.com/zend/tut/session.php
For the second part to avoid ppl being able to have direct access to secure pages u will need to create a function to checked the user is logged in before the page is displayed.
U could also secure it a little more by include the secure page rather than redirecting to it. Also using some thing this below will at another small layer of security

Code:

<?php
##Login Page
##Good User
define("Allowed", "Yes");
include 'admin.php';
?>
<?php
### admin.php ####
if(!defined('Allowed')){
die("Access Refused");
}
/* If the admin.php page is access directly the constant of "Allowed" will not be defined there for access refused*/
?>