I'm making a web page where I have a login, and when you log in it takes you to a file called user.php. What I want to achieve is that only logged-in users can see the contents of the user.php file. I want to avoid that putting the route /user.php in the search engine of the browser shows you the data without having logged in, to give more security.
Currently, with what I have done, nobody gets into the user.php file, not even the users who log in; it redirects them all to index.html.
This is my login.php:
<?php
// Capture the inputs
$user = $_POST["email"];
$passw = $_POST["password"];

// Connect to the database
$conexion = mysqli_connect("localhost", "root", "x", "bbdd");
if (mysqli_connect_errno()) {
    printf("Falló la conexión: %s", mysqli_connect_errno());
}

// Check that the user exists
$resultado = mysqli_query($conexion,
    "SELECT * FROM usuarios WHERE
    correo='$user' and
    contrasena='$passw'");
$usuExiste = mysqli_num_rows($resultado);

if ($usuExiste > 0) {
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $user;
    $_SESSION['start'] = time();
    $_SESSION['expire'] = $_SESSION['start'] + (5 * 60);
    header('location:usuario.php');
    echo "";
} else {
    echo "<script>alert('Usuario y/o Contraseña incorrectas.')
    window.location='index.html'</script>";
}
session_destroy();
?>
And this is my user.php:
<?php
session_start();

if (isset($_SESSION['loggedin'])) {
} else {
    echo "<script>alert('esta pagina es para administradores')
    window.location='index.html'</script>";
    header("location:index.html");
    exit;
}

$now = time();
if ($now > $_SESSION['expire']) {
    session_destroy();
    echo "Su sesion a terminado,
    <a href='login.html'>Necesita Hacer Login</a>";
    exit;
}
?>
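
An added example, not part of the original post: one way to write the login check and the page guard so that the session written at login is still there when usuario.php loads. It assumes `usuarios.contrasena` stores `password_hash()` output rather than the plain password, and the function names `login` and `require_login` are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes usuarios.contrasena holds
// password_hash() output; table, column and file names are those in the post.

// login.php: call with the POSTed email and password.
function login(mysqli $db, string $email, string $password): bool
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT contrasena FROM usuarios WHERE correo = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();          // true, or null/false when no row matched
    $stmt->close();

    if (!$found || !password_verify($password, $hash)) {
        return false;
    }

    session_start();                  // must run before $_SESSION is written
    session_regenerate_id(true);      // fresh session ID once authenticated
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $email;
    $_SESSION['expire']   = time() + 5 * 60;
    return true;                      // no session_destroy() on this path
}

// usuario.php: call at the very top, before any output is sent.
function require_login(): void
{
    session_start();
    $ok = !empty($_SESSION['loggedin'])
        && time() <= ($_SESSION['expire'] ?? 0);
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: index.html'); // works only if nothing was echoed yet
        exit;                           // stop so protected markup is never sent
    }
}
```

In login.php the caller redirects with `header('Location: usuario.php'); exit;` when `login()` returns true, and to index.html otherwise.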