You need to protect the log viewing page from being seen by anyone except Pandora.  This is a bit complex to explain but should be possible if you take it step by step and indent your code properly (overall structure of the if statements is below).  The end result should be a page which behaves this way:

  1. the first time someone visits it they are not logged in so it shows them a log in form and nothing else
  2. once they have logged in correctly a cookie is written which means they do not need to log in again

This is what you need to do:

  1. edit the functions.php file and add a new function which will check if a user is logged in
  2. create an if statement in that function which uses isset to check that a cookie containing a value username is NOT there
  3. add an echo in the if which is a paragraph telling us there is no cookie
  4. in viewlog.php replace the call to the logging function with a call to this new function (you could leave the other one but why log her own visits?)
  5. try index.php (as there is no cookie you should see the message saying that and then the rest of the page)
  6. comment out the echo and under it (still in the if):
    1. add a new, empty if/else statement
    2. add a condition to the if which checks to see if a form HAS been posted
    3. inside the if part add an echo saying that a form has been posted
    4. inside the else put an echo which says that the form has NOT been posted
  7. test the page and you should see a message that there is no form data (and then the page as before)
  8. comment out the echo which says that the form has not been posted and under it display the form
    1. put $_SERVER["PHP_SELF"] into a variable
    2. echo an HTML form probably with several echo lines although it could be done in one:
      1. the form opening tag (make the action the variable you created like this: <form action=\"$page\" method=\"post\">)
      2. a label for the first field (remember to escape the quotes) which will be called username
      3. the first field should be a text field and will hold the user name so call it username
      4. a second, password field with a label
      5. a submit button
      6. the closing form tag
    3. a line which just says exit; to stop the rest of the page showing if the user is not logged in

You should now be able to test the page so far.  The first time you should see just the form.  When you submit the form you should see your message saying it has been posted (and the rest of the page).  Now to do the check on the user name and password:

  1. you currently have an echo line which says that the form has been posted - comment it out and under it:
    1. get the form data and put it into variables after using trim to remove any extra spaces
    2. add a new empty if/else statement
    3. check that the username and (&&) password typed in are pandora and password and then
      1. in the if part echo a paragraph saying correct (this will be replaced soon)
      2. in the else:
        1. echo a paragraph saying that the user name and password were wrong (it is best not to tell them which was wrong as that helps hackers)
        2. exit; to prevent the rest of the page being shown
    4. test the form with correct and incorrect details (that should take at least three separate tests)
  2. replace the correct echo line with a line which writes a cookie username and makes the value the user name held in the variable (remember no quotes around variable names)

Test the page one last time with the correct user name and password.  Once logged in you should see nothing except the original page.  If you visit the page again (not refresh but click on the URL and press enter) you should not see the form again as the cookie has been found.

If anything does not work check your structure against the simplified one below.  The if structures should be the same.

Close your browser if you want to do more testing and it should delete the cookie.  If not you will need to manually delete the cookie with a log out page (see cookie duration on that page).

The if structure

if there is no cookie {

    if the log in form has been posted {

        if the username and password are right {

            write the cookie

        } else {

            tell them they were wrong and stop running the page

        }

    } else (no posted form) {

        show the log in form and stop running the page

    }

}

show the rest of the page  (you only get here after successful log on due to the use of exit twice)

The effect of this is that if they are logged in they see the page but if not they are asked to log in.
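
One way the finished function could look, following the if structure above.  This is an added example, not code from the original page: the function name check_login, the field name password and the label text are assumptions, and the escaping of PHP_SELF is an addition to the steps.

```php
<?php
// Added example, not the page's own code. check_login() is an assumed name;
// the cookie, field names and credentials follow the steps above.
function check_login() {
    // Presence check only (step 2): the browser supplies the cookie,
    // so this shows that a cookie named username was sent, nothing more.
    if (!isset($_COOKIE["username"])) {

        if (isset($_POST["username"], $_POST["password"])) {
            // Form posted: trim the input before comparing
            $username = trim($_POST["username"]);
            $password = trim($_POST["password"]);

            if ($username === "pandora" && $password === "password") {
                // No expiry time, so the cookie goes when the browser closes.
                // setcookie() sends a header: call check_login() before any output.
                setcookie("username", $username);
            } else {
                // Same message whichever field was wrong
                echo "<p>The user name or password was wrong.</p>";
                exit;
            }

        } else {
            // Not part of the steps above: PHP_SELF is built from the requested
            // URL, so escape it before echoing it into the action attribute.
            $page = htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES);
            echo "<form action=\"$page\" method=\"post\">";
            echo "<label for=\"username\">User name</label>";
            echo "<input type=\"text\" name=\"username\" id=\"username\">";
            echo "<label for=\"password\">Password</label>";
            echo "<input type=\"password\" name=\"password\" id=\"password\">";
            echo "<input type=\"submit\" value=\"Log in\">";
            echo "</form>";
            exit;
        }
    }
    // Falling out of the function lets viewlog.php show the rest of the page
}
```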

Even if the page works you may have made some minor errors which could mess it up on some browsers so right click on viewlog.php in your browser, view source, copy it and paste into the W3C validator.