Login Script with hidden buttons

I have been using PHP and JavaScript for building my dad’s website. He wants to incorporate a login system into his website, and I have the design for the system using PHP. My problem is how do I show buttons if the person is logged in?

For Example – You have Home, Products, About Us, and Contact. I want to have buttons for Dealer, Distributor, and maybe other information if the user is logged in. So I will have Home, Products, About Us, Contacts, Dealer (if dealer login), Distributor (if distributor login), and so forth.

Would JavaScript be a good way to do this or would PHP, or maybe even both? Using JavaScript to show and hide buttons, and PHP to check to see which buttons to show.

Regarding security, you cannot trust what comes from the client:

  • The visitor can see all your code (HTML and Javascript, not PHP) and try stuff
  • The visitor may not even use a browser; it’s trivially easy to send a request with a script

This means hiding the buttons is good User Interface design (because you can’t use them if you are not logged in). But it’s not a security feature. The security feature is checking, on the server, that the visitor is logged in before each action that requires it.

If you don’t intend to show the buttons, it’s not useful to send the HTML and images to the browser and then hide them with Javascript. I would check with PHP.

In your menu file or w/e you put:

    <?php require 'auth.php'; ?>
    <li><a href="">Home</a></li>
    <li><a href="">Products</a></li>
    <?php if( loggedin() ): ?><li><a href="">Secret area</a></li><?php endif; ?>

Then in pages that require auth just do this:

    require 'auth.php';
    require_login();

Where auth.php may contain:

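    session_start(); // $_SESSION is empty until the session is started

    function loggedin(){
        return isset( $_SESSION['loggedin'] );
    }

    function require_login(){
        if( !loggedin() ){
            header( 'Location: /login.php?referrer=' . urlencode( $_SERVER['REQUEST_URI'] ) );
            exit; // stop here so the protected page does not run after the redirect
        }
    }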
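
An added example (not from the original answers) that extends the auth.php idea to the Dealer and Distributor logins from the question: one table drives both the menu that gets rendered and the server-side check on each restricted page. The paths, the `role` session key and the function names are assumptions.

```php
<?php
// auth.php (added example; paths, role names and session key are assumptions)
if (session_status() === PHP_SESSION_NONE) session_start();

// One table drives both what is shown and what is allowed. roles = null means public.
const MENU = [
    'Home'        => ['path' => '/index.php',       'roles' => null],
    'Products'    => ['path' => '/products.php',    'roles' => null],
    'Dealer'      => ['path' => '/dealer.php',      'roles' => ['dealer']],
    'Distributor' => ['path' => '/distributor.php', 'roles' => ['distributor']],
];

function current_role(): ?string {
    // Set by the login handler only after the password has been verified.
    return $_SESSION['role'] ?? null;
}

function allowed(?array $roles): bool {
    return $roles === null || in_array(current_role(), $roles, true);
}

// UI only: emit just the links this visitor may use.
function render_menu(): string {
    $html = "<ul>\n";
    foreach (MENU as $label => $item) {
        if (allowed($item['roles'])) {
            $html .= sprintf("  <li><a href=\"%s\">%s</a></li>\n",
                htmlspecialchars($item['path']), htmlspecialchars($label));
        }
    }
    return $html . "</ul>\n";
}

// The actual access control: call at the top of every restricted page, before
// any output, e.g. in dealer.php:  require 'auth.php'; require_role('dealer');
function require_role(string ...$roles): void {
    if (allowed($roles)) {
        return;
    }
    if (current_role() === null) {
        // Not logged in. login.php should accept only local paths in "referrer".
        header('Location: /login.php?referrer=' . urlencode($_SERVER['REQUEST_URI']));
    } else {
        http_response_code(403); // logged in, but with the wrong role
        echo 'Forbidden';
    }
    exit; // without this the protected page would still run after the redirect
}
```

A distributor who requests /dealer.php directly gets the 403 even though the Dealer link was never sent to their browser.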

If you use javascript to hide the buttons, you open a security hole in the application. A malicious user could either disable javascript or apply some of their own to get around your security.


I suggest using PHP to choose to either render the buttons or not. I do this in .NET quite often.

You should be able to check the user’s access on the server-side whenever they try to use a restricted button as well.

What we have done at my work is have a library that provides functions such as checking if the user is logged in. For example:

    require_once 'Auth.php';
    // output some html
    if (isLoggedIn()) {
        echo 'html for logged in user';
    }
    // rest of html

For pages that only authenticated users should see, the controller checks if they are logged in and if not it redirects them to the login page.

    public function viewCustomer($customerId) {
        if (!isLoggedIn()) { /* redirect to the login page */ }
    }

Everything that Christian Lescuyer wrote is correct. Notice, however, that he said “I would” and not “you should”. The choice is not that easy.

First of all, security is not an issue in the choice. You should have a security check on the server when you execute an action. Which code decides to show/hide the button that leads to the action is irrelevant.

That leaves us with only one drawback of doing show/hide logic in Javascript – the HTML sent to user is bigger than necessary. This may not be a big deal.

Having show/hide logic in PHP does have a minus, though. The PHP code required is usually a tag soup. Akira’s code provides a good example of how it is usually done.

Corresponding Javascript code would probably look something like this:

    if (logged())
        elementSecretArea.style.display = "list-item";

(assuming that elements that could be hidden have display:none by default).


This style also allows nice “Ajax” scenario: user sees a page w/o secret area, inputs password, sees the secret area all without refreshing the page.

So, if you already have a script that runs when your document loads for other reasons, I would seriously consider having show/hide logic there.

Basically where you have your menu in html, say as a list <ul> <li>Home</li> </ul> you add php after </li> of the last item:

    <?php if ($session->logged_in) { ?>
    <li>My Account</li>
    <?php } ?>


The answers/resolutions are collected from stackoverflow, are licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0 .
