ok I have a login form that works and checks but I can just put in the url to go to a specific page inside of the website I am designing and get into it without logging in, how can I remedy this? I have gone through many tutorials and every time I hit the protection script it throws me to the page I want the people not signed in to go to even if I sign in properly.


Actually it's hard to decipher what you want although your thread's question is understandable, though too generalized. Can you please provide snippets of your code, and put what you want to do in bullets? If it's ok for you.

Ok, What I am doing is creating an Admin area for the website to make a CMS to easily manage the website.

Here is the signin page:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login</title>
</head>
<body>
<center><h1><font color="#09729f">Rise & Shine<br/>Login</font></h1>
<form action="login.php" method="post" enctype="multipart/form-data">
User Name: <input type="text" name="userName" /><br />
Password: <input type="password" name="password" /><br />
<input type="submit" value="Login" />
</form></center>
</body>
</html>

my login.php:

<?php
require 'connect_to_other_required_pages';

// the session has to be started before anything is written to $_SESSION
session_start();

$errors = array();

if(empty($_POST) === false)
{
    $username = $_POST['userName'];
    $password = $_POST['password'];

    if(empty($username) === true || empty($password) === true)
    {
        $errors[] = 'please enter a username and password';
    }else if(user_exists($username) === false)
    {
        $errors[] = 'we can\'t find that user, please contact AZ Media Production';

    }else
    {
        // login() returns the user_id on success, false otherwise
        $login = login($username, $password);

        if($login == false)
        {
            $errors[] = 'That username and password combination is incorrect';

        }else
        {
            // the key must be a quoted string, not a bare constant
            $_SESSION['user_id'] = $login;

            header('Location: editor.php');
            exit(); // stop the script so nothing below runs after the redirect
        }
    }
    print_r($errors);
}
?>

my protection function which the tutorial said is supposed to be placed at the top of any page I want protected:

if(login($username, $password) == false)
{
    header('Location: logout.php');
    exit();
}

and finally the login function that the login uses and the protection uses to check and see if the user name and password in $_POST are correct:

function login($username, $password)
{
    $user_id = user_id_from_username($username);
    $username = sanitize($username);
    // the password is used as-is: it is not escaped before going into the query
    $password = $password;
    // compares the password in plain text against the stored value
    $query = mysql_query("SELECT COUNT(user_id) FROM users WHERE userName = '$username' AND password = '$password'");

    // exactly one matching row means the credentials are valid
    return(mysql_result($query, 0) == 1) ? $user_id : false;
}

however any time I add in the check at the top of the pages I want to protect I get thrown over to the logout page whether I am signed in properly or not.

The problem's in the login function, you don't have any DB resource to reference to when executing the query.

function login($username, $password)
{
    $user_id = user_id_from_username($username);
    $username = sanitize($username);
    $password = $password;
    // Particularly in this part
    $query = mysql_query("SELECT COUNT(user_id) FROM users WHERE userName = '$username' AND password = '$password'");
    return(mysql_result($query, 0) == 1) ? $user_id : false;
}

what are you talking about? the login works just fine and gets me to the page I want to be in as long as I don't have the protection code at the top, and it blocks me from getting in when I put in the wrong information, as long as I go in from the login page.

Hi,

on your function login, you can try setting the session for that username.

for example,

    if(mysql_num_rows($query) == 1){
        ## this user exists
        ## set session for this user
        session_start();

        $_SESSION['thisUser'] = $username;
    }
    else{
        ## do what you want to do on failed login
    }

Your protection function on top of every page can be as simple as this

    session_start();
    if(!isset($_SESSION['thisUser']) )
    {
        ## this user is not logged in, send them to the login page, or wherever you deemed appropriate.
        header("location:login.php");
        die();
    }
    else{
        ## this user is authenticated at the very least :).
        $user_isLogin = true;

        $user = $_SESSION['thisUser'];
    }

Warning! There are broader topics in web security, validation, and sanitization of data you must take into consideration, before sending this script to production site.
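The session approach described in the reply above, and the unescaped SQL in the login function posted earlier in the thread, written out as one added example. This is not code from the thread; it assumes a PDO connection and a hypothetical `users` table with `user_id`, `userName` and `password_hash` columns, and uses an in-memory SQLite table (constructed here) to stand in for the real MySQL database so it can be run from the command line.

```php
<?php
// Added example, not the thread's code. Assumes a PDO connection and a
// hypothetical users(user_id, userName, password_hash) table.
declare(strict_types=1);

// Verify credentials with a prepared statement: neither the username nor the
// password is ever interpolated into the SQL string, and the stored value is
// a password_hash(), not the plain-text password.
// Returns the user_id on success, or null on failure.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT user_id, password_hash FROM users WHERE userName = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['user_id'];
}

// session_start() must run before anything is read from or written to
// $_SESSION and before any output is sent; guard so it runs only once.
function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Called from login.php after the form is posted. On success the user_id is
// stored in the session and the session id is regenerated, so a session id
// handed out before login cannot be reused afterwards (session fixation).
function login_user(PDO $db, string $username, string $password): bool
{
    start_session_once();
    $userId = authenticate($db, $username, $password);
    if ($userId === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}

// Placed at the top of every protected page (editor.php, ...). It does not
// re-check a password (the form values do not exist on that page); it only
// asks whether a login was recorded in the session. The exit() after the
// redirect matters: without it the rest of the page is still sent.
function require_login(string $loginPage = 'login.php'): int
{
    start_session_once();
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $loginPage);
        exit();
    }
    return (int) $_SESSION['user_id'];
}

// Constructed in-memory table standing in for the real MySQL users table.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, userName TEXT UNIQUE, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (userName, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'admin', ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

if (PHP_SAPI === 'cli') {
    $db = demo_db();
    // wrong password: rejected
    var_dump(authenticate($db, 'admin', 'wrong password'));
    // a quote in the username is treated as data by the prepared statement, not as SQL
    var_dump(authenticate($db, "admin' OR '1'='1", 'anything'));
    // correct credentials: the user_id comes back
    var_dump(authenticate($db, 'admin', 'correct horse battery'));
}
```

The split matters: `login_user()` is the only place a password is checked, and every protected page just calls `require_login()` at its very top, before any HTML is output, so that the `Location` header can still be sent.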

my login.php sets that up after it checks to make sure that userName and password are correct, and I have tried that code and it still doesn't let me in when I sign in with proper information.

Dude,

Your controlled page does not check for any existing session. You need to validate if the session exists, before letting them in.

I hope I am making sense here.

no it doesn't now, that was a step I tried yesterday and it failed miserably. still sent me to the logout page, I believe my code was,

if(!($_SESSION[user_id] = $username))
{
    header('Location: logout.php');
    exit();
}

then I tried

    session_start();
    if(!isset($_SESSION['user_id']) )
    {
        header("location:login.php");
    }
    else{
        // page code here
    }

and even reversed it, and then I tried entering $_SESSION[$username] which is completely off the wall I know just thought I'd give it a shot.

thanks all I found a solution

If you're going to run an online store or ecommerce Web site, you should be aware of HTTPS - or HyperText Transfer Protocol with Secure Sockets Layer. HTTPS is a protocol to transfer encrypted data over the Web.

thanks kam, I am aware of HTTPS, however I am not running either of those, I just needed to secure the web page for a general admin area so that other people don't get in and change my announcements and other information that I don't want changed on the web site.
