You can use session,if the session array is not set ,the url redirected to a login page. .

I have just made a function that checks if a URL exists or not

$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

function url_exists($url, $ch) {
   curl_setopt($ch, CURLOPT_URL, $url);
   $out = curl_exec($ch);
   // line endings is the wonkiest piece of this whole thing
   $out = str_replace("\r", "", $out);

   // only look at the headers
   $headers_end = strpos($out, "\n\n");
   if( $headers_end !== false ) { 
       $out = substr($out, 0, $headers_end);
   }   
   //echo $out."====<br>";
   $headers = explode("\n", $out);
   //echo "<pre>";
   //print_r($headers);
   foreach($headers as $header) {
       //echo $header."---<br>";
       if( strpos($header, 'HTTP/1.1 200 OK') !== false ) { 
          return true;
          break;
       }
   }  

}

Now I have used an array of URLs to check if a URL exists as following:

$my_url_array = array('http://howtocode.pk/result', 'http://google.com/jobssss', 'https://howtocode.pk/javascript-tutorial/', 'https://www.google.com/');

for($j = 0; $j < count($my_url_array); $j++){

      if(url_exists($my_url_array[$j], $ch)){
           echo 'This URL "'.$my_url_array[$j].'" exists. <br>';
      }
}

$urls = array(
    'http://www.apple.com/imac',
    'http://www.google.com/'
);

$ch = curl_init();

curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

foreach($urls as $url) {
    curl_setopt($ch, CURLOPT_URL, $url);
    $out = curl_exec($ch);

    // line endings is the wonkiest piece of this whole thing
    $out = str_replace("\r", "", $out);

    // only look at the headers
    $headers_end = strpos($out, "\n\n");
    if( $headers_end !== false ) { 
        $out = substr($out, 0, $headers_end);
    }   

    $headers = explode("\n", $out);
    foreach($headers as $header) {
        if( substr($header, 0, 10) == "Location: " ) { 
            $target = substr($header, 10);

            echo "[$url] redirects to [$target]<br>";
            continue 2;
        }   
    }   

    echo "[$url] does not redirect<br>";
}

I'm not sure whether this really makes sense as a security check.

If you are worried about files getting called directly without your "is the user logged in?" checks being run, you could do what many big PHP projects do: In the central include file (where the security check is being done) define a constant BOOTSTRAP_LOADED or whatever, and in every file, check for whether that constant is set.

Testing is great and security testing is even better, but I'm not sure what kind of flaw you are looking to uncover with this? To me, this idea feels like a waste of time that will not bring any real additional security.

Just make sure your script die() s after the header("Location:...") redirect. That is essential to stop additional content from being displayed after the header command (a missing die() wouldn't be caught by your idea by the way, as the redirect header would still be issued...)

If you really want to do this, you could also use a tool like wget and feed it a list of URLs. Have it fetch the results into a directory, and check (e.g. by looking at the file sizes that should be identical) whether every page contains the login dialog. Just to add another option...

I can't understand your question. You have an array with URLs and you want to know if user is from one of the listed URLs? If I'm right in understanding your quest:

$urls = array('http://url1.com','http://url2.ru','http://url3.org');
if(in_array($_SERVER['HTTP_REFERER'],$urls))
{
 echo 'FROM ARRAY';
} else {
 echo 'NOT FROM ARR';
}

You could always try adding:

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); 

since 302 means it moved, allow the curl call to follow it and return whatever the moved url returns.