lilwing Posted June 19, 2008 Share Posted June 19, 2008 Maybe this is easily solved; First I have a login page, with a session variable called 'logged'. The php script is this: <?php session_start(); $_SESSION['logged'] = false; $_SESSION['uid'] = 0; $_SESSION['username'] = ''; ?> Then I have a verification script, which redirects the user to the administration page, if the correct username and password are entered. On the administration page, I have the following script at the beginning: <?php ob_start(); session_start(); if ($_SESSION['logged']==false) { header('location:http://www.url.org/auth/login.php'); } ?> If the user tries to access the administration iles with a session started, and he has not logged in, he will be redirected to the login page. However, if the session ends, and he tries to access the administration page, via URL, since the session is not started, and this variable is not there to protect it, the administration page becomes accessible. How do I correct this problem? Quote Link to comment Share on other sites More sharing options...
hitman6003 Posted June 19, 2008 Share Posted June 19, 2008 Check to see if the logged element exists...if not, redirect: if (!$_SESSION['logged'] || $_SESSION['logged'] == false) { header('location:http://www.url.org/auth/login.php'); } Quote Link to comment Share on other sites More sharing options...
lilwing Posted June 19, 2008 Author Share Posted June 19, 2008 Thanks... I had no idea I could do that! Hopefully there are no other security issues while I am beta testing. It's a simple script, but it seems to work effectively. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.