Jump to content

Unauthorised access to admin are problem

geroid

By geroid
in PHP Coding Help

 Share

Recommended Posts

geroid Member

geroid

Posted
Posted

Hi

I'vé just created my first website and uploaded it to a hosting site today for the client. It's working very well but I have a problem. There is an admin area that admin can log into via the site. Obviously I don't want anyone else to be able to see the admin pages. Admin can login with a username and password (encrypted with md5). However I have notice that if you just  put the address into the address bar of the admin page (i.e. www.domainname/adminpage.php), it allows immediate access to anyone, bypassing the login. This is a major problem. I'm relatively new to this so I would appreciate some help.

 

Thanks

 

gerry

cags Member

cags

Posted
Posted

In other words, your login page would set...

 

<?php $_SESSION['logged_in'] ?>

 

Whilst the other page would check

 

<?php
if(!$_SESSION['logged_in']) {
   // redirect
   header("Location: http://www.yourdomain.com/login.php");
   exit();
}
?>

daneth1712 Member

daneth1712

Posted
Posted

thanks cags, I was gonna add that, but wasnt sure he was using sessions to check login in the first place.  ;)

 

geroid, if you register your session on your login script, and add what cags put onto your admin page, anyone that is not logged in will be redirected to your login page.

geroid Member

geroid

Posted
  • Author
Posted

Thanks

I'm trying to understand this. Are you saying that when admin logs in I should include the following code at that successful login stage:

<?php $_SESSION['logged_in'] ?>

Then if anyone tries to go directly to the admin page I should have this code at the top of that admin page:

<?php
if(!$_SESSION['logged_in']) {
   // redirect
   header("Location: http://www.yourdomain.com/login.php");
   exit();
}
?>

 

Is that the idea? With the first line, <?php $_SESSION['logged_in'] ?>, am I just creating a session variable (logged_in). What will this do exactly?

 

Sorry for seeming stupid

 

daneth1712 Member

daneth1712

Posted
Posted

On your login page, (the page you are sending them too to check if username and password is correct) after you have checked the result in the database, add this....

 

$row = mysql_num_rows($result);
if($row == 1){
while($row = mysql_fetch_array($result)){

//start the session and register variable to username
session_start();
$_SESSION['username']= $row['username'];
header( "Location: admin.php" );
exit;
}

 

change $row['username']; to whatever you are using. then on the admin page, or all the pages that the users must be logged in for add this code....

 

<?php
//start the session
session_start();

//check to make sure the session username variable is registered
if(isset($_SESSION['username'])){
$username=$_SESSION['username']; //adds username to variable so you can use this if you need it
}
else{
//the session variable isn't registered, send them back to the login page
header( "Location: login.php" );
}
?>

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.