
Unauthorised access to admin is a problem


geroid


Hi

I've just created my first website and uploaded it to a hosting site today for the client. It's working very well but I have a problem. There is an admin area that admin can log into via the site. Obviously I don't want anyone else to be able to see the admin pages. Admin can log in with a username and password (encrypted with md5). However I have noticed that if you just put the address of the admin page into the address bar (i.e. www.domainname/adminpage.php), it allows immediate access to anyone, bypassing the login. This is a major problem. I'm relatively new to this so I would appreciate some help.

 

Thanks

 

gerry


In other words, your login page would set...

 

<?php session_start(); $_SESSION['logged_in'] = true; ?>

 

Whilst the other page would check

 

<?php
session_start();
if (empty($_SESSION['logged_in'])) {
   // not logged in: redirect to the login page and stop rendering this page
   header("Location: http://www.yourdomain.com/login.php");
   exit();
}
?>


Thanks cags, I was gonna add that, but wasn't sure he was using sessions to check login in the first place. ;)

 

geroid, if you register your session on your login script, and add what cags put onto your admin page, anyone that is not logged in will be redirected to your login page.


Thanks

I'm trying to understand this. Are you saying that when admin logs in I should include the following code at that successful login stage:

<?php session_start(); $_SESSION['logged_in'] = true; ?>

Then if anyone tries to go directly to the admin page I should have this code at the top of that admin page:

<?php
session_start();
if (empty($_SESSION['logged_in'])) {
   // not logged in: redirect to the login page and stop rendering this page
   header("Location: http://www.yourdomain.com/login.php");
   exit();
}
?>

 

Is that the idea? With the first line, <?php session_start(); $_SESSION['logged_in'] = true; ?>, am I just creating a session variable (logged_in)? What will this do exactly?

 

Sorry for seeming stupid

 


On your login page (the page you are sending them to, to check if the username and password are correct), after you have checked the result in the database, add this....

 

// session_start() must run before any output, so put it at the very top of the login script
session_start();

$row = mysql_num_rows($result);
if($row == 1){
    $row = mysql_fetch_array($result);
    // rotate the session id on login, then register the username in the session
    session_regenerate_id(true);
    $_SESSION['username'] = $row['username'];
    header( "Location: admin.php" );
    exit;
}
// note: the mysql_* functions used here were removed in PHP 7; mysqli or PDO replace them

 

Change $row['username'] to whatever you are using. Then on the admin page, or on all the pages that users must be logged in for, add this code....

 

<?php
//start the session
session_start();

//check to make sure the session username variable is registered
if(isset($_SESSION['username'])){
    $username = $_SESSION['username']; //adds username to variable so you can use this if you need it
}
else{
    //the session variable isn't registered, send them back to the login page
    header( "Location: login.php" );
    //stop here: without exit the rest of the admin page is still sent to the client
    exit;
}
?>
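Putting the steps from the thread into one include file, as an added example that is not code from any of the posters: a login step that sets the session flag, and the check every admin page runs before sending any output. It assumes PHP 7.3 or later, a site served over HTTPS, and the names shown (auth.php, /login.php, /admin.php); the user lookup is left to a caller-supplied callable because the database code in the thread is not shown in full. Credentials are checked with password_verify() against a password_hash() value rather than md5, which is a fast unsalted digest and not suitable for storing passwords.

```php
<?php
// auth.php: added example, not code from the thread. Every admin page starts
// with  require 'auth.php'; auth_require_admin();  before any HTML is sent.
// Assumed names: auth.php, /login.php, /admin.php, and the lookup callable.
declare(strict_types=1);

// Start the session once, with the id cookie marked HttpOnly and Secure
// (assumes HTTPS) so it cannot be read by script or sent over plain HTTP.
function auth_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser session
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Mark the session as logged in. The id is regenerated first so a session id
// planted in the browser before login (session fixation) never becomes an
// admin session.
function auth_login(string $username): void
{
    auth_session_start();
    session_regenerate_id(true);
    $_SESSION['logged_in']  = true;
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
}

// Verify a submitted username/password. $lookupHash is an assumed helper that
// returns the password_hash() value stored for the user, or null if there is
// no such user. Unknown user and wrong password take the same path so the
// response does not reveal which usernames exist.
function auth_handle_login(array $post, callable $lookupHash): bool
{
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['password'] ?? '');
    $stored   = $lookupHash($username);
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    auth_login($username);
    return true;
}

// The gate for admin pages. Typing /adminpage.php straight into the address
// bar hits this before anything else on the page runs. exit() is essential:
// a Location header by itself does not stop PHP from emitting the rest of the
// page, and a client that ignores the redirect would receive the admin content.
function auth_require_admin(string $loginUrl = '/login.php'): string
{
    auth_session_start();
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['username'])) {
        header('Location: ' . $loginUrl, true, 303);
        exit();
    }
    return (string) $_SESSION['username'];
}

// Clear the session server side and expire the cookie client side.
function auth_logout(): void
{
    auth_session_start();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// How the two pages use this (sketched; the login form itself is omitted).
// login.php:
//   require 'auth.php';
//   // constructed stand-in for the users table; a real site runs a SELECT here
//   $users = ['gerry' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
//   if ($_SERVER['REQUEST_METHOD'] === 'POST'
//       && auth_handle_login($_POST, fn(string $u): ?string => $users[$u] ?? null)) {
//       header('Location: /admin.php', true, 303);
//       exit();
//   }
// admin.php and every other admin page, as the very first lines:
//   require 'auth.php';
//   $username = auth_require_admin();
```

The 303 status makes the browser follow the redirect with a GET regardless of the request method used on the admin page, and the check belongs in a single include so a new admin page cannot be added without it.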

