scorpio22 Posted March 24, 2010

I have developed a website where I have 2 access levels, users and admin. On the server, I have an admin folder with all the admin stuff and a user folder with all the user stuff. Based on the username/password combination from the login page, I am redirecting the user to the appropriate location. Everything is fine, but when a user logs in and changes or types the pages from the admin folder into the address bar, he is able to access them. How do I prevent this from happening? For example, if the user is redirected to User.php and he changes the address to Admin.php, he gets access to all the admin stuff from there on. I want to know how I can prevent a user from entering the Admin folder and all its pages completely, even by changing the address bar. Thanks.
premiso Posted March 24, 2010

Add verification to admin.php to require a valid administrator. However you are redirecting the user to the correct page, use that logic to validate the user on each admin page.
PFMaBiSmAd Posted March 24, 2010

You must enforce security on each page, not just by outputting links or redirecting. You cannot achieve security by hiding pages. Sooner or later someone will find them. Each page must check if the current visitor is both logged in and has permission to access that page.
scorpio22 (Author) Posted March 24, 2010

Is there no other way to achieve this? There are so many pages in the admin (obviously, because admin has access to everything), so I was wondering if there was any other simple solution?
schilly Posted March 24, 2010

You need an authentication file which is checked every time a user or admin page loads. There is no point in validating a login if there is no access check on your pages. Any admin file needs a check in it that looks for a specific admin variable in the session, and the same for the user area. So if you're setting an access level in the session when the person logs in, you check this and either display the page or redirect them somewhere.

```php
<?php
session_start();

// If they are not an admin (or not logged in at all), send them away.
// Nothing may be output before header(), and exit() stops the page from
// continuing to render after the redirect header is sent.
if (!isset($_SESSION['access_level']) || $_SESSION['access_level'] != 1) {
    header('Location: user.php');
    exit();
}
```

Put that in a file and include it in all your admin pages. Create something similar for users as well. That's just an example, but it really all depends on how you set your session.
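A fuller version of the "authentication file" described in the post above, written as an added example (this is not code from the original thread or from any of its posters). It also covers the login-time step the thread gets to later: putting the username and access level into the session once the password check succeeds. The key names ($_SESSION['username'], $_SESSION['access_level']), the level constants, the file name auth.php and the redirect targets are assumptions chosen to match the thread; adjust them to your own login code.

```php
<?php
// auth.php (assumed name): shared by the login page and by every guarded page.
// Every file in the admin folder require()s this as its very first line,
// before any HTML is output, and then calls require_level(LEVEL_ADMIN, ...).

declare(strict_types=1);

const LEVEL_USER  = 0;
const LEVEL_ADMIN = 1;

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call this from the login page only after the username/password check passed.
function establish_session(string $username, int $accessLevel): void
{
    start_session_once();
    // Fresh session ID on login: an ID the visitor already had before
    // authenticating (possibly handed to them by someone else) must not
    // silently become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['username']     = $username;
    $_SESSION['access_level'] = $accessLevel;
}

// True only if the visitor is logged in AND holds at least $required.
// Strict checks: a missing key, the string "1", "admin" or true never count.
function has_access(int $required): bool
{
    start_session_once();
    if (!isset($_SESSION['username'], $_SESSION['access_level'])) {
        return false; // no login at all
    }
    $level = $_SESSION['access_level'];
    return is_int($level) && $level >= $required;
}

// The check itself. Nothing may be echoed before header(), and exit() is
// essential: without it PHP keeps running and the rest of the admin page is
// still sent to the browser together with the redirect header.
function require_level(int $required, string $redirectTo): void
{
    if (has_access($required)) {
        return;
    }
    header('Location: ' . $redirectTo, true, 303);
    exit();
}

// First two lines of every admin page:
//   require __DIR__ . '/../auth.php';
//   require_level(LEVEL_ADMIN, '/user/user.php');
// First two lines of every user page:
//   require __DIR__ . '/../auth.php';
//   require_level(LEVEL_USER, '/login.php');
```

The check lives on the server in every guarded file, so it does not matter whether the visitor arrived through a link, a redirect or by typing the URL: the page simply is not rendered unless the session says it may be.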
scorpio22 (Author) Posted March 24, 2010

Thanks schilly, I can do that. I have set Username as a session variable when a user logs in, so based on that session I can find out the username and find out if he has admin access or not. But when I upload it to a website, there will be multiple users accessing the website at the same time. In that case, having only one session, will it be overwritten or something like that? If admin and user log in at the same time, then what will the session variable be? Or is the session dependent only on the local system from which the user is accessing?
schilly Posted March 24, 2010

Each session is assigned to each user. Sessions can be hijacked, but that is another story.

It sounds like you don't set the session when the user logs in? Typically when someone logs in you:

- create the session (session_start()) if one hasn't been created already
- put some kind of authentication variable in the session to distinguish the user (i.e. username) as well as any other info you will make use of during that person's visit to your site (first name, access level, etc.)

Now if someone accesses a login-restricted page, we check the session, validate them, then either show the page or redirect them somewhere else.
scorpio22 (Author) Posted March 24, 2010

> It sounds like you don't set the session when the user logs in? Typically when someone logs in you:
>
> - create the session (session_start()) if one hasn't been created already
> - put some kind of authentication variable in the session to distinguish the user (i.e. username) as well as any other info you will make use of during that person's visit to your site (first name, access level, etc.)
>
> Now if someone accesses a login-restricted page, we check the session, validate them, then either show the page or redirect them somewhere else.

Yes, I have set a session once a user logs in, and now I have set a variable access_level in it and am checking if the user is admin or not. I have fixed that issue, thanks to you. But my question is: can multiple users log in at the same time and have the same variable $_SESSION['username'] as their session, or will it lead to a clash of sessions when there are multiple users logged in at the same time?
schilly Posted March 24, 2010

> But my question is: can multiple users log in at the same time and have the same variable $_SESSION['username'] as their session, or will it lead to a clash of sessions when there are multiple users logged in at the same time?

Yes, multiple users can log in at the same time. Sessions are independent of each other.
scorpio22 (Author) Posted March 24, 2010

> ```php
> session_start();
> // if they are not an admin
> if ($_SESSION['access_level'] != 1) {
>     header('location: user.php');
>     exit();
> }
> ```

How can I raise an alert box and at the same time redirect the user to his homepage? Here is the code I tried. It is not raising an alert but is redirecting.

```php
<?php
session_start();

if ($_SESSION['access_level'] != "admin") {
    // The echo sends output (and therefore the HTTP headers) to the browser,
    // so the header() call below can no longer change the response.
    echo '<script language="javascript">alert("You do not have access to this page")</script>';
    header('location: ../user/user.php');
    exit();
}
```

If I comment out header, then it is showing me the message box and exiting. Is there any method to get a notification that the user has no access to this page and redirect to user.php?
schilly Posted March 24, 2010

If you use a header redirect you can't output anything to the browser beforehand.
scorpio22 (Author) Posted March 24, 2010

> If you use a header redirect you can't output anything to the browser beforehand.

OK... any other possible way to achieve what I am trying to do? A message box or alert that you are not allowed to view this, and then move back to the previous page.
schilly Posted March 24, 2010

Set a variable in the session or pass a GET variable to the script you redirect them to, then check for it in your script and display the appropriate message.
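The session-variable approach from the reply above, worked through as an added example (not code from the original thread). The guard stores the message in the session before redirecting, and the landing page reads it, clears it and shows it once. The key name $_SESSION['flash'] and the user.php path are assumptions. The session is used rather than a GET parameter because a GET value is fully controlled by whoever builds the URL; if you do take the message from the query string, the escaping shown in flash_alert() is what keeps it from becoming script injection.

```php
<?php
// flash.php (assumed name): one-shot message passed across a redirect.

declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Called from the admin guard instead of a bare header() redirect.
// Nothing may have been output before this point.
function deny_and_redirect(string $message, string $to): void
{
    start_session_once();
    $_SESSION['flash'] = $message;
    header('Location: ' . $to, true, 303);
    exit();
}

// Called once on the landing page. Returns the message and removes it from the
// session so a reload does not show it again; null if there is nothing to show.
function take_flash(): ?string
{
    start_session_once();
    $message = $_SESSION['flash'] ?? null;
    unset($_SESSION['flash']);
    return is_string($message) ? $message : null;
}

// Builds the alert() snippet. json_encode() with the JSON_HEX_* flags produces
// a JavaScript string literal in which quotes, <, > and & are escaped, so the
// message can be dropped inside <script> without breaking out of it.
function flash_alert(?string $message): string
{
    if ($message === null || $message === '') {
        return '';
    }
    $literal = json_encode(
        $message,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>alert(' . $literal . ');</script>';
}

// In the admin guard (top of every admin page, before any output):
//   session_start();
//   if (($_SESSION['access_level'] ?? null) !== 1) {
//       deny_and_redirect('You do not have access to this page.', '../user/user.php');
//   }
//
// In user.php, inside <body> where the alert should appear:
//   echo flash_alert(take_flash());
```

The browser therefore receives a clean 303 redirect with no body, follows it to user.php, and only that page emits the alert. Clearing the key in take_flash() is what makes the message appear exactly once instead of on every later visit to user.php.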