
changing address bar gives access for user to admin page.


scorpio22


I have developed a website with two access levels, users and admin. On the server, I have an admin folder with all the admin stuff and a user folder with all the user stuff. Based on the username/password combination from the login page, I redirect the user to the appropriate location.

 

Everything is fine, but when a user logs in and then changes or types the address of a page from the admin folder into the address bar, he is able to access it. How do I prevent this from happening?

 

For example, if the user is redirected to User.php and he changes the address to Admin.php, he gets access to all the admin stuff from there on.

 

I want to know how I can completely prevent a user from entering the Admin folder and all its pages, even by changing the address bar.

Thanks.


You must enforce security on each page, not just by outputting links or redirecting. You cannot achieve security by hiding pages. Sooner or later someone will find them.

 

Each page must check if the current visitor is both logged in and has permission to access that page.


You need an authentication file which is checked every time a user or admin page loads. There is no point in validating a login if there is no access check on your pages.

 

Any admin file needs a check in it that looks for a specific admin variable in the session, and the same for the user area.

 

So if you're setting an access level in the session when the person logs in, you check this and either display the page or redirect them somewhere.

 

<?php
session_start();

// if there is no access level in the session, or they are not an admin,
// send them to the user page before anything is output
if (!isset($_SESSION['access_level']) || $_SESSION['access_level'] != 1) {
    header('Location: user.php');
    exit();
}

 

Put that in a file and include it in all your admin pages. Create something similar for users as well. That's just an example, but it really all depends on how you set your session.


Thanks schilly, I can do that. I have set Username as a session variable when a user logs in.

So based on that session I can find out the username and whether he has admin access or not.

 

But when I upload it to a website, there will be multiple users accessing the website at the same time. In that case, with only one session, will it be overwritten or something like that?

 

If an admin and a user log in at the same time, then what will the session variable be? Or is the session dependent only on the local system from which the user is accessing?


Each session is assigned to each user. Sessions can be hijacked, but that is another story.

 

It sounds like you don't set the session when the user logs in?

 

Typically when someone logs in you:

- create the session (session_start()) if one hasn't been created already

- put some kind of authentication variable in the session to distinguish the user (i.e. username), as well as any other info you will make use of during that person's visit to your site (first name, access level, etc.)

Now if someone accesses a login-restricted page, we check the session, validate them, then either show the page or redirect them somewhere else.


It sounds like you don't set the session when the user logs in?

 

Typically when someone logs in you:

- create the session (session_start()) if one hasn't been created already

- put some kind of authentication variable in the session to distinguish the user (i.e. username), as well as any other info you will make use of during that person's visit to your site (first name, access level, etc.)

Now if someone accesses a login-restricted page, we check the session, validate them, then either show the page or redirect them somewhere else.

 

Yes, I have set a session once a user logs in, and now I have added a variable access_level to it and check whether the user is admin or not. I have fixed that issue, thanks to you. But my question is: can multiple users log in at the same time and have the same variable $_SESSION['username'] as their session, or will it lead to a clash of sessions when there are multiple users logged in at the same time?


But my question is: can multiple users log in at the same time and have the same variable $_SESSION['username'] as their session, or will it lead to a clash of sessions when there are multiple users logged in at the same time?

 

Yes, multiple users can log in at the same time. Sessions are independent of each other.


<?php
session_start();

// if there is no access level in the session, or they are not an admin,
// send them to the user page before anything is output
if (!isset($_SESSION['access_level']) || $_SESSION['access_level'] != 1) {
    header('Location: user.php');
    exit();
}

 

 

How can I raise an alert box and at the same time redirect the user to his homepage?

Here is the code I tried... it is not raising an alert but is redirecting.

 

<?php
session_start();

if ($_SESSION['access_level'] != "admin")
{
    // this echo sends output to the browser before the header() call below
    echo '<script type="text/javascript">alert("You do not have access to this page")</script>';
    header('Location: ../user/user.php');
    exit();
}

 

If I comment out the header, then it shows me the message box and exits. Is there any method to notify the user that he has no access to this page and then redirect to user.php?


If you use a header redirect, you can't output anything to the browser beforehand.

 

OK... is there any other possible way to achieve what I am trying to do?

A message box or alert that you are not allowed to view this, and then move back to the previous page.

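Putting the pieces of this thread together, as an added example rather than code from any post here: a login handler that sets the session the way schilly describes, an include that every admin page pulls in before any output, and a user.php that shows the refusal message once. Because header() must be sent before any output (the point made just above), the admin include stores the message in the session and redirects, and user.php prints the alert after the redirect. The users table, the lookup_user() helper, the SQLite file and the file paths are all assumptions made for this example.

```php
<?php
// ---- file: login.php (added example, not from the thread) ----
// Assumes a `users` table with columns username, password_hash (created with
// password_hash()) and access_level (1 = admin, 0 = user) in an SQLite file
// site.db; the table, the file and the helper below are all made up here.
session_start();

function lookup_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT username, password_hash, access_level FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db   = new PDO('sqlite:site.db');
$user = lookup_user($db, $_POST['username'] ?? '');

if ($user === null || !password_verify($_POST['password'] ?? '', $user['password_hash'])) {
    header('Location: login.php?error=1');
    exit();
}

// New session id after a successful login, so a session id that existed before
// login (e.g. planted by session fixation) is not the one carrying privileges.
session_regenerate_id(true);
$_SESSION['username']     = $user['username'];
$_SESSION['access_level'] = (int) $user['access_level'];

header('Location: ' . ($_SESSION['access_level'] === 1 ? 'admin/admin.php' : 'user/user.php'));
exit();

// ---- file: admin/require_admin.php (added example) ----
// Every admin page starts with: require __DIR__ . '/require_admin.php';
// Nothing may be echoed before this point, or the header() calls fail.
session_start();

if (!isset($_SESSION['username'])) {
    // not logged in at all
    header('Location: ../login.php');
    exit();
}
if (($_SESSION['access_level'] ?? 0) !== 1) {
    // logged in but not an admin: store a one-shot message, then redirect
    $_SESSION['flash'] = 'You do not have access to this page';
    header('Location: ../user/user.php');
    exit();
}

// ---- file: user/user.php (added example) ----
session_start();
if (!isset($_SESSION['username'])) {
    header('Location: ../login.php');
    exit();
}

$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);   // show the message only once
?>
<!DOCTYPE html>
<html>
<head><title>User home</title></head>
<body>
<?php if ($flash !== null): ?>
<script type="text/javascript">
// json_encode() produces a safe JavaScript string literal from the message
alert(<?php echo json_encode($flash); ?>);
</script>
<?php endif; ?>
<p>Welcome, <?php echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?></p>
</body>
</html>
```

The same include approach works for the user folder with a require_user.php that only checks that the visitor is logged in. Each visitor's browser carries its own session cookie, so the $_SESSION values of one visitor are never visible to another; the check in the include is what keeps a user out of admin/ no matter what is typed into the address bar.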
