protecting web site, strategy help

[sasori]

Hi,

 

I was asked to create an app, wherein, the user may enter the email addresses of people manually, and it auto generates a random key.

now this key will be used access such pages e.g

 

proposal.test.com/ppc

proposal.test.com/seo

proposal.test.com/design

 

so using the key for example =>  Sa22asdf 

it should appear like this

 

proposal.test.com/ppc/Sa22asdf

proposal.test.com/seo/Sa22asdf

proposal.test.com/design/Sa22asdf

 

 

without the unique key generated during the input of email address, the URL mentioned shouldn't be accessed by anyone..

now my question is, how to approach this thing in PHP ?

 

I have done the input for email address and generation of random keys., but i don't know yet what to do or how to do the

securing of pages using those keys  ? 

[codefossa]

If you wanna be sure they put in an email and that's the correct link, you could just add the key to $_SESSION and compare it.  I don't know if I fully understand though, because no matter what email they entered, they would be able to view the page, unless you have email validation.  Also, if you want to save it past their session, you'd want to use SQL.

[the182guy]

Store the keys with the emails in a db then when the page is viewed check the key in the query strut against the db.

[sasori]

ok let me explain how the system works

 

the app that i created is at e.g

proposals.test.com/admin/

- this app is solely made for one person only, because he wanted to input email addresses of people manually by himself

- this app currently allows him to login as admin and input email addresses, once an email address was input and the form

was submitted, a random generated key is  also saved together with that email address.

 

 

now, those URL that I mentioned at my first post,

how will I approach the access of those pages?

how to check if user did has an existing and matching key from the database ?

because each unknown end user can just  type in the url to the browser bar e.g

 

proposals.test.com/seo/blahblah  <-- what if blahblah doesn't exist in db? he'll be able to see the page..

so what to do now?

[litebearer]

Since we have yet to see any of your code, here is some logic to consider...

 

page 1 -

  form used to login - username / password

  form posts to page 2

 

page 2 -

start sessions

check to see that form was submitted - if not - back to page 1

cleanse form data - if bad - back to page 1

check data base to see if form data has a match

if not - back to page 1

if yes - set session variable

direct to first secure page

 

pages 3 thru ***  (all secure pages)

start sessions

validate session variable

if bad - redirect to page 1

if good - display content

 

 

[sasori]

the 3 sample urls that i gave aren't meant to be connected to the  app that i created,

they were meant to be distributed to people, manually, like let's say

i'm the owner of the app that was build, then I input email addresses, if i want to send something to

one of the email addresses, I'll get the e.g proposal.test.com/seo and append the key to this url and send it to email.