Restrict Access To Page() Behaviour Problem!


anb_newbie

Hi there,

I'm trying to make a backend for a website I'm working on so that the owner can update the info easily. I have created a login.php file which checks for the right username and password, which is working fine.

<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
    session_start();
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
    $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}
if (isset($_POST['username'])) {
    $loginUsername = $_POST['username'];
    $password = $_POST['password'];
    $MM_fldUserAuthorization = "";
    $MM_redirectLoginSuccess = "myadminpage.html";
    $MM_redirectLoginFailed = "login.php";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_claudechalhoubconx, $claudechalhoubconx);

    $LoginRS__query = sprintf("SELECT username, password FROM admins WHERE username=%s AND password=%s",
        GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

    $LoginRS = mysql_query($LoginRS__query, $claudechalhoubconx) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = "";

        if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
        //declare two session variables and assign them
        $_SESSION['MM_Username'] = $loginUsername;
        $_SESSION['MM_UserGroup'] = $loginStrGroup;
        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        header("Location: " . $MM_redirectLoginSuccess );
    }
    else {
        header("Location: ". $MM_redirectLoginFailed );
    }
}
?>

 

If the user logs in successfully, he is taken to myadminpage.html where he gets to pick what to update (videos, press articles, etc.). For example, if he chooses videos, he is taken to the updatevideos.php page where he can view/add/delete/modify videos, etc. Note that I have not included any session checks in myadminpage.html.

All was working properly until I added the Restrict Access to Page() behaviour to all the update pages. Note that I've been working in Dreamweaver CS5. In this behaviour, if the user doesn't have access to this page, he should be directed back to the login page. Otherwise, he goes to updatevideos.php (for example).

The problem is, even after a successful login and getting to myadminpage.html, I click on videos (for example) and instead of getting to the update videos page, I am going back to the login page. I am guessing something is going wrong with the session variable.

 

The following is the code on the updatevideos.php. (I have pasted above the code of the login.php. I have no code for session variables on myadminpage.html (in case that could be causing the problem)).

<?php
if (!isset($_SESSION)) {
    session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
    // For security, start by assuming the visitor is NOT authorized.
    $isValid = False;
    // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
    // Therefore, we know that a user is NOT logged in if that Session variable is blank.
    if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
            $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
            $isValid = true;
        }
        if (($strUsers == "") && true) {
            $isValid = true;
        }
    }
    return $isValid;
}
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
    $MM_qsChar = "?";
    $MM_referrer = $_SERVER['PHP_SELF'];
    if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
    if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
        $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
    $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
    header("Location: ". $MM_restrictGoTo);
    exit;
}
?>

Any help is greatly appreciated! Thanks in advance.


if(!$_SESSION) {
session_start();
}

 

session_start(); should be the first thing you put in the script. Because you aren't starting the session, it will never say that there's a session, which makes that line invalid and allows a user to bypass it every time.

 

function isAuthorized($strUsers,$strGroups,$UserName,$UserGroup){

 

Where are you getting those variables?

Edited by ExtremeGaming
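
An added example, not part of either post and not Dreamweaver's generated code: one shared guard that starts the session before any output, logs the spot where early output would stop the session cookie from being set, and restricts the accesscheck return address to same-site paths. The file name require_login.php and the function names are hypothetical, and PHP 7 or later is assumed; the session keys and the accesscheck parameter are the ones from the posted code.

```php
<?php
// require_login.php (hypothetical file name): include it as the first statement
// of every protected page, e.g. updatevideos.php. Added example, not from the thread.

// Accept only a same-site absolute path such as "/updatevideos.php?id=3".
// Anything else (full URLs, "//host", backslashes, control bytes) yields $default.
function safe_local_path(string $target, string $default): string
{
    $ok = preg_match('#^/[^/\\\\]#', $target) === 1
        && preg_match('#[\\\\\x00-\x1f]#', $target) === 0;
    return $ok ? $target : $default;
}

function require_login(string $loginPage = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Output sent before this point (whitespace or a BOM ahead of the opening
        // PHP tag, an echo in an include) means the session cookie header can no
        // longer be sent, so log where that output started.
        if (headers_sent($file, $line)) {
            error_log("session started too late, output began at $file:$line");
        }
        session_start();
    }
    if (!empty($_SESSION['MM_Username'])) {
        return; // logged in: let the page continue
    }
    // Same "accesscheck" parameter the generated code uses for the return address.
    $back = safe_local_path($_SERVER['REQUEST_URI'] ?? '', '/');
    header('Location: ' . $loginPage . '?accesscheck=' . urlencode($back));
    exit; // never fall through into the protected page body
}

// login.php side: validate the return address before storing it in the session.
function remember_return_path(array $get, array &$session, string $default): void
{
    if (isset($get['accesscheck']) && is_string($get['accesscheck'])) {
        $session['PrevUrl'] = safe_local_path($get['accesscheck'], $default);
    }
}
```

Each update page would call require_login(); immediately after including this file, and login.php would call remember_return_path($_GET, $_SESSION, '/myadminpage.html'); after its own session_start(). A page served as plain .html is normally not run through PHP at all, so a guard like this only protects .php pages.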