Help with login function and redirecting


heggenes


I have this code shown below. And I want to redirect ADMIN to one specific page and all others to another page. I can't figure it out. Please help.

```php
<?php
if ($session->logged_in) {
    echo '<h1>Logged In</h1>';
    echo "Welcome <b>$session->username</b>, you are logged in. <br><br>"
        ."[<a href=\"login/userinfo.php?user=$session->username\">My Account</a>]   "
        ."[<a href=\"login/useredit.php\">Edit Account</a>]   ";
    if ($session->isAdmin()) {
        echo "[<a href=\"login/admin/admin.php\">Admin Center</a>]   ";
    }
    echo "[<a href=\"login/process.php\">Logout</a>]";
}
else {
?>
<?php
} // closes the else branch (the remainder of the posted file is not shown)
```


Sorry, it's unclear what you're asking. If you're looking to redirect to a different page, try using header redirects:

http://php.net/manual/en/function.header.php

 

Just be sure to use the header() function before any output to the screen.

 

 

If you're looking for something else, please describe the issue a little further. Are you getting errors? If so, what are the exact errors? If you post more code, please surround it with


tags. This makes the code and your post easier to read. :)


Taking CyberRobot's suggestion one step further, I think you want something like this:

```php
<?php
if ($session->logged_in) {
/*  echo '<h1>Logged In</h1>'; We commented this out because we can't have output before a header
*
*   echo "Welcome <b>$session->username</b>, you are logged in. <br><br>"
*       ."[<a href=\"login/userinfo.php?user=$session->username\">My Account</a>]   "
*       ."[<a href=\"login/useredit.php\">Edit Account</a>]   ";
*/
    if ($session->isAdmin()) {
        header("Location: http://mydomain.com/login/admin/admin.php");
    } else {
        header("Location: http://mydomaind.com/normaluserwelcomepage.php");
    }
    exit; // stop here: a Location header alone does not stop the rest of the script from running
}
else {
?>
<?php
} // closes the else branch (the remainder of the file is not shown)
```
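The redirect-after-login idea from the two replies above, written out as an added example that is not from the thread. It assumes the same `$session` object (`logged_in`, `isAdmin()`) as the original post and a configured `BASE_URL`; the target is chosen from a fixed list and the script exits after sending the header, so output cannot leak and the value can never become an open redirect.

```php
<?php
// Added example: pick a landing page by role and redirect safely.
// Assumed: a $session with logged_in and isAdmin(), and a fixed site base URL.
const BASE_URL = 'https://mydomain.com'; // placeholder; never built from the Host header

/**
 * Send a redirect and stop the script. Without exit, everything after the
 * header() call would still run and could still emit output.
 * Only paths from the allow-list are accepted, so a tampered value cannot
 * redirect the browser to another host.
 */
function redirectTo(string $path): void
{
    $allowed = [
        '/login/admin/admin.php',
        '/normaluserwelcomepage.php',
        '/login.php',
    ];
    if (!in_array($path, $allowed, true)) {
        http_response_code(500);
        exit('Refusing redirect to an unknown location');
    }
    if (headers_sent($file, $line)) {
        // Any echo, or a stray byte before <?php, makes the redirect impossible;
        // surface that instead of silently rendering the rest of the page.
        exit("Cannot redirect: output already started in $file on line $line");
    }
    header('Location: ' . BASE_URL . $path, true, 303);
    exit;
}

function landingPageFor($session): string
{
    if (!$session->logged_in) {
        return '/login.php';
    }
    // The role decides where to send the browser. The admin page must still
    // re-check isAdmin() itself: a redirect is only a hint to the client.
    return $session->isAdmin() ? '/login/admin/admin.php' : '/normaluserwelcomepage.php';
}

redirectTo(landingPageFor($session));
```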

That's dumb. Be smart; try this:

```php
<?php
if (isset($session) && get_class($session) === 'yourSessionClass' && $session->isAuth()) {
    require ($session->isAdmin() ? '../login/admin/admin.php' : '../normaluserwelcomepage.php');
}
```

 

You don't want admin.php and normaluserwelcomepage.php to be in your webserver's document root, or you want to make sure you protect them with htaccess and "require all denied" on everything (.*)\.php except your index.php page.


lol.  then:

 

1. You don't have to comment anything out, and you can show who the user is and that they are logged in all with the same lines of code.

2. You're not adding extra load on your webserver by doing unnecessary redirects.

3. You don't have to do an is logged in and isAdmin() check in your admin.php file.

4. You don't have to do an is logged in and not isAdmin() check in your normaluser.php file.

5. You won't have to change those checks allllllllll over the frickin' place if you decide to change how you handle authorizing and validating permissions.

6. NO ONE CAN JUST POINT THEIR BROWSER TO http://mydomain.com/login/admin/admin.php NOR http://mydomaind.com/normaluserwelcomepage.php when you configure your http server properly.

 

Are you convinced?

Edited by objnoob

Let me disagree without saying "That's dumb."

I assume that the OP is not doing redirects on every page; he is only doing so immediately after checking the login. Using htaccess as the login mechanism often means that you need to keep two user databases, because you may want to store lots of information about each user that is impractical to store in .htaccess and change the behavior of the website based on that information. Rather than having two separate user databases (one in htaccess and one in some SQL database) that both need to be updated every time you add/delete/change a username or password, use one database and use $_SESSION to keep track of who's logged in. Not to mention that the method of using htaccess breaks down when you have a more complex permission structure. Sure, it works with two directories when you have Admin users and Normal users, but then (as an example) try to give some admins permission to delete posts but not others... Very soon you end up with a very complex set of htaccess files.


No one said to use .htpasswd to password protect them. Most, if not all, of your .php scripts except an index should be non-accessible through HTTP.

The only script that should be accessible is your index.php page.   When it is called, you use PHP to include other non-accessible scripts for execution at your discretion.

 

If you don't have access to httpd.conf, one way to protect them is to create a directory ./private and throw a .htaccess in there that denies all.

This will prevent someone from pointing to mysite.com/private with a 403 forbidding them.

 

In your private directory, you keep all of your application scripts.  In your public directory you keep index.php and any assets such as javascript and stylesheets, and images.

 

Since index.php is publicly accessible, I also advise you to create a PHP script that handles the main bootstrapping in your private directory.

 

./public/index.php

Keep the code out of index.php since it's publicly accessible:

```php
<?php
require '../private/main.php';
```

./private/main.php

The site's bootstrapper that laces everything together. This is where you should check if a user is logged in and has authorization to access a page before including it.

```php
<?php
/* here is our main application script (bootstrapper)
   it will do the necessary prepping. It will handle connecting to the database, setting up your sessions
   it will see which pages we need to include based on parameters sent with the request
*/
// ... database connection and $session setup go here ...

$page = isset($_GET['page']) ? $_GET['page'] : '';
switch ($page) {
    case 'contact': $script = 'contact.php'; break; # script that handles the contact form and processing of the form
    case 'auth':    $script = 'auth.php';    break; # script that handles logging in and out
    case 'admin':
        // WOAH lets make sure they are allowed!! if not include the denied.php script that shows they are denied.
        if (! $session->authUser->isAdmin()) {
            $script = 'denied.php';
        } else {
            $script = 'admin.php';
        }
        break;
    default:
        header('HTTP/1.0 404 Not Found');
        exit;
}
require __DIR__ . '/' . $script;   # require the script for the appropriate page (path relative to this file, not the cwd)
```

There's nothing complex about this. :)

Edited by objnoob
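A table-driven version of the gatekeeper above, added here as an example and not objnoob's code. It assumes `$session->authUser` exposes `isAdmin()` and that the page scripts sit next to `main.php` in `./private`; every page carries the role it needs, unknown pages get a 404, and the request value is only ever used as a lookup key, never as part of a file path.

```php
<?php
// Added example: role-checked routing for the private/main.php bootstrapper.
// Assumed: $session has been set up above this point, as in the original post.

// Page name -> script and the minimum role allowed to run it. Nothing outside
// this table can be reached, however the ?page= value is crafted.
const ROUTES = [
    'home'    => ['script' => 'home.php',    'role' => 'guest'],
    'contact' => ['script' => 'contact.php', 'role' => 'guest'],
    'auth'    => ['script' => 'auth.php',    'role' => 'guest'],
    'account' => ['script' => 'account.php', 'role' => 'user'],
    'admin'   => ['script' => 'admin.php',   'role' => 'admin'],
];

function roleOf($session): string
{
    if (!isset($session->authUser)) {
        return 'guest';
    }
    return $session->authUser->isAdmin() ? 'admin' : 'user';
}

// Returns the HTTP status to send and the script to include (null = nothing).
function resolveScript(string $page, string $role): array
{
    // Lookup only: "../" or a raw filename in ?page= simply misses the table.
    if (!isset(ROUTES[$page])) {
        return ['status' => 404, 'script' => null];
    }
    $rank = ['guest' => 0, 'user' => 1, 'admin' => 2];
    if ($rank[$role] < $rank[ROUTES[$page]['role']]) {
        return ['status' => 403, 'script' => 'denied.php'];
    }
    return ['status' => 200, 'script' => ROUTES[$page]['script']];
}

$page  = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$route = resolveScript($page, roleOf($session));

if ($route['script'] === null) {
    http_response_code(404);
    exit('Not Found');
}
http_response_code($route['status']);
require __DIR__ . '/' . $route['script'];
```

Adding a page means adding one table row with its role, so the authorization decision stays in one place instead of being repeated in each script or spread across a growing switch.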

Your method is better than I thought but I still don't like it. There are a number of reasons why.

 

1. Looks to me like you end up with a lot of URLs like http://mydomain.com/index.php?page=contact. The URL is not very search engine friendly. You can get around that with rewrite rules, but that adds yet more complexity.

 

2. You then have a switch/case with a case for every page in the website. That is unwieldy in a larger site and gives you more opportunities to make errors. And you embed the security logic in a switch/case statement that could easily get more than 1,000 lines long. In your example code, you've got 14 lines (not including blank lines and comments) in a script handling just login, contact, and admin.

 

I prefer to use an include at the top of each script that does the db connections, session setup, and then check permissions for that script before execution.

 

I'm sure that there are sites where your approach makes sense, but I know it is not the optimal solution in every case. To claim that using another approach is "dumb" is a bit much.


This approach makes sense for everything!  Couple this gatekeeping pattern with the MVC pattern and use a router that decides which controller to load and you eliminate the switch statement.

The idea here is every page request is handled by the same gatekeeper/bootstrapper. You'll never forget to include what's needed on every page. The bootstrapper can set up and use shared template sections.

 

Your scripts are not accessible over HTTP; if you barf something up, the most PHP source code you'll ever serve up is <?php require './private/main.php';

No other remote scripts will ever be able to call your scripts directly.
