
Hi Freaks,

I have an admin area to a project I'm working on. No links show up for it anywhere on the site if the logged in user isn't an 'admin'.

But I realized that it can still be accessed through the URL. Any guidance on the correct, most secure methods to disallow this? Thanks

Edited by TechnoDiver

The best way to do that is to have a login to the secure area. Here's an example from my website -

 

<?php
// Top of an admin-only page: both checks run before any output is sent.
// config.php is expected to have started the session, since $_SESSION is used below.
require_once "../assets/config/config.php";
require_once "../vendor/autoload.php";

use PhotoTech\Resize;
use PhotoTech\CMS;
use PhotoTech\Login;

// Is there a valid, non-expired login at all?
Login::is_login($_SESSION['last_login']);

// Does the logged-in user hold the role required for this area?
Login::securityCheck();

and the class that checks it (an excerpt from the Login class):

    public function __construct($args = [])
    {
        static::$searchItem = 'username';
        static::$searchValue = htmlspecialchars($args['username']);
        $this->password = htmlspecialchars($args['hashed_password']);
    }

    // Look up the username of the currently logged-in user by the id stored in the session.
    public static function username()
    {
        static::$searchItem = 'id';
        static::$searchValue = $_SESSION['id'];
        $sql = "SELECT username FROM " . static::$table . " WHERE id = :id LIMIT 1";
        $user = static::fetch_by_column_name($sql);
        return $user['username'];
    }

    public static function full_name(): string
    {
        static::$searchItem = 'id';
        static::$searchValue = $_SESSION['id'];
        $sql = "SELECT first_name, last_name FROM " . static::$table . " WHERE id = :id LIMIT 1";
        $user = static::fetch_by_column_name($sql);

        return $user['first_name'] . " " . $user['last_name'];
    }

    // Gate for admin pages: the role is re-read from the database on every
    // request, not trusted from the session. If there is no session id, the
    // query matches nothing and the comparison fails, so the check fails closed.
    public static function securityCheck()
    {
        static::$searchItem = "id";
        static::$searchValue = $_SESSION['id'];
        $sql = "SELECT security FROM " . static::$table . " WHERE id = :id LIMIT 1";
        $result = static::fetch_by_column_name($sql);
        /*
         * Only Sysop privileges are allowed.
         */
        if ($result['security'] !== 'sysop') {
            header("Location: ../game.php");
            exit();
        }

    }

// more code.....

It's my own personal website and I'm no security "expert", but I feel it is pretty secure in what I do. Something like that will keep people from accessing those pages.

Yeah, I thought about going down that road, but I'm not sure it's the way that I want to go. There's already a login and registration form, and I have users' 'roles' saved in the database. I'm looking for some direction on users just logging in normally and having access dependent on their role (security clearance, so to speak). I have that, except for the URL vulnerability, and was looking for a different way. Do you happen to have any different ideas I can look into?

You can have a single login system with roles if you want: just have a role that enables access to the admin section of the site, and if either no user is logged in or the current user does not have that role, then redirect them to the login page.
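The gate that both replies describe (the securityCheck() above and the single-login-with-roles approach here) as one complete, added example. This is my code, not either poster's project; it assumes a `users` table with `id`, `username` and `role` columns, that the login script stores the user's id in `$_SESSION['user_id']` after calling `session_regenerate_id(true)`, and that the `pdo_sqlite` extension is present for the command-line self-check at the bottom. The file, function and constant names are illustrative.

```php
<?php
// admin_guard.php
// Added example for this thread, not code from either poster's project.
// Assumptions (mine, not the thread's): a `users` table with columns
// id, username, role; the login script stores the user's id in
// $_SESSION['user_id'] (after session_regenerate_id(true)); the
// pdo_sqlite extension is available for the CLI self-check at the bottom.
declare(strict_types=1);

const ADMIN_ROLE = 'admin';

// Fetch the logged-in user's current role from the database on every
// request. A role copied into the session at login time would go stale:
// a demoted or banned admin would keep admin access until the session died.
function current_user(PDO $pdo, array $session): ?array
{
    if (!isset($session['user_id'])) {
        return null;                        // nobody logged in
    }
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE id = :id LIMIT 1');
    $stmt->execute([':id' => (int) $session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;    // null: stale session for a deleted user
}

// Pure decision: 'ok', 'login' (nobody or unknown user) or 'forbidden' (wrong role).
// Kept free of side effects so it can be tested without a web server.
function authorize(?array $user, string $requiredRole): string
{
    if ($user === null) {
        return 'login';
    }
    return $user['role'] === $requiredRole ? 'ok' : 'forbidden';
}

// Call this at the very top of every admin script, before any output.
// Hiding the admin links in the menu is not access control; this check is.
function require_role(PDO $pdo, string $requiredRole, string $loginUrl = '/login.php'): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $user = current_user($pdo, $_SESSION);
    switch (authorize($user, $requiredRole)) {
        case 'login':
            session_unset();
            session_destroy();
            header('Location: ' . $loginUrl, true, 303);
            exit;
        case 'forbidden':
            // Logged in but not allowed here: a 403 rather than a redirect to
            // the login page, which would only confuse a valid user.
            http_response_code(403);
            exit('Forbidden');
    }
    return $user;
}

// Usage in admin/index.php (assumed file name):
//   require_once __DIR__ . '/../admin_guard.php';
//   $admin = require_role($pdo, ADMIN_ROLE);   // $pdo comes from your config
//   echo 'Hello ' . htmlspecialchars($admin['username']);

// Self-check when run from the command line, against constructed sample data.
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");

    $cases = [
        [[],                'login'],      // no session at all
        [['user_id' => 2],  'forbidden'],  // ordinary user typing the admin URL
        [['user_id' => 1],  'ok'],         // admin
        [['user_id' => 99], 'login'],      // session for a deleted account
    ];
    foreach ($cases as [$session, $expected]) {
        $got = authorize(current_user($pdo, $session), ADMIN_ROLE);
        if ($got !== $expected) {
            throw new RuntimeException("expected $expected, got $got");
        }
    }
    echo "all guard checks passed\n";
}
```

Running `php admin_guard.php` exercises the four cases. The one design choice that differs from the reply above is the split between "not logged in" (redirect to login) and "logged in without the role" (403): redirecting an already-authenticated user back to the login form tells them nothing useful. Either way the decision is made server-side on every admin request, which is what closes the direct-URL hole.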
