TechnoDiver Posted August 19, 2021 (edited)

Hi Freaks, I have an admin area to a project I'm working on. No links show up for it anywhere on the site if the logged-in user isn't an 'admin'. But I realized that it can still be accessed through the URL. Any guidance on the correct, most secure methods to disallow this? Thanks

Edited August 19, 2021 by TechnoDiver
Strider64 Posted August 19, 2021

The best way to do that is to have a login to the secure area. Here's an example from my website:

```php
<?php
require_once "../assets/config/config.php";
require_once "../vendor/autoload.php";

use PhotoTech\Resize;
use PhotoTech\CMS;
use PhotoTech\Login;

Login::is_login($_SESSION['last_login']);
Login::securityCheck();
```

and the class that checks it:

```php
public function __construct($args = [])
{
    static::$searchItem  = 'username';
    static::$searchValue = htmlspecialchars($args['username']);
    $this->password      = htmlspecialchars($args['hashed_password']);
}

public static function username()
{
    static::$searchItem  = 'id';
    static::$searchValue = $_SESSION['id'];
    $sql  = "SELECT username FROM " . static::$table . " WHERE id = :id LIMIT 1";
    $user = static::fetch_by_column_name($sql);
    return $user['username'];
}

public static function full_name(): string
{
    static::$searchItem  = 'id';
    static::$searchValue = $_SESSION['id'];
    $sql  = "SELECT first_name, last_name FROM " . static::$table . " WHERE id =:id LIMIT 1";
    $user = static::fetch_by_column_name($sql);
    return $user['first_name'] . " " . $user['last_name'];
}

public static function securityCheck(): void
{
    static::$searchItem  = "id";
    // A request with no session id at all must not reach the query.
    static::$searchValue = $_SESSION['id'] ?? null;
    $sql    = "SELECT security FROM " . static::$table . " WHERE id=:id LIMIT 1";
    $result = static::$searchValue === null ? false : static::fetch_by_column_name($sql);

    /*
     * Only Sysop privileges are allowed.
     * A missing session, an unknown id, or any other security level
     * falls through to the redirect.
     */
    if ($result === false || ($result['security'] ?? null) !== 'sysop') {
        header("Location: ../game.php");
        exit();
    }
}

// more code.....
```

It's my own personal website and I'm no security "expert", but I feel it's pretty secure in what I do. Something like that will keep people from accessing those pages.
TechnoDiver Posted August 19, 2021 (Author)

Yea, I thought about going down that road but I'm not sure it's the way that I want to go. There's already a login and registration form and I have users' 'roles' saved in the database. I'm looking for some direction on users just logging in normally and having access dependent on their role (security clearance, so to speak). And I have that except for the URL vulnerability and was looking for a different way. Do you happen to have different ideas I can look into?
kicken Posted August 20, 2021

You can have a single login system with roles if you want, just have a role that enables access to the admin section of the site and if either no user is logged in or the current user does not have that role then redirect them to the login page.
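The guard kicken describes, written out as an added example (not code from anyone in this thread). It assumes a PDO connection `$pdo` created by your config file, a `users` table with `id` and `role` columns, and that login stores the user's id in `$_SESSION['user_id']`; the role is re-read from the database on every request so that hiding the links is never what protects the admin pages.

```php
<?php
// admin_guard.php (hypothetical name): include at the top of every admin
// page, before any output is sent. Added example, not code from the thread.
declare(strict_types=1);

/**
 * Abort the request unless the session belongs to a user whose current
 * database role equals $requiredRole. Re-reading the role per request
 * means revoking admin takes effect immediately, instead of lingering in
 * a copy stored in the session at login time.
 *
 * Assumes a users table with columns id and role (adjust to your schema).
 */
function require_role(PDO $pdo, string $requiredRole, string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Nobody logged in: send them to the login page and stop rendering.
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 302);
        exit;
    }

    // Logged in: check the role server-side with a prepared statement.
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = :id LIMIT 1');
    $stmt->execute([':id' => (int) $_SESSION['user_id']]);
    $role = $stmt->fetchColumn();

    // Unknown user (deleted since login) or wrong role: refuse with a 403
    // rather than a silent redirect, so probes of admin URLs by ordinary
    // accounts show up clearly in the access log.
    if ($role === false || $role !== $requiredRole) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of e.g. admin/index.php (assumes config.php creates $pdo):
// require_once __DIR__ . '/../config.php';
// require_once __DIR__ . '/admin_guard.php';
// require_role($pdo, 'admin');
```

Every file under the admin directory needs the call, since a page that forgets it is exactly the URL-only access the original question describes; for anything rendered by a front controller, put the call once in the controller before dispatching to admin routes.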