
User authentication question

Hi,

I want to make an administration page called admin.php. In order to access this page, a user has to login using a page called login.php. Is there a way to prevent the user from accessing admin.php unless he has logged in? Thanks.

PHP

7 Comments

@NogDogJul 18.2007 — You can use PHP sessions to track the login status, and only display the admin page contents if a specific $_SESSION variable has been set by the login form.
@trivektorauthorJul 18.2007 — What if the user can just access the admin.php page by randomly trying something like www.domain.com/path/admin.php? My question is how to prevent that access? Thanks.
@CrucialJul 19.2007 — As suggested, use PHP sessions to set a session variable - perhaps 'authed_admin' = 1

Then check at the top of admin.php for the existence of the session var.

[code=php]
session_start(); // required first, otherwise $_SESSION is never populated
if (!isset($_SESSION['authed_admin']) || $_SESSION['authed_admin'] != 1) {
header("Location: http://" .$_SERVER['HTTP_HOST']);
exit; // stop the script so nothing below the redirect is sent
} [/code]


There are lots of ways to manage access and authentication so you might search around to find other approaches.
@trivektorauthorJul 19.2007 — Hi,

I tried it but it doesn't work.

This is the code of my login.php page

<html>
<body>
<table id="table1" cellspacing="0" cellpadding="10" border="1" style="border-collapse:collapse;border-color:#ccccff;">
<tr><td><a href="index.html">Home</a></td><td><a href="lunch_register.php">Lunch register</a></td><td><a href="modify.php">Modify/Cancel</a></td><td><a href="visitor.php">Your visitors</a></td><td><a href="survey.html">Survey</a></td><td><a href="faq.html">FAQ</a></td><td><a href="login.php">Administration</a></td><td><a href="contact.php">Contact us</a></td></tr>
</table>
<h3>User authentication</h3>
<form method="post" action="login_process.php">
Username:<br /><input type="text" name="username" size="30" /><br /><br />
Password:<br /><input type="password" name="password" size="30" /><br /><br />
<input type="submit" value="Login" />&nbsp;&nbsp;
<input type="button" value="Forgot password" />
</form>
</body>
</html>

This is my login_process.php:

<?php

session_start();

//session_register("db_is_logged_in");

if (isset($_POST['username']) && isset($_POST['password'])) {

    include 'config.php';
    include 'opendb.php';

    // Escape the submitted values before they are placed in the SQL string
    // (mysql_* is the old MySQL extension this thread uses; it was removed in PHP 7)
    $user = mysql_real_escape_string($_POST['username']);
    $pass = mysql_real_escape_string($_POST['password']);
    // The query must use the variables assigned above ($user/$pass);
    // $username/$password were never defined, so the original query always matched nothing
    $query_auth = "Select * from auth_user where username='$user' and password='$pass'";
    $result = mysql_query($query_auth) or die('authentication failed: '.mysql_error());
    if (mysql_num_rows($result) == 1) {
        $_SESSION['db_is_logged_in'] = true;
        header('Location:admin.php');
        //session_destroy();
        exit;
    }
    else {
        // Nothing may be echoed before header(); a message printed here would
        // also never be seen because of the redirect
        //session_destroy();
        header('Location:login.php');
    }
    include 'closedb.php';

}

?>

This is my admin.php page

<?php

session_start();

//session_register("db_is_logged_in");

// Note: this whole check only runs when a username and password were POSTed,
// so a plain GET of admin.php is never checked (the problem discussed below)
if (isset($_POST['username']) && isset($_POST['password'])) {

    include 'config.php';
    include 'opendb.php';

    $user = mysql_real_escape_string($_POST['username']);
    $pass = mysql_real_escape_string($_POST['password']);
    // Uses $user/$pass, the variables actually assigned above
    $query_auth = "Select * from auth_user where username='$user' and password='$pass'";
    $result = mysql_query($query_auth) or die('authentication failed: '.mysql_error());
    if (mysql_num_rows($result) == 1) {
        $_SESSION['db_is_logged_in'] = true;
        header('Location:admin.php');
        //session_destroy();
        exit;
    }
    else {
        // No output before header()
        //session_destroy();
        header('Location:login.php');
    }
    include 'closedb.php';

}

?>

and this is the logout.php page:

<?php

session_start();

if (isset($_SESSION['db_is_logged_in'])) {

    unset($_SESSION['db_is_logged_in']);

    echo '<b>You have successfully logged out</b><br />';

    echo '<b>You will now be redirected to the home page</b><br />';

    // Single-quoted PHP string, so the double quotes inside the HTML/JS
    // do not end the string (the original double-quoted version was a syntax error)
    echo '<script type="text/javascript">
var url = "index.html";
setTimeout("window.location.href=url", 2*1000);</script>';

}

?>

When I open index.html and click on the admin.php link, it directed me to login.php, which is good. However, I can still access admin.php by tracing the path. Did I do anything wrong?
@CrucialJul 19.2007 — Your admin page does not need the username and password checked - doesn't your login_process handle that?

You only need to set the

$_SESSION['db_is_logged_in'] = true;

once - in your login_process. It doesn't need to be set on every page.

You should set a default of false however.

Before you run the query $query_auth, set the session var to false

$_SESSION['db_is_logged_in'] = false;

If the username and password are correct, set to true as you are doing.

Try this for admin.php
[code=php]
session_start(); //this brings in all session vars
if(empty($_SESSION['db_is_logged_in'])){ //true when the var is unset or false: redirect to logout
header('Location:logout.php');
exit;
}
include 'config.php';
include 'opendb.php';
// include other admin stuff

[/code]


Now, anytime admin.php is requested, you'll get a redirect if db_is_logged_in is not set to true.

In your code, you had this check wrapped in a login query: if the POST['username'] was not set, then your check did not happen. All you need is session_start() and then run your check.
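The pattern Crucial describes (the flag set once by the login handler, checked at the top of every protected page), as an added example that is not from this thread: a `require_login()` helper included by admin.php and any other protected page, plus a login function that sets the flag. It assumes config.php provides a PDO connection in `$pdo` and that `auth_user.password` holds a `password_hash()` value; both are assumptions, not from the original posts.

```php
<?php
// require_login.php (added example, not from the thread).
// Include at the very top of admin.php and every other protected page:
// a request that reaches the page without a logged-in session is
// redirected before any page content is sent.
function require_login(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();               // without this $_SESSION is always empty
    }
    if (empty($_SESSION['db_is_logged_in'])) {
        header('Location: ' . $loginUrl);
        exit;                          // header() alone does not stop the script
    }
}

// login_process.php (added example). Assumes config.php provides a PDO
// connection in $pdo and that auth_user.password holds a password_hash() value.
function process_login(PDO $pdo, string $username, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION['db_is_logged_in'] = false;   // default is "not logged in"

    // Prepared statement: the username is never interpolated into the SQL
    $stmt = $pdo->prepare('SELECT password FROM auth_user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);            // new session id on privilege change
    $_SESSION['db_is_logged_in'] = true;
    return true;
}

// Usage in login_process.php:
// include 'config.php';
// if (process_login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: admin.php');
// } else {
//     header('Location: login.php?error=1');   // never echo before header()
// }
// exit;
```

A page like modify.php that should not require login simply does not include require_login.php; admin.php does, so following a link to it from any page still runs the check.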
@trivektorauthorJul 21.2007 — Hi,

Thanks for the reply. I tried it and changed everything as you suggested. There's still one problem however. I have another page called modify.php, if I click on that page, do some stuff, and then click on the link to admin.php, the administration page still shows up without asking for login. Do you know how to fix this? Thanks.
@CrucialJul 23.2007 — Hi trivektor,

This should only happen if a login has already been successfully checked. Why would you want to ask someone to login over and over each time they request to view admin.php? Isn't once per session enough?

If they haven't logged in successfully, admin.php should send them to logout.php.

Some resources for further info

http://us.php.net/session

http://www.w3schools.com/php/php_sessions.asp

http://www.sitepoint.com/article/users-php-sessions-mysql

http://www.oreilly.com/catalog/webdbapps/chapter/ch08.html