How to stop access to any page



Nirbhay
09-11-2009, 11:39 AM
Hi All,

I am working on a tool wherein there are different modules. After giving the username and password, the user is redirected to the Home page, where he has different modules in a drop-down menu.
Now the problem is that if the user does not enter the username and password on the login page and instead just types the name of the file directly, it opens that page. Though the menu is not visible there, any unauthorized user can still get access to the page.

Can anyone tell me how I can restrict any unauthorized user from getting access to the tool? My requirement is that if the username and password are not given on the login page and somebody tries to directly access any page, it should always redirect to the login page.

I will be very thankful for any kind of suggestion or help.

Phil Jackson
09-11-2009, 11:43 AM
This is one way, but only as a backup. Are you using sessions?



if(preg_match("#^http\:\/\/localhost\/www\.cms\.actwebdesigns\.co\.uk\/logged\.php\?state=body\&pg=(?:[0-9]|[a-z]){32}\#*$#is", $_SERVER['HTTP_REFERER']))


basically saying, if you didn't come from a certain page, get lost!

DDaku
09-11-2009, 02:00 PM
The quick & dirty process is:


1. On each page, check for the existence of a session var or cookie that says the user's logged in
2. If they're not logged in, redirect them to the login page
3. On the login page, if they enter a correct name/pass, set the appropriate cookie or session variable

Coyote6
09-11-2009, 10:37 PM
This is one way, but only as a backup. Are you using sessions?



if(preg_match("#^http\:\/\/localhost\/www\.cms\.actwebdesigns\.co\.uk\/logged\.php\?state=body\&pg=(?:[0-9]|[a-z]){32}\#*$#is", $_SERVER['HTTP_REFERER']))


basically saying, if you didn't come from a certain page, get lost!

This will only work for the first page they visit after the login page though. So I would recommend what DDaku said and I guess PJ was going to get to if you are using sessions. Check for a session value that you set. I would recommend something other than just user_id or anything that is just a number because someone may be able to guess at that. Maybe use something that is hard to guess along with the user id.



// Requires session_start() earlier on the page. The mysql_* functions were removed in PHP 7; use mysqli or PDO there.
// Check to see if the session info is set.
if ((isset ($_SESSION['user_id'])) && (isset ($_SESSION['user_code'])) && ($_SESSION['user_id'] != '') && ($_SESSION['user_code'])) {
    // Check to make sure the user info is valid. Cast and escape the values before they go into the query.
    $user_id = (int) $_SESSION['user_id'];
    $user_code = mysql_real_escape_string ($_SESSION['user_code']);
    $q = "SELECT user_id FROM Users WHERE user_id=$user_id AND user_code='$user_code'";
    $r = mysql_query ($q);
    // Make sure the query succeeded and only one result is returned.
    if (!$r || mysql_num_rows ($r) != 1) {
        // User is not a unique valid user. May even take them to a 403 unauthorized page if they do this.
        header ('Location: ' . $link_to_login_page);
        exit();
    }
}
else {
    // User is not logged in.
    header ('Location: ' . $link_to_login_page);
    exit();
}

Nirbhay
09-15-2009, 11:43 AM
Hi All,

Thanks for the response.

I have tried using this, but it is working only in the case when I clear the cookies; it is not working when I am logging out.

In the logout.php page the code is like:

unset($_SESSION['BIG_ARR1']);
session_unregister('BIG_ARR1');
unset($_SESSION['BIG_ARR2']);
session_unregister('BIG_ARR2');
unset($_SESSION['BIG_ARR3']);
unset($_SESSION['BIG_ARR4']);
unset($_SESSION['menu']);


Where $_SESSION['BIG_ARR1'] is the session array with the concept of serialize. In the logout page I am destroying all such sessions; still, after logging out, if the user just copy-pastes the URL, it opens that page.

I am still not able to restrict the user from getting access to the page, which should have been restricted once the user has logged out.

I will be very thankful for any kind of help.

DDaku
09-15-2009, 03:34 PM
At the very top of your restricted page, you should have something along the lines of:



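session_start(); // must run before $_SESSION is read
if (!isset($_SESSION["BIG_ARR1"])) {
    header("Location: login.php");
    exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}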


Which will check for the existence of a session ("BIG_ARR1") which you should set when logging in, and destroy when logging out. If the session is NOT (!) set, PHP will perform a header-redirect to login.php, preventing the user from seeing the originally requested page.

There are a lot of other variations, but that's the general idea.

Are you trying something like this and running into a specific error?

Nirbhay
09-16-2009, 09:16 AM
Ya, I am doing the same, but still after logging out I am getting access to each page, but when I am clearing the cookies then it is working fine.

Coyote6
09-16-2009, 07:23 PM
Use session_destroy to empty out all of your sessions.

http://us2.php.net/session_destroy
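
Added example, not part of the original thread: one way to put the advice above together, with a guard called at the top of every restricted page and a logout that clears the session data, expires the session cookie and destroys the server-side session. The file name auth.php, the function names and the login.php URL are assumptions.

```php
<?php
// auth.php (hypothetical file name): include this before any output on every page.

// Start the session only once; $_SESSION is empty until this has run.
function start_session(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call only after the submitted username/password have been verified.
function log_in(int $userId): void {
    start_session();
    session_regenerate_id(true);   // issue a fresh session id at login
    $_SESSION['user_id'] = $userId;
}

// Guard for restricted pages: send anyone without a login marker to the login page.
function require_login(string $loginUrl = 'login.php'): void {
    start_session();
    if (empty($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl);
        exit;   // without exit the restricted page is still generated and sent
    }
}

// Logout: remove the data, expire the browser's session cookie, destroy the session.
function log_out(string $loginUrl = 'login.php'): void {
    start_session();               // the session must be open before it can be cleared
    $_SESSION = [];                // drop every session variable in one step
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();             // delete the server-side session data
    header('Location: ' . $loginUrl);
    exit;
}
```

A restricted page calls require_login() as its first statement, and logout.php calls log_out().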


