
Thread: login breach

  1. #1 adamschroeder (SitePoint Enthusiast, joined Mar 2011)

    login breach

    I have this login code that directs "civilians" to a certain page and "hosts" to a different page. Now the log-in part works. But if I log in as "civilian" and then change the URL to the host page (ciubab.com/host.php) I am able to access it, which is something I cannot allow.

    So how do I block "civilians" from entering a page only for hosts?

    I tried using a while loop in the host page to block civilians but that didn't work. I tried reading about sessions and security but I haven't found anything similar.
    Can someone help me?


    login code: I only published the relevant part.
    PHP Code:
    <?php
    // session_start() must run before anything is written to $_SESSION
    session_start();

    if ($username == $dbusername && md5($password) == $dbpassword) {
        if ($who == 'host') {
            // only the username is stored; the role ($who) is not kept in the session
            $_SESSION['username'] = $username;
            header("Location: http://ciubab.com/host.php");
            exit; // stop the script so nothing after the redirect is executed
        }
        if ($who == 'civilian') {
            $_SESSION['username'] = $username;
            header("Location: http://ciubab.com/civilian.php");
            exit;
        }
    }
    ?>

  2. #2 adamschroeder (SitePoint Enthusiast, joined Mar 2011)
    Ok, I solved it finally.
    I just had to add $_SESSION['who']=$who; to the login page,
    and then I added another piece of code into my host and civilian page and it worked.
    The code I added was:

    // session_start() has to be called earlier on the page for $_SESSION to be populated
    if ($_SESSION['who'] != 'host') {
        session_destroy();
        header('Location: http://ciubab.com/mustlogin.php');
        exit(); // stop rendering the host-only content
    }

    Hopefully this can help other beginners.

  3. #3 webdesignhouston (SitePoint Enthusiast, joined Dec 2010)
    Good to hear that you've solved it. Remember that you should check login/permissions on every relevant page. Otherwise users can bypass the login using bookmarks, by directly typing the url in the browser address bar, by emailing private links to another person, by extracting interesting urls from website log files and so on.
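The fix in post #2 and the advice in post #3 boil down to one rule: the role lives only in server-side session state, and every protected page checks it before rendering anything. The block below is an added example (not the original poster's code) that packages that rule as a reusable guard. It assumes a hypothetical auth.php included by every page, a PDO connection $pdo to a hypothetical users table with columns username, password_hash and role, and the host.php / civilian.php / mustlogin.php pages named in the thread. It also replaces the md5() comparison from post #1 with password_hash()/password_verify(), which is the PHP-standard way to store passwords.

```php
<?php
// auth.php: added example, not code from the thread. Assumes a users table
// (username, password_hash, role) reachable through $pdo; table and column
// names are hypothetical. Passwords are stored with password_hash($pw, PASSWORD_DEFAULT).
declare(strict_types=1);

// Start the session once, with cookie flags that keep the id away from scripts
// and off plain-HTTP connections.
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => isset($_SERVER['HTTPS']),
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Verify the credentials and record BOTH the username and the role in the
// session. The role comes from the database row, never from the login form,
// so a client cannot pick "host" for itself.
function login(PDO $pdo, string $username, string $password): bool
{
    secure_session_start();
    $stmt = $pdo->prepare('SELECT password_hash, role FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh id after authentication (session fixation defence)
    $_SESSION['username'] = $username;
    $_SESSION['role']     = $row['role']; // 'host' or 'civilian'
    return true;
}

// Guard for the top of every protected page. Anyone who is not logged in, or
// is logged in with a different role, is logged out and sent to mustlogin.php.
function require_role(string $role): void
{
    secure_session_start();
    if (!isset($_SESSION['username']) || ($_SESSION['role'] ?? null) !== $role) {
        $_SESSION = [];
        session_destroy();
        header('Location: http://ciubab.com/mustlogin.php', true, 303);
        exit;                             // nothing below this line is ever sent
    }
}

// Usage (hypothetical pages from the thread):
//
// login.php, after a successful POST:
//     require __DIR__ . '/auth.php';
//     if (login($pdo, $_POST['username'], $_POST['password'])) {
//         header('Location: http://ciubab.com/' . $_SESSION['role'] . '.php', true, 303);
//         exit;
//     }
//
// host.php, as its very first lines:
//     require __DIR__ . '/auth.php';
//     require_role('host');
//
// civilian.php, as its very first lines:
//     require __DIR__ . '/auth.php';
//     require_role('civilian');
```

Two details matter in practice: the comparison is `!==` against a role read from the session, so a missing or differently-typed value fails closed, and `exit` follows every `header('Location: ...')`. Without the `exit`, PHP keeps executing and sends the protected page body along with the redirect, which is exactly the bypass the original post describes.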

