  1. #1 | SitePoint Evangelist | Join Date: Mar 2011 | Posts: 423

    Admin pages at web site with restricted access

    Hi,

    I have designed an admin login page. Once the user enters their username and password they then go from login.php to admin.php.

    The code I am using to prevent people without a username and password to access admin.php is:

    PHP Code:
    <?php
    session_start(); // Start (resume) the session
    define('ADMIN', $_SESSION['name']); // Get the user name from the previously registered session variable
    if (!session_is_registered("admin")) { // If session not registered (session_is_registered is deprecated and was removed in PHP 5.4)
        header("Location: login.php"); // Redirect to login.php page
        exit; // Stop here, otherwise the rest of admin.php is still sent after the redirect header
    } else {
        // Continue to current page
        header('Content-Type: text/html; charset=utf-8');
    }
    ?>
    So if they came to the admin.php page without a username and password it goes to the login page instead.

    I now intend to design another page in the admin part of the web site called "add content". How do I prevent access without a password with further pages like this add content page?

    In my code on the admin page I am using "Start Session". I do not think it is wise to start sessions for every page...if the user has entered their username and password and been approved on the Admin.php page via the "start session" code above then how should they access further web pages in the admin part of the site?

    Furthermore, how do I provide limited access? So they can access "Add Content" pages but not "Processed Transactions" pages?

    Maybe I need more code on my admin page to establish what they can and cannot do? Or is it just a case of adding code at the beginning of each page, like the code above?!

    Matt.

  2. #2 | Non-Member | Join Date: Apr 2011 | Location: no fixed address | Posts: 851
    session_is_registered is deprecated.

    Normally what is done is when the username and password match what is in the database, a session variable is set to show the user is legitimate.

    Code:
    $legitUser = 'qwerty';
    Then on every page where the user must be logged in to see the content, you first check for the existence of the session variable.

    PHP Code:
    <?php
    session_start();
    // The key must be the same one the login script sets ($_SESSION['legitUser']);
    // inside single quotes '$legitUser' would be a literal key, not a variable.
    if (!isset($_SESSION['legitUser']) || $_SESSION['legitUser'] != 'qwerty') {
        echo '<h1>You are not an authorised user</h1>';
        // maybe redirect to login page
        die();
    }
    ?>
    To restrict what users can do, you could assign access levels (integers) to users when they are created and then at the top of each page check the user's access level before allowing them to perform a task.

  3. #3 | SitePoint Evangelist | Join Date: Mar 2011 | Posts: 423
    I roughly understand you apart from two issues.

    1. How do I define $legitUser = 'qwerty';? Do I need a list of the legitusers somewhere? Like this:

    PHP Code:
    $legitUser = 'user1';
    $legitUser = 'user2';
    $legitUser = 'user3';
    $legitUser = 'user4';
    Can you explain how it is done a bit more please?

    2. I notice in your code you have used $_SESSION['$legitUser'] != 'qwerty'). This code has the users name in the coding! Do you suggest I start a session individually for each user?

    PHP Code:
    <?php
    session_start();
    if (!isset($_SESSION['legitUser']) || $_SESSION['legitUser'] != 'anotheruser') {
        echo '<h1>You are not an authorised user</h1>';
        // maybe redirect to login page
        die();
    }
    ?>

    above i have coded it for username: anotheruser

    Again, can you explain with a bit more detail, please.

    Thanks,

    Matt.

  4. #4 | Non-Member | Join Date: Apr 2011 | Location: no fixed address | Posts: 851
    ok, let me try to make it a little clearer.

    1) I assume you have a login page where a user enters a username and password.

    2) When the user clicks the "login" button, the username and password are sent to a server side script - for example validateUser.php

    3) validateUser.php runs a query on the database to check if the username and password exist. If the username and password exist then validateUser.php creates a session variable which can be called anything you like and have any value you like. In my example I set

    Code:
    $_SESSION['legitUser'] = 'qwerty';
    (I just noticed I didn't set the session variable correctly in my previous post - sorry )

    4) Therefore, $_SESSION['legitUser'] will exist only if the user has logged in successfully with a correct username/password.

    5) Then on every page where the user must be logged in, at the top of the page you continue the session and first check if the user is logged in. If the user is logged in then $_SESSION['legitUser'] will equal 'qwerty'. If the user is not logged in, the session variable will not exist.

    PHP Code:
    <?php
    session_start(); // resume the session that validateUser.php started
    // Same key as the one set in step 3: $_SESSION['legitUser']
    if (!isset($_SESSION['legitUser']) || $_SESSION['legitUser'] != 'qwerty') {
        echo '<h1>You are not an authorised user</h1>';
        // maybe redirect to login page
        die();
    }
    ?>
    Step 5 checks if the user is logged in or not at the top of every page before displaying the rest of the page if the user is logged in. If they are not logged in, the "You are not an authorised user" message is displayed and the script terminates.

    You don't need to store the user's username in a session variable unless you want to actually display it somewhere like "Welcome user1".
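    As an added example (not code from this thread), this is how step 5 is usually packaged in practice: one small file that resumes the session and does the check, which every restricted page requires as its first line. It assumes the login script set $_SESSION['legitUser'] = 'qwerty' as in step 3; the file names auth_check.php and add_content.php are hypothetical. Calling session_start() on every page is expected, which answers the concern in the first post: it resumes the session identified by the visitor's cookie rather than starting a fresh login. Two points the thread's snippets leave out: header() only works before any output has been sent, so the guard must come before any HTML or whitespace, and a redirect header does not stop the script, so it is followed by exit.

```php
<?php
// ---- file 1: auth_check.php (hypothetical name) ----
// Added example, not code from the thread. Require this file as the very first
// thing on every restricted page, before any HTML or whitespace is output.
// Assumes validateUser.php set $_SESSION['legitUser'] = 'qwerty' on a successful login.

session_start(); // resumes the existing session from the cookie; no new login is created

if (!isset($_SESSION['legitUser']) || $_SESSION['legitUser'] !== 'qwerty') {
    // Not logged in: send the browser to the login page and stop right here,
    // otherwise the rest of the page would still be sent after the redirect header.
    header('Location: login.php');
    exit;
}

// Only needed if the login script also stored the name, e.g. for "Welcome user1".
$currentUser = $_SESSION['name'] ?? null;
?>
<?php
// ---- file 2: add_content.php (hypothetical name) ----
// A restricted page is just the guard plus its own content.
require __DIR__ . '/auth_check.php';
header('Content-Type: text/html; charset=utf-8');

echo '<h1>Add content</h1>';
if ($currentUser !== null) {
    // Escape anything that came from user input before putting it into HTML.
    echo '<p>Welcome ' . htmlspecialchars($currentUser, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

    Every page in the admin area then starts with the same require line; there is no per-user code in the guard, because the session variable it checks is a flag set by the login script, not a username.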

  5. #5 | SitePoint Evangelist | Join Date: Mar 2011 | Posts: 423
    OK but I still don't understand the username qwerty. If we write in the code the bit of code you have:

    $_SESSION['$legitUser'] != 'qwerty')

    then if the username is, say, username1 then it is not qwerty and the user will not be allowed to view the page!

    Am I missing something?

    Matt.

  6. #6 | Non-Member | Join Date: Apr 2011 | Location: no fixed address | Posts: 851
    Quote Originally Posted by MatthewBOnline:
        Am I missing something?
    Unfortunately yes

    'qwerty' is not a username. It is just a random value given to a session variable if the username/password entered by the user are correct.

    For example, in validateUser.php you could have something like this

    PHP Code:
    <?php
    session_start();

    $username = $_POST['txtUsername']; // user name entered by the user in the login form

    $password = $_POST['txtPassword']; // password entered in the login form.

    // $conn is the database connection opened earlier (not shown).
    // The submitted values go straight into the query string here; as the note below says,
    // validation/sanitisation still has to be added.
    $query = 'select * from tblUsers where fldUsername = "'.$username.'" and fldPassword = "'.$password.'"';
    $rs = mysql_query($query, $conn);
    if (mysql_num_rows($rs) == 1) { // username/password exist in the database
        $_SESSION['legitUser'] = 'qwerty';
        // redirect to user's home page
    } else { // incorrect username/password entered
        // redirect back to login page
    }
    ?>
    The above is very simplified and doesn't include any data validation/sanitisation which must also be done, but I'm keeping it simple for now.

    So you can see in the above code that $_SESSION['legitUser'] will be created only if the user enters a correct username/password. So at the top of every page where the user must be logged in to view it, you first check if $_SESSION['legitUser'] exists as shown earlier.

  7. #7 | SitePoint Addict ketting00 | Join Date: Jul 2011 | Posts: 325
    You should set a user level like:

    if($username == "John") {
    $_SESSION['admin'] = true;
    }

    but this method is not secure, just an idea to see how it works.

  8. #8 | Non-Member | Join Date: Apr 2011 | Location: no fixed address | Posts: 851
    Quote Originally Posted by ketting00:
        You should set a user level like:

        if($username == "John") {
        $_SESSION['admin'] = true;
        }

        but this method is not secure, just an idea to see how it works.
    I think it would be easier coding/maintenance wise and more efficient if you set user access levels or roles in the database rather than in the application code itself.

    But access levels are related to the 2nd part of the OP's question. He really needs to get the logging in working first without using session_is_registered.
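    Below is an added example (not code from this thread) of what validateUser.php and the per-page check look like once the validation the reply in #6 says still has to be added is in place, and with the access level stored in the database as this reply suggests rather than hard-coded against a username. It assumes a hypothetical tblUsers table with columns fldUsername, fldPasswordHash (filled with password_hash() when the user is created) and fldRole ('editor' or 'admin'), and a PDO connection $pdo opened in an included config file; the session key and its 'qwerty' value are the ones used in the thread. The username is passed to the query as a bound parameter instead of being spliced into the SQL string, the password is compared with password_verify() against a stored hash, and the session id is regenerated at login so a session id issued before login is not reused.

```php
<?php
// ---- file 1: validateUser.php ---- (added example, not the thread's code)
// Assumes $pdo (a PDO connection) comes from an included config file, and a
// hypothetical table tblUsers(fldUsername, fldPasswordHash, fldRole).
session_start();

$username = $_POST['txtUsername'] ?? '';
$password = $_POST['txtPassword'] ?? '';

// Prepared statement: the username is bound as data, never concatenated into the SQL.
$stmt = $pdo->prepare('SELECT fldPasswordHash, fldRole FROM tblUsers WHERE fldUsername = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() compares the submitted password with the stored hash;
// the plain-text password is never stored or compared in SQL.
if ($row !== false && password_verify($password, $row['fldPasswordHash'])) {
    session_regenerate_id(true);          // fresh session id on login
    $_SESSION['legitUser'] = 'qwerty';     // the "logged in" flag used throughout the thread
    $_SESSION['role'] = $row['fldRole'];   // access level read from the database, not the code
    header('Location: admin.php');         // redirect to user's home page
} else {
    header('Location: login.php?error=1'); // same response for unknown user and wrong password
}
exit;
?>
<?php
// ---- file 2: require_role.php ---- include on every restricted page, before any output.
session_start();

// Stops the page unless the visitor is logged in and holds at least the required level.
function require_role(string $needed): void
{
    if (!isset($_SESSION['legitUser'], $_SESSION['role']) || $_SESSION['legitUser'] !== 'qwerty') {
        header('Location: login.php');
        exit;
    }
    // Ordered levels: an admin may do everything an editor may. Unknown roles rank lowest.
    $rank = ['editor' => 1, 'admin' => 2];
    if (($rank[$_SESSION['role']] ?? 0) < ($rank[$needed] ?? PHP_INT_MAX)) {
        http_response_code(403);
        exit('<h1>You are not an authorised user</h1>');
    }
}

// add_content.php would start with:          require 'require_role.php'; require_role('editor');
// processed_transactions.php would start with: require 'require_role.php'; require_role('admin');
```

    Changing who may see "Processed Transactions" is then a change to a row in tblUsers, not a code edit, and the page itself only states which level it needs.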
