Administrator's Page Security Settings With PHP

Question

lordx78 0 Junior Poster

16 Years Ago

I have 2 some pages in the website I'm developing. I've also an admin page. If i want to log in to the admin page, I've to key in username and password and it will be validated and redirect me to the admin's page. The problem is, if I manually input the direct url for the admin's page, the browser will open the url without asking for any validation.

?? Question ??

1. How to disable the user to just open the admin's page with direct link without any validation?

2. How to prompt the user to key in username and password if the direct url is used?

3. How to disable the usage of direct url (for admin's page)?

php

3 Contributors
3 Replies
124 Views
1 Day Discussion Span
Latest Post 16 Years Ago Latest Post by johnsquibb

web_lock 0 Newbie Poster

16 Years Ago

I have 2 some pages in the website I'm developing. I've also an admin page. If i want to log in to the admin page, I've to key in username and password and it will be validated and redirect me to the admin's page. The problem is, if I manually input the direct url for the admin's page, the browser will open the url without asking for any validation.
?? Question ??
1. How to disable the user to just open the admin's page with direct link without any validation?
2. How to prompt the user to key in username and password if the direct url is used?
3. How to disable the usage of direct url (for admin's page)?

I've handled this problem in my applications by using a SESSION random value which is initiated at my login page itself.
Lets say your initial loading page is login.php. It would contain the following LOC

<?php
session_start();
if($_POST[úserID'])
{
$_SESSION['randomvalue']=rand();
$_SESSION['loginValue']=md5($_SESSION['randomValue']);
}
else
{
écho '<script>';
echo "document.location='logout.php'";
echo"</script>";

}
?>

Please note , this page is accessible only through login .

Lets say the URL to the adminSetting is admin.php. include these lines in the code

if($_SESSION['loginValue'])
{
$checkValue=md5($_SESSION['randomValue']);
if($checkValue==trim($_SESSION['loginValue']){
{
}
else
{
écho '<script>';
echo "alert('Enter USER NAME and PASSWORD')";
echo"</script>";
}
}

The direct usage of url can be controlled through javascript.
Hope this helped.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

lordx78 0 Junior Poster · Answer 1 · 2008-02-10T10:35:04+00:00

Thanks for the code, I will give it a try before I reply this thread.

johnsquibb 3 Junior Poster in Training · Answer 2 · 2008-02-11T09:45:25+00:00

I've handled this problem in my applications by using a SESSION random value which is initiated at my login page itself.
Lets say your initial loading page is login.php. It would contain the following LOC
<?php
session_start();
if($_POST[úserID'])
{
$_SESSION['randomvalue']=rand();
$_SESSION['loginValue']=md5($_SESSION['randomValue']);
}
else
{
écho '<script>';
echo "document.location='logout.php'";
echo"</script>";

}
?>

That works. I would change one thing, however.

instead of echoing the javascript to redirect the page, I would keep it as PHP by using the header function like so:

<?php
session_start();
if($_POST['userID'])
{
$_SESSION['randomvalue']=rand();
$_SESSION['loginValue']=md5($_SESSION['randomValue']);
}
else
{
//redirect to login
header('Location: login.php');
exit();

}
?>

using javascript to redirect will allow the user access to the page you're trying to keep secure simply by disabling javascript in their browser. The header function redirects server-side, so they never get to the page.

For additional security, you should probably also validate the $_POST against a username/password combination in a database, otherwise someone could write a script on a remote website to post any value for 'userID' and it will let them through.