PHP assistance?

How would I go about the following problem?

For my final project for University, I chose to create an e-commerce based website and I have a login page for the Admin back-end, but obviously if you know the extensions such as link_here/admin.php you can still access the back-end through that page.

How would I go about forcing the user to log in through the login page I created if they try to just type in that URL?

As obviously this is for a real-world client, and that would be a major security flaw.

So for example:

User (somehow) knows the full link to access the admin side of the website > types in www.blabla.com/admin.php > when this page loads he is redirected to the Admin login page > and now he is forced to log in before he can enter that admin page.
What happens when you have logged the user in? Do you start a new session for them when they have entered a correct username/password?
 
Depends how you have architected the system. If it's MVC you should be able to implement it for all routes that either follow a convention (something like www.site.com/admin/) or you can specify which URLs require auth.

If it's just a pretty standard website with includes and PHP files for every URL, you can simply check a session var indicating whether someone is signed in. If not, redirect them to the login page.
 
Sorry if I've got this wrong, but this is your final year Uni project? This is for a real world client? ... and only now you're thinking about back-end security?

The security logic should be comprehensively planned from day one, especially when dealing with online commerce.
 

It's only partial e-commerce for a very small company that wants the ability for its users to look at their products online and place a quote through a contact form.

User logs on > browses products catalogue > selects product > goes to estimation page > sees how much it would be to either a.) buy a product/service or b.) use a service > using PHP that service is calculated and then sent to a.) the DB and b.) the client's e-mail.

:)

What happens when you have logged the user in? Do you start a new session for them when they have entered a correct username/password?

Yeah mate, a session is started and upon successful logout the session is then ended.
 
The basic way would be to give the admin some special "mark" and then assign it to a session and check that each time someone loads the back-end page. If they have valid permission, let them in, else redirect them.
 

When the user logs in, check if they are an admin. If they are an admin then set a variable in the session.

When a user goes to the admin page, the admin session variable should be checked. If it is set, then don't redirect, else redirect as they are not an admin.
 
I just did a simple admin area myself, what I did was upon login a session for the user is created and set to 'authorised'.

Then on the index.php I did an if statement saying, if the session is not equal to 'authorised', header("Location: login.php");. I made that a function, and I just call it on all the pages right at the top.

So if they aren't logged in, they just get taken to the login.php page.

There's probably much better ways of doing this but I'm new to PHP myself.
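Putting the advice in this thread together (session variable set at login, a check function called at the top of every admin page, redirect to the login page otherwise), here is an added example in PHP. It is not code from any of the posters; it assumes a PDO connection in $pdo, a hypothetical `users` table with columns id, username, password_hash and is_admin, and a login page at /login.php. Two details the posts gloss over are included: the session id is regenerated at login so a fixed pre-login id cannot be reused, and the redirect is followed by `exit`, because header() alone does not stop PHP from rendering the rest of admin.php and sending it to the client.

```php
<?php
// auth.php (added example, not from the thread). Assumes: $pdo is a PDO connection,
// table `users` has columns id, username, password_hash, is_admin (hypothetical schema).
// Usage at the top of every admin page:
//   require_once 'auth.php';
//   require_admin();

declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps JavaScript away from the session id, Secure limits the cookie
    // to HTTPS, SameSite=Lax stops most cross-site requests from carrying it.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => $https,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by login.php once the form is POSTed. Returns true on a successful login.
function login(PDO $pdo, string $username, string $password): bool
{
    start_secure_session();
    $stmt = $pdo->prepare('SELECT id, password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_hash() at registration, password_verify() here: no plaintext, no manual md5.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }

    // Fresh session id on privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $user['id'];
    $_SESSION['is_admin']  = (bool) $user['is_admin'];
    $_SESSION['last_seen'] = time();
    return true;
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Gate for admin pages: anyone who is not a signed-in admin, or whose session has
// been idle longer than $idle_limit seconds, is logged out and sent to the login page.
function require_admin(string $login_url = '/login.php', int $idle_limit = 1800): void
{
    start_secure_session();
    $ok = !empty($_SESSION['is_admin'])
        && isset($_SESSION['last_seen'])
        && (time() - (int) $_SESSION['last_seen']) <= $idle_limit;

    if (!$ok) {
        logout();
        header('Location: ' . $login_url, true, 302);
        exit; // without this the rest of admin.php still runs and is sent to the client
    }
    $_SESSION['last_seen'] = time();
}
```

Because the check lives in one function, a page is protected by a single call before any output; a page that forgets the call is still exposed, so in an MVC setup the same function belongs in a front controller or route filter that covers everything under /admin/ rather than in each page.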
 