PHP assistance?

Associate
Joined
22 Aug 2011
Posts
240
How would I go about the following problem?

For my final project for University, I chose to create an E-commerce based website and I have a login page for the Admin back-end, but obviously if you know the extensions such as link_here/admin.php you can still access the back-end through that page.

How would I go about forcing the user to log-in through the log-in page created if you try to just type in that URL?

As this is for a real-world client, that would obviously be a major security flaw.

So for example:

User (somehow) knows the full link to access the admin side of the website > types in www.blabla.com/admin.php > when this page loads he is linked to the Admin login page > and now he is forced to login before he can enter that admin page.
 
Associate
Joined
24 May 2011
Posts
262
What happens when you have logged the user in? Do you start a new session for them when they have entered a correct username/password?
 

fez

Caporegime
Joined
22 Aug 2008
Posts
25,806
Location
Tunbridge Wells
Depends how you have architected the system. If it's MVC you should be able to implement it for all routes that either follow a convention (something like www.site.com/admin/) or you can specify which URLs require auth.

If it's just a pretty standard website with includes and PHP files for every URL, you can simply check a session var indicating whether someone is signed in. If not, redirect them to the login page.
 

BaJ

Associate
Joined
19 Oct 2002
Posts
782
Location
The middle bit
Sorry if I've got this wrong, but this is your final year Uni project? This is for a real world client? ... and only now you're thinking about back-end security?

The security logic should be comprehensively planned from day one, especially when dealing with online commerce.
 
Associate
OP
Joined
22 Aug 2011
Posts
240
Sorry if I've got this wrong, but this is your final year Uni project? This is for a real world client? ... and only now you're thinking about back-end security?

The security logic should be comprehensively planned from day one, especially when dealing with online commerce.

It's only partial e-commerce for a very small company that wants the ability for its users to look at their products online and place a quote through a contact form.

user logs on > browses products cat > selects product > goes to estimation page > sees how much it would be to either a.) buy a product/service or b.) use a service > using PHP that service is calculated and then sent to a.) the db and b.) the client's e-mail.

:)

What happens when you have logged the user in? Do you start a new session for them when they have entered a correct username/password?

Yeah mate, a session is started and upon successful logout the session is then ended.
 
Soldato
Joined
7 Mar 2007
Posts
9,917
Location
Belfast
The basic way would be to give the admin some special "mark" and then assign it to a session and check that each time someone loads the back-end page. If they have valid permission, let them in, else redirect them.
 
Associate
Joined
24 May 2011
Posts
262
It's only partial e-commerce for a very small company that wants the ability for its users to look at their products online and place a quote through a contact form.

user logs on > browses products cat > selects product > goes to estimation page > sees how much it would be to either a.) buy a product/service or b.) use a service > using PHP that service is calculated and then sent to a.) the db and b.) the client's e-mail.

:)



Yeah mate, a session is started and upon successful logout the session is then ended.

When the user logs in, check if they are an admin. If they are an admin then set a variable in the session.

When a user goes to the admin page, the admin session variable should be checked. If it is set, then don't redirect, else redirect as they are not an admin.
 
Associate
Joined
14 Nov 2006
Posts
2,057
Location
UK
I just did a simple admin area myself, what I did was upon login a session for the user is created and set to 'authorised'.

Then on index.php I did an if statement saying: if the session is not equal to 'authorised', header("location: login.php");. I made that a function and just call it on all the pages right at the top.

So if they aren't logged in, they just get taken to the login.php page.

There's probably much better ways of doing this but I'm new to PHP myself.
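A worked version of the pattern described in this thread (fez's "check a session var and redirect", the "set an admin variable in the session at login and check it on the admin page" answer, and the guard function called at the top of every page in the post above), as an added example that is not code posted by anyone in the thread. It assumes the page names login.php and admin.php used in the thread, a users table whose password column holds a password_hash() value (an assumption), and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// auth.php -- constructed example, not from the thread.
// Include it at the very top of every back-end page, before any output.
declare(strict_types=1);

// Start the session once, with the cookie restricted to HTTPS and hidden from JavaScript.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by login.php once the submitted form has been read.
// $storedHash is the password_hash() value for this user (assumed DB column);
// $role is the "mark" from the thread: 'admin' for back-end users, 'customer' otherwise.
function login_user(int $userId, string $role, string $submittedPassword, string $storedHash): bool
{
    start_secure_session();
    if (!password_verify($submittedPassword, $storedHash)) {
        return false;           // wrong password: nothing is written to the session
    }
    // Issue a fresh session id when privilege changes, so an id handed to the
    // visitor before login cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['role']     = $role;
    $_SESSION['login_at'] = time();
    return true;
}

// Guard for admin pages. Anyone without the admin mark is sent to the login page
// and the script stops there, so admin.php itself never renders for them.
function require_admin(string $loginUrl = '/login.php'): void
{
    start_secure_session();
    if (($_SESSION['role'] ?? null) !== 'admin') {
        header('Location: ' . $loginUrl, true, 302);
        exit;   // without this the rest of admin.php would still execute and be sent
    }
}

// Called by logout.php: clear the data, drop the cookie, destroy the server-side session.
function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in admin.php (first lines of the file, before any HTML):
//   require __DIR__ . '/auth.php';
//   require_admin();
//   ... admin content follows ...
```

The one line that matters most for the original question is the `exit` after `header('Location: ...')`: a redirect header on its own does not stop PHP, so an admin page that only sends the header still runs its queries and sends its HTML to a client that ignores redirects. Checking `role` rather than a bare "logged in" flag also covers the case in the thread where ordinary customers have sessions too but must not reach the back-end.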
 