currentdb
asked on
protect a web page from non authorized access
Dear experts,
I found out that one web page that I thought was protected from unauthorized access is in fact non protected.
An user can copy the link, then still can access this page without having to be logged in.
How I can force the user to log in even if he tries to do a copy/paste ? (he knows what the link looks like).
Thanks in advance for you help
I found out that one web page that I thought was protected from unauthorized access is in fact non protected.
An user can copy the link, then still can access this page without having to be logged in.
How I can force the user to log in even if he tries to do a copy/paste ? (he knows what the link looks like).
Thanks in advance for you help
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
There's one major problem. Only login page, logout page, membership page and shopping cart pages are in php. The rest are just html.
I am wondering if I have to convert some of them from html to php or if there's another way around.
I am wondering if I have to convert some of them from html to php or if there's another way around.
I suggest to convert it. You don't need to modify all the code, rename the file to php and then add the detection of that the user is logged on the top and this should work.
Regards
Regards
If you are to protect them with a login, you need to convert all of them to use PHP to check the login. Put it first and you can leave the HTML part of it alone. But it does need to be a *.php file.
ASKER
I made renamed just one page from .html to .php and added the code suggested by MadShiva. I added this code at the top of the page. I made a test but the page is still unprotected. If I copy the link to this page in the browser, hoping that it will re-direct me to the login page, well, here it does not. I am wondering what does not work.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi MadShiva, Ray_Paseur
Thank you for your code. It helped to protect the page that was just renamed from .html to .php.
I changed the header location as it is:
Basically if anyone knows the url and wants to access the fable4.php page, he's forced to go to the login form first. This redirect url worked before, but as I added it here, it began to fail apart. What happens is once the user is logged in is that he's not redirected anymore to this page fable4.php
Again I am lost :(
Thank you for your code. It helped to protect the page that was just renamed from .html to .php.
I changed the header location as it is:
<?php
session_start();
if(!isset($_SESSION['login']))
{
header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");
exit;
}
?>
Basically if anyone knows the url and wants to access the fable4.php page, he's forced to go to the login form first. This redirect url worked before, but as I added it here, it began to fail apart. What happens is once the user is logged in is that he's not redirected anymore to this page fable4.php
Again I am lost :(
Dear currentdb,
This code that I post, will redirect people if the value of the session["login"] is not set, then it force the redirection to the page login.
I'm not sure what you have set from your page login, personnaly I use this after control of the login/password, maybe the session is not set correctly in your code, or another variable is used (from the article of Ray Paster it didn't use login but uid) :
After I redirect the people to the index.php for example page.
Regards
This code that I post, will redirect people if the value of the session["login"] is not set, then it force the redirection to the page login.
I'm not sure what you have set from your page login, personnaly I use this after control of the login/password, maybe the session is not set correctly in your code, or another variable is used (from the article of Ray Paster it didn't use login but uid) :
session_start();
$_SESSION['login'] = $login;
After I redirect the people to the index.php for example page.
Regards
ASKER
Dear MadShiva,
When I used your code without modifications to this line header("Location: login.php"); it did not work. Then I understood that the server was not able to locate the login.php page.
Then I changed it to header("Location: http://yoursite.com/amember/login and it forces the user to go to the login page first.
Last, I had to redirect the user back to the desired page, hence the second change header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");
exit;
From your code, what I don't understand is where the user is redirected. When I changed the header for a second time, I really hoped that the user will be finally redirected to this page but for reasons that I don't understand, it ends into a server loop.
When I used your code without modifications to this line header("Location: login.php"); it did not work. Then I understood that the server was not able to locate the login.php page.
Then I changed it to header("Location: http://yoursite.com/amember/login and it forces the user to go to the login page first.
Last, I had to redirect the user back to the desired page, hence the second change header("Location: http://yoursite.com/amember/login?amember_redirect_url=http://yoursite.com/fable4.php");
exit;
From your code, what I don't understand is where the user is redirected. When I changed the header for a second time, I really hoped that the user will be finally redirected to this page but for reasons that I don't understand, it ends into a server loop.
Dear,
Ok . I'm not sure if I understand correctly, but you could try like this :
This will redirect to http://yoursite.com/amember/login if the user is not logged, and http://yoursite.com/fable4.php if the user is logged.
Ok . I'm not sure if I understand correctly, but you could try like this :
<?php
session_start();
if(!isset($_SESSION['login']))
{
header("Location: http://yoursite.com/amember/login");
exit;
}
else
{
header("Location: http://yoursite.com/fable4.php");
}
?>
This will redirect to http://yoursite.com/amember/login if the user is not logged, and http://yoursite.com/fable4.php if the user is logged.
ASKER
It does not work. At least there is no server loop.
It's better if you see by yourself.
Login ID: serge6
PW: bader6
You will notice that the member is still not redirected to the proper page, but will be redirected to member's area.
PLease use this link to access this page:
http://www.signipedia.com/fable4.php
I hope you understand better this problem :)
It's better if you see by yourself.
<?php
session_start();
if(!isset($_SESSION['login']))
{
header("Location: http://signipedia.com/amember/login");
exit;
}
else
{
header("Location: http://signipedia.com/fable4.php");
}
?>
Login ID: serge6
PW: bader6
You will notice that the member is still not redirected to the proper page, but will be redirected to member's area.
PLease use this link to access this page:
http://www.signipedia.com/fable4.php
I hope you understand better this problem :)
Dear,
You need to set the value of the login after that you have check the password in the file, the session could exist but the variable $_SESSION['login'] is not set.
You should modifiy the page of the form of the login by doing this:
Then you set the value of the login with :
The variable $login should be set like abow from the value of amember_login form that you have posted after the control of the password, also you need to start the session with session_start();
Hope that's clear for you.
Regards
You need to set the value of the login after that you have check the password in the file, the session could exist but the variable $_SESSION['login'] is not set.
You should modifiy the page of the form of the login by doing this:
Then you set the value of the login with :
session_start();
$_SESSION['login'] = $login;
The variable $login should be set like abow from the value of amember_login form that you have posted after the control of the password, also you need to start the session with session_start();
Hope that's clear for you.
Regards
Please see line 44 of the RAY_EE_config code snippet in the article I linked above. That is 100% of what you need to know to find the original entry point to the web site. It really is that easy!
ASKER
Finally made it to work! I had to make some calls to my hosting company and ask them for help. They told me that kind of access should be in the root server directory.
So here's what the code looks like:
It was not that easy, but at least it works :)
Thanks to both of you for your great help.
So here's what the code looks like:
<?php
require_once '/xxx/xxx/xxx/public_html/amember/library/Am/Lite.php'; // Adjust path to aMember folder
if (!Am_Lite::getInstance()->isLoggedIn()) {
header("Location: http://signipedia.com/amember/login?amember_redirect_url=http://signipedia.com/fable4.php");
exit;
}
?>
It was not that easy, but at least it works :)
Thanks to both of you for your great help.
You have some choice, the first more easy to install is to secure the access of the link with .htaccess but it will also protect the whole folder.
One other choice, would be to do a login / password for the user with a session, and check for every page that you want access that the session is valid.
Example login.php :
Open in new window
Example anypage.php :
Open in new window
Regards