  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 306

Restricting access to PHP pages

I am building (or trying to!) a password restricted site where different user-levels see different content.

I am using the code attached below to start the session, log in and display the relevant pages according to the user's status.

The problem is that none of the pages are restricted, so for example if a member logs in they are shown the links 'Change Password', 'Log out', and 'Admin'.

But non members can still see these pages if they navigate directly to the URL.

It seems as if the code below only displays links according to user level but does not offer any restrictions to those pages.

How would I add this? It would simply need to be a function that redirects users to a login page if they are not logged in.

<div id="AdminMenu">

<?php # Script 16.1 - header.html
// This page begins the HTML header for the site.

// Start output buffering:
ob_start();

// Initialize a session:
session_start();

// Display links based upon the login status:
if (isset($_SESSION['user_id'])) {

	echo 'Welcome';

	if (isset($_SESSION['first_name'])) {
		echo ", {$_SESSION['first_name']}!&nbsp;";
	}

	echo '<a href="logout.php" title="Logout">Logout</a>&nbsp;
<a href="change_password.php" title="Change Password">Change Password</a>
';

	// Add links if the user is an administrator:
	if ($_SESSION['user_level'] == 1) {
		echo '<a href="admin/test.php" title="Admin">Admin</a>&nbsp;
';
	}

} else { // Not logged in.

	echo '<a href="joinanjoman.php" title="Join Anjoman">Join</a>&nbsp;
<a href="login.php" title="Login">Login</a><br />
';

}

?>

</div>


0
Asked by: BrighteyesDesign
3 Solutions
 
Hugh McCurdy commented:
Put the restrictions on each page you want protected.
0
 
Hugh McCurdy commented:
What I suggest is you create a script which is included with include_once or require_once.  Include it near the beginning of your page.  That script verifies authentication.  If accepted, just load the page normally.  If not, I use header() to redirect the user to the login page.

Do you need help with how header() works?
0
 
Gary Coltharp (Sr. Systems Engineer) commented:
How are you keeping track of your users? Are you using a database connection of some sort?

PHP is server side so you can query the logged in user against the database and display links based on the return.

Hope this helps.
0
 
Marco Gasi (Freelancer) commented:
Yes. You could enclose the check code within a script and require it in every page that needs to have restricted access:

 
<?php
// login.php

// Display links based upon the login status:
if (isset($_SESSION['user_id'])) {

	echo 'Welcome';

	if (isset($_SESSION['first_name'])) {
		echo ", {$_SESSION['first_name']}!&nbsp;";
	}

	echo '<a href="logout.php" title="Logout">Logout</a>&nbsp;
<a href="change_password.php" title="Change Password">Change Password</a>
';

	// Add links if the user is an administrator:
	if ($_SESSION['user_level'] == 1) {
		echo '<a href="admin/test.php" title="Admin">Admin</a>&nbsp;
';
	}

} else { // Not logged in.

	echo '<a href="joinanjoman.php" title="Join Anjoman">Join</a>&nbsp;
<a href="login.php" title="Login">Login</a><br />
';

}


and then write your file this way:
<div id="AdminMenu">

<?php # Script 16.1 - header.html
// This page begins the HTML header for the site.

// Start output buffering:
ob_start();

// Initialize a session:
session_start();

require("login.php");
?>


I also suggest reading this good article by Ray Paseur: http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html?sfQueryTermInfo=1+10+30+40+login

Cheers
0
 
Ray Paseur commented:
The general design pattern is shown in this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

It has only one level of control: thumbs up or thumbs down.  However you could add an additional field to the user's record and use that field to provide a multi-layer security check.  You would modify the access_control() function to do this.
0
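
The include-and-redirect guard Hugh McCurdy describes, combined with the extra user-level check Ray Paseur mentions, as an added example (not code from the thread or from the linked article). The file name auth_guard.php, the function require_login(), the LEVEL_ADMIN constant and the /login.php path are assumptions; treating user_level 1 as administrator follows the header script in the question.

```php
<?php
// auth_guard.php -- hypothetical file name. require_once it as the very first
// line of every restricted page, before any HTML or whitespace is output.

// Assumption taken from the question's header script: user_level 1 = administrator.
const LEVEL_ADMIN = 1;

// Start the session only if the including page has not already done so.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Let the request continue only for a logged-in user. When $requiredLevel is
 * given, the session's user_level must also match it exactly.
 */
function require_login(?int $requiredLevel = null): void
{
    if (!isset($_SESSION['user_id'])) {
        // Not logged in: redirect to the login page (path is an assumption).
        header('Location: /login.php', true, 302);
        // Stop here. Without exit the protected page keeps executing and its
        // output is still sent to anyone who ignores the redirect.
        exit;
    }

    if ($requiredLevel !== null
        && (int) ($_SESSION['user_level'] ?? -1) !== $requiredLevel) {
        // Logged in, but not at the level this page requires.
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of change_password.php (any logged-in member):
//     require_once __DIR__ . '/auth_guard.php';
//     require_login();
//
// Usage at the top of admin/test.php (administrators only):
//     require_once __DIR__ . '/../auth_guard.php';
//     require_login(LEVEL_ADMIN);
```

Hiding the Admin link in the menu only changes what is displayed; the check has to run on the server in each restricted page, which is what the require_once line provides.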
 
maeltar commented:
Ensure your

session_start();

is at the very beginning of the page, no white space at all, for it to be effective.
0
 
BrighteyesDesign (Author) commented:
Thanks all, I'll look at this tomorrow and let you know how I get on!
0
 
BrighteyesDesign (Author) commented:
Thanks, all helped get closer to the solution!
0
