  1. #1
    New Coder
    Join Date
    May 2009
    Location
    Bangalore
    Posts
    75
    Thanks
    5
    Thanked 0 Times in 0 Posts

    How to stop access to any page

    Hi All,

    I am working on a tool wherein there are different modules. After giving username and password, the user is redirected to the Home page, where he has different modules in a drop-down menu.
    Now the problem is that if the user does not enter the username and password on the login page and instead just types the name of the file directly, it opens that page. Though the menu is not visible there, any unauthorized user can still get access to the page.

    Can anyone tell me how I can restrict any unauthorized user from getting access to the tool? My requirement is that if the username and password are not given on the login page and somebody tries to directly access any page, then it should always redirect to the login page.

    I will be very thankful for any kind of suggestion or help ..

  • #2
    Senior Coder
    Join Date
    Aug 2009
    Location
    Mansfield, Nottinghamshire, UK
    Posts
    1,555
    Thanks
    57
    Thanked 148 Times in 147 Posts
    This is one way, but only as a backup. Are you using sessions?

    PHP Code:
    if (preg_match("#^http\:\/\/localhost\/www\.cms\.actwebdesigns\.co\.uk\/logged\.php\?state=body\&pg=(?:[0-9]|[a-z]){32}\#*$#is", $_SERVER['HTTP_REFERER'])) {
        // The Referer header matches the expected page.
    }
    basically saying, if you didn't come from a certain page, get lost!

  • #3
    New Coder
    Join Date
    Aug 2009
    Posts
    17
    Thanks
    4
    Thanked 1 Time in 1 Post
    The quick & dirty process is:

    1. On each page, check for the existence of a session var or cookie that says the user's logged in
    2. If they're not logged in, redirect them to the login page
    3. On the login page, if they enter a correct name/pass, set the appropriate cookie or session variable

  • Users who have thanked DDaku for this post:

    Nirbhay (09-15-2009)

  • #4
    Regular Coder
    Join Date
    May 2009
    Location
    Moore, OK
    Posts
    282
    Thanks
    11
    Thanked 41 Times in 41 Posts
    Quote Originally Posted by Phil Jackson View Post
    This is one way, but only as a backup. Are you using sessions?

    PHP Code:
    if (preg_match("#^http\:\/\/localhost\/www\.cms\.actwebdesigns\.co\.uk\/logged\.php\?state=body\&pg=(?:[0-9]|[a-z]){32}\#*$#is", $_SERVER['HTTP_REFERER'])) {
        // The Referer header matches the expected page.
    }
    basically saying, if you didn't come from a certain page, get lost!
    This will only work for the first page they visit after the login page though. So I would recommend what DDaku said and I guess PJ was going to get to if you are using sessions. Check for a session value that you set. I would recommend something other than just user_id or anything that is just a number because someone may be able to guess at that. Maybe use something that is hard to guess along with the user id.

    PHP Code:
    // Check to see if the session info is set (session_start() must already have been called).
    if ((isset ($_SESSION['user_id'])) && (isset ($_SESSION['user_code'])) && ($_SESSION['user_id'] != '') && ($_SESSION['user_code'])) {
      // Check to make sure the user info is valid.
      $q = "SELECT user_id FROM Users WHERE user_id={$_SESSION['user_id']} && user_code='{$_SESSION['user_code']}'";
      $r = mysql_query ($q);
      // Make sure only one result is returned.
      if (mysql_num_rows ($r) != 1) {
        // User is not a unique valid user.  May even take them to a 403 unauthorized page if they do this.
        header ('Location: ' . $link_to_login_page);
        exit();
      }
    }
    else {
      // User is not logged in.
      header ('Location: ' . $link_to_login_page);
      exit();
    }

    Last edited by Coyote6; 09-11-2009 at 11:41 PM.

  • Users who have thanked Coyote6 for this post:

    Nirbhay (09-15-2009)

  • #5
    New Coder
    Join Date
    May 2009
    Location
    Bangalore
    Posts
    75
    Thanks
    5
    Thanked 0 Times in 0 Posts


    Hi All,

    Thanks for the response ...

    I have tried using this, but it works only when I clear the cookies; it does not work when I log out.

    In the logout.php page the code is like:

    unset($_SESSION['BIG_ARR1']);
    session_unregister('BIG_ARR1');
    unset($_SESSION['BIG_ARR2']);
    session_unregister('BIG_ARR2');
    unset($_SESSION['BIG_ARR3']);
    unset($_SESSION['BIG_ARR4']);
    unset($_SESSION['menu']);


    Where $_SESSION['BIG_ARR1'] is the session array with the concept of serialize, and in the logout page I am destroying all such sessions. Still, after logging out, if the user just copies and pastes the URL, it opens that page.

    I am still not able to restrict the user from getting access to the page which should have been restricted once the user has logged out.

    I will be very thankful for any kind of help ...

  • #6
    New Coder
    Join Date
    Aug 2009
    Posts
    17
    Thanks
    4
    Thanked 1 Time in 1 Post
    At the very top of your restricted page, you should have something along the lines of:

    PHP Code:
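    session_start(); // must run before $_SESSION is read
    if (!isset($_SESSION["BIG_ARR1"])) {
        header("Location: login.php");
        exit; // stop here so the rest of the page is not sent
    }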

    Which will check for the existence of a session ("BIG_ARR1") which you should set when logging in, and destroy when logging out. If the session is NOT (!) set, PHP will perform a header-redirect to login.php, preventing the user from seeing the originally requested page.

    There are a lot of other variations, but that's the general idea.

    Are you trying something like this and running into a specific error?

  • #7
    New Coder
    Join Date
    May 2009
    Location
    Bangalore
    Posts
    75
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Yeah, I am doing the same, but still after logging out I am getting access to each page, but when I am clearing the cookies then it is working fine.

  • #8
    Regular Coder
    Join Date
    May 2009
    Location
    Moore, OK
    Posts
    282
    Thanks
    11
    Thanked 41 Times in 41 Posts
    Use session_destroy to empty out all of your sessions.

    http://us2.php.net/session_destroy
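
The three steps from post #3, the page guard from post #6 and the session_destroy() logout from post #8, put together as an added example (not code posted by anyone in this thread). It relies only on server-side session state, not on the Referer header. Assumptions: PHP 7.3 or later, a login page at login.php, and a session key named 'auth'; the function names are hypothetical.

```php
<?php
// Added example. 'auth' and login.php are assumed names, not from the thread.

/** Start the session once, with a cookie that page scripts cannot read. */
function start_secure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

/** Call on the login page after the username/password check succeeds. */
function mark_logged_in(int $userId): void
{
    start_secure_session();
    session_regenerate_id(true);   // fresh ID, so an ID issued before login is useless
    $_SESSION['auth'] = ['user_id' => $userId, 'since' => time()];
}

/** Call at the very top of every restricted page, before any output. */
function require_login(string $loginUrl = 'login.php'): void
{
    start_secure_session();        // without this $_SESSION is empty on every request
    if (empty($_SESSION['auth']['user_id'])) {
        header('Location: ' . $loginUrl);
        exit;                      // without exit the rest of the page is still sent
    }
}

/** Full logout: clear the data, expire the cookie, destroy the stored session. */
function logout(string $loginUrl = 'login.php'): void
{
    start_secure_session();        // session_destroy() needs an active session
    $_SESSION = [];                // drop every key, not a hand-picked list
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 42000, 'path' => $p['path'],
            'domain' => $p['domain'], 'secure' => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();             // remove the server-side session data
    header('Location: ' . $loginUrl);
    exit;
}
```

A restricted page includes this file and calls require_login() as its first statement; logout.php calls logout().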

