Posted by Gordon Burditt on 02/06/06 21:07
>How to protect administration pages from entering.
>I put login form on my start page (index.php), and if user put correct
>data, script redirect him on page admin/admin.php. That works fine!
>But if someone types in browser admin/admin.php it enters same page
>without login. How to prevent this?
You put login checking on *EVERY* *SINGLE* *PAGE*. (Usually it's
in one file defining a function or class included from everywhere
else). The checking usually looks at session data to see if you're
logged in, and the login hasn't expired, and if not, redirects you
to the login page.
If you're not using sessions, you probably check cookies. Remember
that session data like $_SESSION['logged_in'] = true is hard to
spoof, but $_COOKIE['logged_in'] = true is easy to spoof.
Gordon L. Burditt
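
Added example, not part of the original post: one way to write the shared login check the reply describes, kept in a single include and called from every protected page. The file name `auth_check.php`, the function `require_login()`, the `last_activity` session key and the 30-minute limit are assumptions made for illustration.

```php
<?php
// auth_check.php: hypothetical file name; include it at the top of every protected page.
// Added example, not code from the original post.

const LOGIN_TIMEOUT = 1800;       // assumed idle limit, in seconds
const LOGIN_PAGE = '/index.php';  // the login form from the question

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Session data lives on the server, so the client cannot set these values directly.
    $loggedIn = ($_SESSION['logged_in'] ?? false) === true;
    $lastSeen = $_SESSION['last_activity'] ?? 0;   // assumed key, set at login
    $expired = (time() - $lastSeen) > LOGIN_TIMEOUT;

    if (!$loggedIn || $expired) {
        // Drop whatever state exists so an expired login cannot be reused.
        $_SESSION = [];
        session_destroy();
        header('Location: ' . LOGIN_PAGE);
        exit;   // without exit the rest of the protected page would still run
    }

    $_SESSION['last_activity'] = time();   // sliding expiry
}

// In index.php, after the credentials have been verified:
//     session_regenerate_id(true);
//     $_SESSION['logged_in'] = true;
//     $_SESSION['last_activity'] = time();
//
// At the top of admin/admin.php, before any output:
//     require __DIR__ . '/../auth_check.php';
//     require_login();
```

The `exit` after the redirect header matters: a client that ignores the `Location` header would otherwise still receive the admin page body.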