|
Posted by J.O. Aho on 02/06/06 21:03
Dalibor wrote:
> How to protect administration pages from entering.
> I put login form on my start page (index.php), and if user put correct
> data, script redirect him on page admin/admin.php. That works fine!
> But if someone types in browser admin/admin.php it eneteres same page
> without login. How to prevent this?
When login in, save a session cookie and store the ip-number in the session,
on each page that require a login, you check if there is a session and that
the computer is connected from the ip it logged in from (makes it more
difficult to hijack a cookie/session).
another option is to use authentication made by the webserver, this will
require that the person who enters the the directory (and any subdirectories
too) to enter a login/password to be able to access the pages, this removes
you the need of making a special login for admin.
//Aho
[Back to original message]
|