Security issue


T. Wintershoven

Hello all,

My website is built in HTML and PHP.
On it, there is a menu which visitors can use to go to the pages.
Some pages are secured by PHP code to make sure that only people who are
logged in can access them.
But.....
If a visitor types the address (URL) to a certain secured page directly in
the address bar of the browser, he/she can still access this page even though
he/she is not logged in at all.

Question:
Is there a way to avoid this problem and give a visitor, who accesses a page
without using the menu, a kind of warning and redirect to the homepage?

Thanks in advance.

Regards,

Tino Wintershoven
 

Beauregard T. Shagnasty

T. Wintershoven said:
Hello all,

My website is built in HTML and PHP. On it, there is a menu which
visitors can use to go to the pages. Some pages are secured by PHP
code to make sure that only people who are logged in can access them.
But..... If a visitor types the address (URL) to a certain secured
page directly in the address bar of the browser, he/she can still
access this page even though he/she is not logged in at all.

Question:
Is there a way to avoid this problem and give a visitor, who accesses a page
without using the menu, a kind of warning and redirect to the homepage?

Yes, you have to use a global or session variable at the start of each
of the pages. If it is false, redirect to the main page. Set it to true
on the login page.

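session_start(); // must run before $_SESSION is read
$lauthorized = $_SESSION['gblauthorized'] ?? false; // unset means not logged in
if ($lauthorized !== true) {
    header("Location: index.php");
    exit; // stop here so the rest of the page is not sent
}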

You could also use "Y" or other key letter or phrase instead of true.
 

UKuser

Hello all,

My website is built in HTML and PHP.
On it, there is a menu which visitors can use to go to the pages.
Some pages are secured by PHP code to make sure that only people who are
logged in can access them.
But.....
If a visitor types the address (URL) to a certain secured page directly in
the address bar of the browser, he/she can still access this page even though
he/she is not logged in at all.

Question:
Is there a way to avoid this problem and give a visitor, who accesses a page
without using the menu, a kind of warning and redirect to the homepage?

Thanks in advance.

Regards,

Tino Wintershoven

Hi Tino,

I put a code in the top of each page to check for the presence of a
cookie I create when they login.

If it's not there I redirect them to the login page or give them an
error.

Hope that helps

A
 

UKuser

Hi Tino,

I put a code in the top of each page to check for the presence of a
cookie I create when they login.

If it's not there I redirect them to the login page or give them an
error.

Hope that helps

A

Be aware as well - sessions are fine if you're on a dedicated server
but on a shared server - sessions can be accessed by other scripts on
the same server unless the tmp folder is protected.
 

Beauregard T. Shagnasty

UKuser said:
Be aware as well - sessions are fine if you're on a dedicated server
but on a shared server - sessions can be accessed by other scripts on
the same server unless the tmp folder is protected.

I've never had a problem on a shared server.
 

Jonathan N. Little

Be aware as well - sessions are fine if you're on a dedicated server
but on a shared server - sessions can be accessed by other scripts on
the same server unless the tmp folder is protected.

If concerned, you can set the session folder to another...

session_save_path($_SERVER['DOCUMENT_ROOT'] ."/mytemp");

Just have to make sure the permissions on the folder are set...
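
The session check and the private session folder suggested in this thread, combined into one include file, as an added example that is not part of any poster's reply. The file name auth.php, the function names and the private_sessions directory (assumed to sit outside the web root) are assumptions; the key gblauthorized and the redirect target index.php come from the thread.

```php
<?php
// auth.php - include at the very top of every protected page (hypothetical file name).
declare(strict_types=1);

// Assumption: a directory outside the web root, owned by the site user, mode 0700.
const SESSION_DIR = __DIR__ . '/../private_sessions';

function start_private_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('Cannot create session directory');
    }
    session_save_path(SESSION_DIR);      // must be called before session_start()
    session_set_cookie_params([          // array form needs PHP 7.3 or later
        'httponly' => true,              // cookie not readable from JavaScript
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call from the login script only after the password has been verified.
function mark_logged_in(): void
{
    start_private_session();
    session_regenerate_id(true);         // fresh session id once the user is authenticated
    $_SESSION['gblauthorized'] = true;
}

// Pure check on the session data: a missing key counts as not logged in.
function is_authorized(array $session): bool
{
    return ($session['gblauthorized'] ?? false) === true;
}

// Guard for protected pages: redirect and stop before any output is sent.
function require_login(string $redirect = 'index.php'): void
{
    start_private_session();
    if (!is_authorized($_SESSION)) {
        header('Location: ' . $redirect);
        exit;                            // without exit the protected page body still runs
    }
}
```

A protected page then begins with require 'auth.php'; followed by require_login(); before any HTML is written, so a visitor who types the URL directly gets the redirect instead of the page.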
 
