protect my administration pages.

rockkornman
So my question is: can anyone tell me how to protect a page with a password, so that I can manage my news from this page?
rvec
Try sessions.
You can find a lot more info on google, but here's one to start with:
http://www.webpronews.com/topnews/2005/02/14/password-protection-with-php-mysql-and-session-variables
CosmicDisturbance
There's plenty of them out there, just google it... you should also use PHP/MySQL instead of headers because I've always had problems with them.
Aredon
In some ways sessions are risky, as if you rely only on sessions and someone manages to get a hold of the SID they can reach your admin pages. I would suggest adding a whitelist function to your pages with some user id or other user identifier pulled from the database.

You'll want this function in some other module... for our purposes we're going to call it whitelist.php
Code:

<?php
function whitelist_check($userid){
   // List any user_id you want to have admin powers in the array below (separated by commas.)
   $whitelist = array(2, 5, 73);
   // Check the given userid against the whitelist; cast to int so a numeric
   // string from the database ("2") matches the integer entries above.
   return in_array((int) $userid, $whitelist, true);
}
?>


Then you'll want to shove this before any content you want to be admin only (as after the function everything else will be cut if admin==false)

Code:

<?php
include_once 'modules/whitelist.php'; // change to the path of your module.
// $userid must come from your login system (e.g. the session), never from
// the request, or anyone could pick their own id.
if(!whitelist_check($userid)){
   echo "Error: you cannot access this page<br>";
   echo "<a href=\"INSERT BACK LINK\" title=\"back\">Back</a>";
   echo "</body></html>"; // insert additional closing tags as needed - but I'm presuming here that you placed the function in the body of the page.
   exit;
}
?>

You will of course want to edit the link to send people back to where you want them. This trick works quite well if you add sessions into it. However, I'm not entirely familiar with sessions yet so I won't comment. (Theoretically you could add a session check to the whitelist function as well, just to be absolutely certain.)

Also, this is running under the assumption that you have a login system with the global variable "$userid" set. If not, you'll have to add a query to check the userid from the database and such...

It is also possible to make the whitelist array a query from the database, so that you could set who you wanted to have admin powers from a form or something, store it to the database, call it, check it, etc.
rvec
That's one useless function. If someone gets a SID with that system they'll be logged in just like without that system.
Aredon
rvec wrote:
That's one useless function. If someone gets a SID with that system they'll be logged in just like without that system.
Please explain in more detail.

With just a session I only have to get the session ID and I'm in.
With session and a userid check you can add any number of checks:
- Require cookied login information generated by the login script
- Check the login information against the database
- Get a userid based on login information (you could also check usernames if you don't have userids set up with your login system)
- THEN require a correct session.

With this method, to break in I must have spoofed cookies with correct login information (sha1 of course), and the correct session. Which... if they have the login information they're basically in anyway and wouldn't need to go to the trouble.

I suppose I fail to see how it is useless, but you're welcome to let me know. I'm always ready to revise my methods.
rvec
It's nearly impossible to guess a SID, so if a hacker can get a SID he can probably also get a cookie.

Quote:
Require cookied login information generated by the login script

So you want to use cookies and sessions :S

Quote:
Check the login information against the database

You should always do this.

Just store the userid, IP, username and browser in a session. If the IP or browser changes, there's something wrong. That's about the only security you can use.

To check if a user is an admin you shouldn't hardcode some userid, better to make a special column for that in the usertable (or a whole new table if you want to work with more than admin/not-admin).
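As an added example (not code from this thread or from any of its posters), here is how Aredon's per-user admin check and rvec's advice above fit together in one guard: the login script stores the user id, username, role and a fingerprint of the browser in the session, the role comes from an `is_admin` column on the users table rather than a hardcoded whitelist, and every admin page calls a single `require_admin()` function. The `users` table layout, the `admin_guard.php` and `/login.php` names, the idle limit and the use of PDO with `password_verify()` are all assumptions made for this example.

```php
<?php
// admin_guard.php (assumed file name). Added example, not from the thread.
// Assumes a `users` table with columns id, username, password_hash, is_admin.

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before re-login (assumed)

function client_fingerprint(): string
{
    // Bind the session to the browser (rvec's "browser" check). The IP is
    // deliberately left out: mobile and proxied users change IPs legitimately,
    // so an IP check would log real users out; add it if your users are static.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    $https = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'httponly' => true,   // script on the page cannot read the SID cookie
        'secure'   => $https, // send the SID only over HTTPS when we have it
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Called by login.php once the form has been submitted. Returns true on success.
function establish_login(PDO $db, string $username, string $password): bool
{
    start_secure_session();
    $stmt = $db->prepare('SELECT id, username, password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh SID on login: defeats session fixation
    $_SESSION['user_id']     = (int) $user['id'];
    $_SESSION['username']    = $user['username'];
    $_SESSION['is_admin']    = (bool) $user['is_admin']; // role from the DB column, not a hardcoded list
    $_SESSION['fingerprint'] = client_fingerprint();
    $_SESSION['last_seen']   = time();
    return true;
}

// Include at the top of every admin page, before any output is sent.
function require_admin(string $login_url = '/login.php'): void
{
    start_secure_session();
    $valid = isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])
        && hash_equals($_SESSION['fingerprint'], client_fingerprint())
        && (time() - $_SESSION['last_seen']) <= SESSION_IDLE_LIMIT;
    if (!$valid) {
        // No login, a SID replayed from a different browser, or idle too long: drop the session.
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
    if (empty($_SESSION['is_admin'])) {
        // Logged in, but not an admin: refuse the page rather than redirecting.
        http_response_code(403);
        echo 'Error: you cannot access this page';
        exit;
    }
}
```

Each admin page then starts with `require_once 'admin_guard.php'; require_admin();`. The `is_admin` flag is read from the database at login time, so demoting an admin only takes effect at their next login; re-query the column inside `require_admin()` if you need the change to apply to sessions that are already open.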
Frihost Forum Index -> Scripting -> PHP and MySQL
© 2005-2011 Frihost, forums powered by phpBB.