PHP Server Side Scripting Forum

    
How to block direct access to certain pages
impact




msg:4111811
 4:13 am on Apr 8, 2010 (gmt 0)

Hello,

I have a few pages on my site to which I want to block direct access. For example, a visitor can only go to the login page [login.php] when he has submitted the form available on the index page [index.php].

I have two types of user on my site. In index.php I ask the user to select the type of user they want to be.

To do this, when the form is submitted on the index page, I am adding the session value to the URL. In the login page I am checking the session value from the URL against the current session value.

< INDEX.php page >

# Get current session values
session_start();
$session = session_id();

if($radiobutton == 'c'){
header("Location:http://account.domain.com/signup?session=$session&user=c");
exit();
}else if ($radiobutton == 'o'){
header("Location:http://account.domain.com/signup?session=$session&user=o");
exit();
}else{
header('Location:http://account.domain.com');
exit();
}


< LOGIN.php >

session_start(); // Start session

$user = $_REQUEST['user']; // Get user type
$session = $_REQUEST['session'];// Get session value

$current_session = session_id();// Get current session value

if (!$current_session = $session){
header("Location:http://account.domain.com");
exit();
}



Is there any better way to prevent a user from landing on the second page without having been on the first page?


Thank you.

 

Matthew1980




msg:4111867
 7:32 am on Apr 8, 2010 (gmt 0)

Hi there impact,

Just a quick note really, this:-

if (!$current_session = $session){

You're just assigning the value there (=), you're not evaluating it, i.e.:-

if ($current_session != $session){

That compares, and if not equal, the first part of the clause is true.

I assume that elsewhere in the script you are assigning the $_POST/$_GET and not using registered globals?

Cheers,
MRb

jatar_k




msg:4112422
 3:33 pm on Apr 8, 2010 (gmt 0)

let's cover one quickie

don't use $_REQUEST, test $_POST or $_GET, be specific about what you are testing, if something could come in both ways then test both explicitly instead of reverting to $_REQUEST, that includes a lot more than you think.

the login.php kinda makes my head implode, partially because of the REQUEST instead of GET but also if this works, which it actually might, I really don't think it is doing what you meant it to.

are you just trying to ensure they choose one of the types? if so then the session id really doesn't matter, drop the thought but you can put the selected value into the actual session and then test for it on the following page

session_start();
$_SESSION['usertype'] = $radiobutton;
header('Location:http://account.domain.com');
die;

then on the next page

session_start();
// not set, or set to something other than 'o' or 'c'
if (!isset($_SESSION['usertype']) || ($_SESSION['usertype'] != 'o' && $_SESSION['usertype'] != 'c')) {
// send them away, they haven't selected yet
} else {
// show them the proper content here
}

that's pretty much it
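
An added example, not part of the original posts: the approach from the reply above (keep the selected user type in the session and test it on the next page), written as two functions with an allow-list check. The function names and the `usertype` form field are assumptions; the session id never goes into the URL.

```php
<?php
// Added example, not code from the thread. Function names and the
// 'usertype' form field are assumptions made for illustration.
const ALLOWED_USER_TYPES = ['c', 'o'];

// index.php side: accept the radio value only if it is on the allow-list,
// then keep it server-side in the session instead of in the URL.
function record_user_type(array $post, array &$session): bool
{
    $choice = $post['usertype'] ?? null;
    if (!is_string($choice) || !in_array($choice, ALLOWED_USER_TYPES, true)) {
        unset($session['usertype']);   // a bad submission clears any old choice
        return false;
    }
    $session['usertype'] = $choice;
    return true;
}

// login.php side: the page is reachable only when the session already
// holds a valid choice; nothing from $_GET or $_REQUEST is consulted.
function may_view_login(array $session): bool
{
    return isset($session['usertype'])
        && in_array($session['usertype'], ALLOWED_USER_TYPES, true);
}

// In the real pages, call session_start() and pass $_POST / $_SESSION, e.g.
//   if (!may_view_login($_SESSION)) {
//       header('Location: http://account.domain.com'); exit;
//   }

// Constructed sample submissions, run from the CLI with arrays standing in
// for $_POST and $_SESSION.
$samples = [
    'direct visit, no form'   => [],
    'chose type c'            => ['usertype' => 'c'],
    'tampered value'          => ['usertype' => 'admin'],
    'array instead of string' => ['usertype' => ['c']],
];
foreach ($samples as $label => $post) {
    $session = [];                      // fresh session per visitor
    record_user_type($post, $session);
    printf("%-24s => %s\n", $label, may_view_login($session) ? 'show login' : 'redirect');
}
```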

impact




msg:4112835
 8:50 am on Apr 9, 2010 (gmt 0)

Thank you.
