
PHP Server Side Scripting Forum

    
How to block direct access to certain pages
impact

5+ Year Member



 
Msg#: 4111809 posted 4:13 am on Apr 8, 2010 (gmt 0)

Hello,

I have a few pages on my site to which I want to block direct access. For example, a visitor can only go to the login page [login.php] when he has submitted the form available on the index page [index.php].

I have two types of users on my site. In index.php I ask the user to select the type of user they want to be.

To do this, when the form is submitted on the index page, I am adding the session value to the URL. In the login page I am checking the session value from the URL against the current session value.

< INDEX.php page >

# Get current session values
session_start();
$session = session_id();

if($radiobutton == 'c'){
header("Location:http://account.domain.com/signup?session=$session&user=c");
exit();
}else if ($radiobutton == 'o'){
header("Location:http://account.domain.com/signup?session=$session&user=o");
exit();
}else{
header('Location:http://account.domain.com');
exit();
}


< LOGIN.php >

session_start(); // Start session

$user = $_REQUEST['user']; // Get user type
$session = $_REQUEST['session'];// Get session value

$current_session = session_id();// Get current session value

if (!$current_session = $session){
header("Location:http://account.domain.com");
exit();
}



Is there any other, better way to prevent a user landing on the second page without having been on the first page?


Thank you.

 

Matthew1980

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4111809 posted 7:32 am on Apr 8, 2010 (gmt 0)

Hi there impact,

Just a quick note really, this:-

if (!$current_session = $session){

You're just assigning the value there (=), you're not evaluating it, i.e.:-

if ($current_session != $session){

That compares, and if not equal, the first part of the clause is true.

I assume that elsewhere in the script, you are assigning the $_POST/$_GET and not using registered globals ?

Cheers,
MRb

jatar_k

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4111809 posted 3:33 pm on Apr 8, 2010 (gmt 0)

let's cover one quickie

don't use $_REQUEST, test $_POST or $_GET, be specific about what you are testing, if something could come in both ways then test both explicitly instead of reverting to $_REQUEST, that includes a lot more than you think.

the login.php kinda makes my head implode, partially because of the REQUEST instead of GET but also if this works, which it actually might, I really don't think it is doing what you meant it to.

are you just trying to ensure they choose one of the types? if so then the session id really doesn't matter, drop the thought but you can put the selected value into the actual session and then test for it on the following page

session_start();
$_SESSION['usertype'] = $radiobutton;
header('Location:http://account.domain.com');
die;

then on the next page

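session_start();
// a missing value counts as "not selected"; only 'o' and 'c' are accepted
$usertype = isset($_SESSION['usertype']) ? $_SESSION['usertype'] : '';
if ($usertype != 'o' && $usertype != 'c') {
// send them away, they haven't selected yet
} else {
// show them the proper content here
}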

that's pretty much it
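
The flow described in the post above, as an added example that is not code from any poster: the choice is read from $_POST only, checked against the two allowed values, kept in $_SESSION, and the session id stays out of the URL. The form field name radiobutton (taken from $radiobutton in the first post) and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes the index.php form posts a
// field named "radiobutton" (hypothetical name, from $radiobutton in the first post).

const USER_TYPES = ['c', 'o'];   // the two user types used in the thread

// index.php side: validate the submitted choice, keep it server-side in the
// session, and return the redirect target. The session id never enters the URL,
// so it cannot leak through Referer headers, logs or browser history.
function choose_user_type(array $post, array &$session): string
{
    $choice = isset($post['radiobutton']) ? $post['radiobutton'] : null;
    // is_string() rejects array input such as radiobutton[]=c
    if (!is_string($choice) || !in_array($choice, USER_TYPES, true)) {
        unset($session['usertype']);
        return 'http://account.domain.com';       // no valid choice: back to start
    }
    $session['usertype'] = $choice;
    return 'http://account.domain.com/signup';
}

// Second page: allow it only if the session already holds a valid choice.
function may_view_signup(array $session): bool
{
    return isset($session['usertype'])
        && in_array($session['usertype'], USER_TYPES, true);
}

// Wiring in the real pages (after session_start()):
//   header('Location: ' . choose_user_type($_POST, $_SESSION)); exit;
// and at the top of the second page:
//   if (!may_view_signup($_SESSION)) {
//       header('Location: http://account.domain.com'); exit;
//   }

// Constructed sample inputs so the file also runs from the CLI, no web server.
$session = [];
var_dump(may_view_signup($session));                            // direct visit
echo choose_user_type(['radiobutton' => 'x'], $session), "\n";  // tampered value
echo choose_user_type(['radiobutton' => 'c'], $session), "\n";  // valid choice
var_dump(may_view_signup($session));                            // after the form
```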

impact

5+ Year Member



 
Msg#: 4111809 posted 8:50 am on Apr 9, 2010 (gmt 0)

Thank you.
