
Forum Moderators: coopster & jatar k

How to block direct access to certain pages

   
4:13 am on Apr 8, 2010 (gmt 0)

5+ Year Member



Hello,

I have a few pages on my site to which I want to block direct access. For example, a visitor can only go to the login page [login.php] when he has submitted the form available on the index page [index.php].

I have two types of user on my site. In index.php I ask the user to select the type of user they want to be.

To do this, when the form is submitted on the index page, I am adding the session value to the URL. In the login page I am checking the session value from the URL against the current session value.

< INDEX.php page >

# Get current session values
session_start();
$session = session_id();

if($radiobutton == 'c'){
header("Location:http://account.domain.com/signup?session=$session&user=c");
exit();
}else if ($radiobutton == 'o'){
header("Location:http://account.domain.com/signup?session=$session&user=o");
exit();
}else{
header('Location:http://account.domain.com');
exit();
}


< LOGIN.php >

session_start(); // Start session

$user = $_REQUEST['user']; // Get user type
$session = $_REQUEST['session'];// Get session value

$current_session = session_id();// Get current session value

if (!$current_session = $session){
header("Location:http://account.domain.com");
exit();
}



Is there any better way to prevent a user from landing on the second page without having been on the first page?


Thank you.
7:32 am on Apr 8, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Hi there impact,

Just a quick note really, this:-

if (!$current_session = $session){

You're just assigning the value there (=), you're not evaluating it, i.e.:-

if ($current_session != $session){

That compares, and if they are not equal the first part of the clause is true.

I assume that elsewhere in the script you are assigning the $_POST/$_GET and not using registered globals?

Cheers,
MRb
3:33 pm on Apr 8, 2010 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



let's cover one quickie

don't use $_REQUEST, test $_POST or $_GET, be specific about what you are testing, if something could come in both ways then test both explicitly instead of reverting to $_REQUEST, that includes a lot more than you think.

the login.php kinda makes my head implode, partially because of the REQUEST instead of GET but also if this works, which it actually might, I really don't think it is doing what you meant it to.

are you just trying to ensure they choose one of the types? if so then the session id really doesn't matter, drop the thought but you can put the selected value into the actual session and then test for it on the following page

session_start();
$_SESSION['usertype'] = $radiobutton;
header('Location:http://account.domain.com');
die;

then on the next page

session_start();
if (!isset($_SESSION['usertype']) || ($_SESSION['usertype'] != 'o' && $_SESSION['usertype'] != 'c')) {
// send them away, they haven't selected yet
} else {
// show them the proper content here
}

that's pretty much it
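
An added example, not code from the thread or its posters, of the approach suggested above: the user type is read only from the POSTed form, checked against an allow-list, kept server-side in the session, and the second page reads nothing from the URL. The function names and the `radiobutton` form field name are assumptions; the syntax needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

const ALLOWED_TYPES = ['c', 'o'];   // the two user types used in the thread

// index.php side: accept the choice only from the POSTed form, validate it
// against the allow-list, and store it in the session (never in the URL).
function record_user_type(array $post, array &$session): bool
{
    $choice = $post['radiobutton'] ?? null;   // assumed form field name
    if (!is_string($choice) || !in_array($choice, ALLOWED_TYPES, true)) {
        unset($session['usertype']);          // drop any stale value
        return false;
    }
    $session['usertype'] = $choice;
    return true;
}

// login.php side: return the stored type, or null when the visitor reached
// the page without submitting the form. Missing keys are handled explicitly.
function selected_user_type(array $session): ?string
{
    $type = $session['usertype'] ?? null;
    $valid = is_string($type) && in_array($type, ALLOWED_TYPES, true);
    return $valid ? $type : null;
}

// Wiring in index.php:
//   session_start();
//   $ok = record_user_type($_POST, $_SESSION);
//   header('Location: http://account.domain.com' . ($ok ? '/signup' : ''));
//   exit;
// Wiring in login.php:
//   session_start();
//   if (selected_user_type($_SESSION) === null) {
//       header('Location: http://account.domain.com');
//       exit;
//   }

// Constructed demonstration, runnable from the CLI without a web server.
if (PHP_SAPI === 'cli') {
    $session = [];
    var_dump(selected_user_type($session));                        // direct visit
    var_dump(record_user_type(['radiobutton' => 'x'], $session));  // bad value
    var_dump(record_user_type(['radiobutton' => 'c'], $session));  // valid choice
    var_dump(selected_user_type($session));                        // after the form
}
```

Keeping the session ID out of the query string also keeps it out of server logs, browser history and Referer headers.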
8:50 am on Apr 9, 2010 (gmt 0)

5+ Year Member



Thank you.
 
