Oranje

Reputation: 67

How to prevent illegal access to a PHP web page?

I have a problem regarding access in my web pages. At login it can already distinguish whether the user is an admin or not. The admin has a different page from an ordinary user.

My problem is if the user changes the address in the address bar, for example:

home.php -> ordinary user
home_admin.php -> administrator 

An ordinary user can also access home_admin.php if they change the address in the address bar. All my pages are using sessions.

Any suggestion how I can solve my problem?

TIA

Upvotes: 0

Views: 1596

Answers (5)

ismnoiet

Reputation: 4159

A simple solution is to add an attribute in the user table, for example user_type, that can take 0 if the user is an ordinary one and 1 if it is the administrator.

Then, when you get the user information (once he is logged in), you can verify whether he is an ordinary user or an administrator.

For example, let's store this in a session variable; $userinfo is the data retrieved from the database:

$_SESSION['user_type'] = $userinfo['user_type'];

And in both home.php and home_admin.php put this simple test to redirect the user to the appropriate page:

session_start();
// Put this on both pages, but only redirect when the user is on the wrong one;
// otherwise an admin loading home_admin.php would be redirected to itself forever.
$current = basename($_SERVER['SCRIPT_NAME']);
if (($_SESSION['user_type'] ?? 0) == 0 && $current !== 'home.php') {
    // redirect to the home page cause this is a simple user
    header('Location: home.php');
    exit(); // stop here so the rest of the page is not sent along with the redirect
} else if (($_SESSION['user_type'] ?? 0) == 1 && $current !== 'home_admin.php') {
    // redirect to the home_admin cause this is an admin
    header('Location: home_admin.php');
    exit();
}

Upvotes: 0

v2solutions.com

Reputation: 1439

In PHP you can check, for a logged-in user, whether the user has access to the page using sessions or roles.

Using sessions:

session_start();
if (isset($_SESSION['role']) && $_SESSION['role'] == 'admin') {
    // access to admin page
} else {
    // redirect to home page, then stop so the admin content below is never sent
    header('Location: home.php');
    exit();
}

Assign a role to each user and save a map of this in your database. When a user is logged in, you probably have to check the role id for that particular user and redirect to the destination page, making sure you have set permissions for each of your modules user-wise.

If the user is other than admin, for example, then if he changes the address in the URL, redirect him to your home page by default or give a message "Access Denied". On every request you need to check whether the user has access to the page or not.

Upvotes: 0

Basit

Reputation: 1840

If you're using sessions, you can achieve that via the following flow:

  1. When logging a user in, store whether a user is admin or not. You can do that by $_SESSION['admin'] = FALSE (or TRUE if a user is an admin). You don't have to use the exact syntax as I did. But something like that, something that identifies a user as either an admin or a normal user.
  2. If a user is an admin, i.e. $_SESSION['admin'] = TRUE, allow them into home_admin.php. You can do that by adding the following code block in your home_admin.php file:

    session_start();
    if (empty($_SESSION['admin'])) {   // FALSE or not set at all: not an admin
        header('Location: home.php');
        exit();                         // stop so the admin page below is not sent
    }
    // Rest of your page.

PS: make sure you add the code in point 2 at the top of your page, before rendering any HTML or calling any PHP code.

Hope it answers your question.

Upvotes: 0

xyNNN

Reputation: 492

You have to save the current state of access rights in your session. After that you can make a condition and, if he does not have enough rights to retrieve the content of the page, redirect him to another site.

Like this example:

<?php
session_start();

if (!isset($_SESSION['user_role']) || $_SESSION['user_role'] !== 'administrator') {
    // redirect him, then stop so nothing below this line is sent
    header('Location: home.php');
    exit();
}

?>

Upvotes: 0

Quentin

Reputation: 943630

You can't stop people asking for things. You have to authenticate and authorise them before giving them what they ask for.

The admin PHP program must:

  1. Check that a session exists
  2. Use the session data to check that a user is logged in
  3. Use the session data to check that that user is an admin user

… and if any of those is not true, it should return an error message instead of the admin content.

Upvotes: 1
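The three checks above, as a reusable guard include. This is an added example, not code from any of the answers; it assumes the login script sets $_SESSION['user_id'] and $_SESSION['role'] ('admin' or 'user') server-side after a successful password check, and the file name auth_guard.php is made up.

```php
<?php
// auth_guard.php: added example, not from the answers above.
// Assumed session layout (set by the login script, never taken from the
// request): $_SESSION['user_id'] and $_SESSION['role'] ('admin' or 'user').

declare(strict_types=1);

/**
 * Return true only when a session exists, a user is logged in, and that
 * user's role is 'admin'. Pure function of the session array, so it can be
 * unit-tested without a real session.
 */
function is_admin_session(array $session): bool
{
    // checks 1 and 2: no session data at all, or no logged-in user
    if (empty($session['user_id'])) {
        return false;
    }
    // check 3: strict comparison, so 0, '' or null never pass as 'admin'
    return ($session['role'] ?? null) === 'admin';
}

/**
 * Call at the very top of home_admin.php before any output. On failure it
 * answers 403 and stops the script, so the admin HTML is never sent; a
 * header('Location: ...') without exit() would still send it.
 */
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_admin_session($_SESSION)) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo 'Access denied';
        exit();
    }
}

// Usage in home_admin.php, as the first lines of the file:
//   require __DIR__ . '/auth_guard.php';
//   require_admin();
```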
