Restrict access to admin pages

[vineet]

hi

i am working on admin section which has a login page with login id and pasword form.
in my admin section i have many pages say like manage_products.php, description.php, user.php etc.

if i have to access the manage_products.php page then i can access it just typing like the link below

http://localhost/vineet/admin/manage_products.php

without entering login user and pasword.

i want to restrict the access of this page through admin panel only. No one should able to access any of the page by typing the url directly. how is it possible.

vineet

[JasonDFR]

Hi,

You could do a couple of things.

First, you could use an .htaccess file to limit access to the entire directory.

Create a .txt file and insert the following code:

Code:

AuthName "My Website"
AuthType Basic
AuthUserFile "C:\xampp\safedirectory\mysite.users"
require valid-user
<Files .htaccess>
order allow,deny
deny from all
</Files>

Name this file .htaccess and place it in the directory you want to protect.

Next, create another .txt file, I called this one "mysite.users" and type in the following:

Code:

username:password

Place the "mysite.users" file in the "safedirectory" referenced in the .htaccess file you created in the first step.

The safe directory should be one level above your public web root. So in your case you could put the "mysite.users" file in a folder above your localhost root. Maybe in the same directory that holds "htdocs" if you are using Apache.

Now when you attempt to access any file in the directory that holds .htaccess, you will be prompted to supply a username and password. Use the username and password combination that you put in your "mysite.users" file.

The second way would be to use php $_SESSION variables and some code to check and see if the person trying to access the pages in that directory has the authority to do so.

In this case, set something like:

Code:

$_SESSION['ADMIN_ACCESS'] = true;

when the authorized user logs in. Then in everypage inside your /admin/ directory (or any other page you want to restrict access to) you'll put:

Code:

<?php session_start();
if ( isset($_SESSION['ADMIN_ACCESS']) ) {
     if ( $_SESSION['ADMIN_ACCESS'] === true ) {

        Protected content here.

     } else {

        exit("You aren't allowed");

     }

} else {

   exit("You aren't allowed");

}
?>

I am very interested in this subject too, so if anyone else has any ideas, or ways to improve what I suggested, I would love to hear them.

Good Luck!

JasonDFR

[vineet]

Hi,

You could do a couple of things.

First, you could use an .htaccess file to limit access to the entire directory.

Create a .txt file and insert the following code:

Code:

AuthName "My Website"
AuthType Basic
AuthUserFile "C:\xampp\safedirectory\mysite.users"
require valid-user
<Files .htaccess>
order allow,deny
deny from all
</Files>

Name this file .htaccess and place it in the directory you want to protect.

Next, create another .txt file, I called this one "mysite.users" and type in the following:

Code:

username:password

Place the "mysite.users" file in the "safedirectory" referenced in the .htaccess file you created in the first step.

The safe directory should be one level above your public web root. So in your case you could put the "mysite.users" file in a folder above your localhost root. Maybe in the same directory that holds "htdocs" if you are using Apache.

Now when you attempt to access any file in the directory that holds .htaccess, you will be prompted to supply a username and password. Use the username and password combination that you put in your "mysite.users" file.

The second way would be to use php $_SESSION variables and some code to check and see if the person trying to access the pages in that directory has the authority to do so.

In this case, set something like:

Code:

$_SESSION['ADMIN_ACCESS'] = true;

when the authorized user logs in. Then in everypage inside your /admin/ directory (or any other page you want to restrict access to) you'll put:

Code:

<?php session_start();
if ( isset($_SESSION['ADMIN_ACCESS']) ) {
     if ( $_SESSION['ADMIN_ACCESS'] === true ) {

        Protected content here.

     } else {

        exit("You aren't allowed");

     }

} else {

   exit("You aren't allowed");

}
?>

I am very interested in this subject too, so if anyone else has any ideas, or ways to improve what I suggested, I would love to hear them.

Good Luck!

JasonDFR

hi jason

thanks for the reply. i would like to clear my doubts

i will put the code in every admin page

Code:

<?
if ( isset($_SESSION['ADMIN_ACCESS']) ) {
     if ( $_SESSION['ADMIN_ACCESS'] === true ) {

        Protected content here.

     } else {

        exit("You aren't allowed");

     }

} else {

   exit("You aren't allowed");

}

This is my config.php that is included in every page in which i have started session

Code:

$conn=mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("gadgets",$conn);

session_start();

so what will come in index.php that is my login page. Because i used you code but nothing happens. I think i m missing something. please help

and in this ($_SESSION['ADMIN_ACCESS']) what is admin_access. it is table name or what. please clear. i m new to it.

vineet

[JasonDFR]

$_SESSION['ADMIN_ACCESS'] = true; is just setting the variable ADMIN_ACCESS to true. $_SESSION[''] variables are just like any other variable, '$username' for example, except you can user them anywhere you have started a session ( session_start() ).

You said you have a login id and password form.

So send the information from your login form to a script something like:

Code:

session_start(); // Always put this at the top of your pages whenever you want to user $_SESSION variables

if ( $_POST['login_id'] == "A real login id" && $_POST['pass_word'] == "The matching password" ) {

$_SESSION['ADMIN_ACCESS'] = true; // This variable is now available on everypage where session_start(); is at the top.

} else {

exit("No Access");

}

The above code is a very very basic. You probably want to store your passwords and login ids in a database.

The link below looks like a decent tutorial. There are others as well. Search Google for "PHP login tutorial".

http://www.trap17.com/index.php/php-...ial_t7887.html

And if you need information about submiting information from forms to php scripts, there are a ton of tutorials online for that too.

Good luck.

[vineet]

$_SESSION['ADMIN_ACCESS'] = true; is just setting the variable ADMIN_ACCESS to true. $_SESSION[''] variables are just like any other variable, '$username' for example, except you can user them anywhere you have started a session ( session_start() ).

You said you have a login id and password form.

So send the information from your login form to a script something like:

Code:

session_start(); // Always put this at the top of your pages whenever you want to user $_SESSION variables

if ( $_POST['login_id'] == "A real login id" && $_POST['pass_word'] == "The matching password" ) {

$_SESSION['ADMIN_ACCESS'] = true; // This variable is now available on everypage where session_start(); is at the top.

} else {

exit("No Access");

}

The above code is a very very basic. You probably want to store your passwords and login ids in a database.

The link below looks like a decent tutorial. There are others as well. Search Google for "PHP login tutorial".

http://www.trap17.com/index.php/php-...ial_t7887.html

And if you need information about submiting information from forms to php scripts, there are a ton of tutorials online for that too.

Good luck.

hi JASON

Thanks a lot. its working perfect as needed.

vineet