Thread: Restrict access to admin pages

  1. #1

    Hi,

    I am working on an admin section which has a login page with a login ID and password form.
    In my admin section I have many pages, like manage_products.php, description.php, user.php etc.

    If I have to access the manage_products.php page, then I can access it just by typing a link like the one below

    http://localhost/vineet/admin/manage_products.php

    without entering the login user and password.

    I want to restrict access to this page to the admin panel only. No one should be able to access any of the pages by typing the URL directly. How is it possible?

    vineet

  2. #2

    Hi,

    You could do a couple of things.

    First, you could use an .htaccess file to limit access to the entire directory.

    Create a .txt file and insert the following code:

    Code:
    AuthName "My Website"
    AuthType Basic
    AuthUserFile "C:\xampp\safedirectory\mysite.users"
    require valid-user
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    Name this file .htaccess and place it in the directory you want to protect.

    Next, create another .txt file, I called this one "mysite.users" and type in the following:

    Code:
    username:password
    Place the "mysite.users" file in the "safedirectory" referenced in the .htaccess file you created in the first step.

    The safe directory should be one level above your public web root. So in your case you could put the "mysite.users" file in a folder above your localhost root. Maybe in the same directory that holds "htdocs" if you are using Apache.

    Now when you attempt to access any file in the directory that holds .htaccess, you will be prompted to supply a username and password. Use the username and password combination that you put in your "mysite.users" file.

    The second way would be to use PHP $_SESSION variables and some code to check and see if the person trying to access the pages in that directory has the authority to do so.

    In this case, set something like:
    Code:
    $_SESSION['ADMIN_ACCESS'] = true;
    when the authorized user logs in. Then in every page inside your /admin/ directory (or any other page you want to restrict access to) you'll put:
    Code:
    <?php
    session_start(); // must run before any output is sent

    // Allow access only when the login script has set the flag to boolean true.
    if ( isset($_SESSION['ADMIN_ACCESS']) ) {
         if ( $_SESSION['ADMIN_ACCESS'] === true ) {

            // Protected content here.

         } else {

            exit("You aren't allowed");

         }

    } else {

       exit("You aren't allowed");

    }
    ?>
    I am very interested in this subject too, so if anyone else has any ideas, or ways to improve what I suggested, I would love to hear them.

    Good Luck!

    JasonDFR

  3. #3

    Hi Jason,

    Thanks for the reply. I would like to clear my doubts.

    I will put the code in every admin page:

    Code:
    <?
    if ( isset($_SESSION['ADMIN_ACCESS']) ) {
         if ( $_SESSION['ADMIN_ACCESS'] === true ) {
    
            // Protected content here.
    
         } else {
    
            exit("You aren't allowed");
    
         }
    
    } else {
    
       exit("You aren't allowed");
    
    }
    This is my config.php, which is included in every page and in which I have started the session:
    Code:
    $conn=mysql_connect("localhost","root","") or die(mysql_error());
    mysql_select_db("gadgets",$conn);
    
    session_start();
    So what will come in index.php, that is my login page? Because I used your code but nothing happens. I think I'm missing something. Please help.

    And in this ($_SESSION['ADMIN_ACCESS']), what is admin_access? Is it a table name or what? Please clear. I'm new to it.

    vineet

  4. #4

    $_SESSION['ADMIN_ACCESS'] = true; is just setting the variable ADMIN_ACCESS to true. $_SESSION[''] variables are just like any other variable, '$username' for example, except you can use them anywhere you have started a session ( session_start() ).

    You said you have a login id and password form.

    So send the information from your login form to a script something like:

    Code:
    session_start(); // Always put this at the top of your pages whenever you want to use $_SESSION variables

    // isset() avoids undefined-index notices when the form fields are missing;
    // === compares the strings strictly, without PHP's loose type juggling.
    if ( isset($_POST['login_id'], $_POST['pass_word'])
         && $_POST['login_id'] === "A real login id"
         && $_POST['pass_word'] === "The matching password" ) {

        $_SESSION['ADMIN_ACCESS'] = true; // This variable is now available on every page where session_start(); is at the top.

    } else {

        exit("No Access");

    }
    The above code is very, very basic. You probably want to store your passwords and login ids in a database.

    The link below looks like a decent tutorial. There are others as well. Search Google for "PHP login tutorial".

    http://www.trap17.com/index.php/php-...ial_t7887.html

    And if you need information about submitting information from forms to PHP scripts, there are a ton of tutorials online for that too.

    Good luck.
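
    An added example, not part of the original posts: the login step and the per-page check from this thread gathered into one include file, with the password checked against a stored hash instead of a literal string. The function names, the file name admin_auth.php and the sample user record are assumptions made for illustration.

```php
<?php
// admin_auth.php (hypothetical file name). Added example, not code from the thread.

// Constructed stand-in for a database lookup: store a hash, never the password.
function find_admin_hash(string $loginId): ?string {
    static $users = null;
    if ($users === null) {
        // Constructed sample record; a real site would read the hash from its user table.
        $users = ['admin' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
    }
    return $users[$loginId] ?? null;
}

// Login step: verify the posted form fields, then mark the session as admin.
function admin_login(array $post): bool {
    $loginId  = isset($post['login_id']) && is_string($post['login_id']) ? $post['login_id'] : '';
    $password = isset($post['pass_word']) && is_string($post['pass_word']) ? $post['pass_word'] : '';

    $hash = find_admin_hash($loginId);
    if ($hash === null || !password_verify($password, $hash)) {
        return false; // unknown login id or wrong password
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a fresh session ID once the user is authenticated
    }
    $_SESSION['ADMIN_ACCESS'] = true;
    return true;
}

// The check itself, kept separate so it can be exercised without a live session.
function is_admin(array $session): bool {
    return isset($session['ADMIN_ACCESS']) && $session['ADMIN_ACCESS'] === true;
}

// Guard: call before any output in manage_products.php, user.php, etc.
function require_admin(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_admin($_SESSION)) {
        http_response_code(403); // direct URL access without a login ends here
        exit("You aren't allowed");
    }
}
```

    Each admin page would then start with a require of this file followed by require_admin();, and the login form's target script would call admin_login($_POST) after session_start().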

  5. #5


    Hi Jason,

    Thanks a lot. It's working perfectly as needed.

    vineet
