On my website, I've got a login.php file so that I can secure my admin dashboard. It may not be the most secure, because I'm just comparing two hashes, but I'd like to know how to secure my other PHP files. As of right now, the PHP files are only run through the admin dashboard, and those pages have a "require login.php" function at the top. However, the PHP files that are run by those pages don't have any sort of locking. Should I require the login.php file in those files as well, or should I not worry about them?
Viewed 102 times
0
-
Put them outside the public webroot, so nobody can access them directly! – deceze Jan 13 '15 at 12:52
-
Sounds like you could take a look at the [front controller pattern](http://stackoverflow.com/a/6890319/3492835). As @deceze states, you could put all your php files outside your document root. Make the front controller the only accessible script in the document root, check there for a valid login and if authenticated include the correct php script from your front controller. – Sander Toonen Jan 13 '15 at 12:57
-
I answered a similar question a while back it might help you. [How to secure a php file.](http://stackoverflow.com/questions/27804184/how-to-secure-a-php-file/27804843#27804843) – Rimble Jan 13 '15 at 13:28
-
possible duplicate of [What is a Front Controller and how is it implemented in PHP?](http://stackoverflow.com/questions/6890200/what-is-a-front-controller-and-how-is-it-implemented-in-php) – kumarharsh Jan 13 '15 at 13:42
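The front controller pattern the comments point to, as an added example (not code from the linked answers or the asker's site). It assumes a layout in which `index.php` is the only PHP file under the document root and the real scripts live in `/var/www/app/pages/`, outside it; the `page` query parameter and the `specialToken` session key are assumed names:

```php
<?php
// index.php -- the only PHP file inside the public webroot (added example).
// Assumed layout:  /var/www/public/index.php   (this file, reachable by URL)
//                  /var/www/app/pages/*.php    (real scripts, NOT reachable by URL)

session_start();

// Fixed whitelist of page names -> files. A request for anything not listed is a 404,
// so "../" tricks or guessed file names never reach require().
$routes = [
    'home'      => ['file' => 'home.php',      'admin' => false],
    'login'     => ['file' => 'login.php',     'admin' => false],
    'dashboard' => ['file' => 'dashboard.php', 'admin' => true],
    'update'    => ['file' => 'update.php',    'admin' => true],
];

$page = $_GET['page'] ?? 'home';
if (!isset($routes[$page])) {
    http_response_code(404);
    exit('Not found');
}

// One login check in one place: every admin-only script is protected even if
// its author forgot to add a check at the top of the file.
$isAdmin = !empty($_SESSION['specialToken']);   // set only by the login page
if ($routes[$page]['admin'] && !$isAdmin) {
    header('Location: /index.php?page=login', true, 302);
    exit;   // header() does not stop execution; without exit the script would still run
}

require dirname(__DIR__) . '/app/pages/' . $routes[$page]['file'];
```

With this layout a direct request such as `/update.php` cannot hit the script at all, because the web server only serves files under `public/`; the only way to reach `update.php` is through the whitelist and the login check above it.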
1 Answer
1
You can simply use the `$_SESSION` global variable since those other pages are only available from your dashboard, meaning anyone that does not login through your admin page will not have the required session token set. Then you can simply check for the presence of such token on those pages you want secured.

More about PHP sessions here.

– Damilola Olowookere
-
What I'm worried about though is if someone can access those files from somewhere else on the website and modify my databases. – xSpartanCx Jan 13 '15 at 13:32
-
Make sure that you have a 'special' `$_SESSION` variable that can only be set via your logon page (your admin page). In those other PHP files that you want secured, simply check if `isset($_SESSION['specialToken'])` and then throw such traffic away (to maybe your homepage) if that session token is not set. You then simply ensure that the token will only be set on your admin page only when such traffic is validated. – Damilola Olowookere Jan 13 '15 at 15:18
-
Okay, this is what I was thinking of; I have the `SESSION` checker in the HTML pages but not in the PHP files that they call, so I'll add it to the PHP files. – xSpartanCx Jan 13 '15 at 16:37
-
Well, I don't suppose that you can set PHP session variables in HTML pages, except of course if you have configured PHP to also parse HTML files (which is not cool). But I believe you get the whole picture and how handy PHP sessions are in your particular scenario. – Damilola Olowookere Jan 14 '15 at 00:22
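The session-token check from the answer and its comments, written out as an added example (not the answer's own code or the asker's login.php). It puts the logic in one `auth.php` so that every PHP file the dashboard calls can `require` it and call `require_admin()` as its first statement; the file names, the `specialToken` key and `password_verify()` in place of whatever hash comparison the asker's login.php does are assumptions:

```php
<?php
// auth.php -- added example. Assumed file names: auth.php, login.php,
// /admin/dashboard.php, /index.php (the homepage the answer suggests redirecting to).

// Start (or resume) the session with cookie flags that keep the session id
// away from scripts and off plain HTTP.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,   // cookie not readable by JavaScript
        'secure'   => true,   // assumption: the dashboard is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call at the top of EVERY script that must only run for a logged-in admin:
// the dashboard pages AND the PHP files those pages call via forms or AJAX.
function require_admin(string $redirectTo = '/index.php'): void
{
    start_secure_session();
    // 'specialToken' is the session key from the answer's comments;
    // only grant_admin_session() below ever sets it.
    if (empty($_SESSION['specialToken'])) {
        header('Location: ' . $redirectTo, true, 302);
        // header() alone does not stop the script. Without exit, the database
        // code after the require would still execute for an anonymous visitor.
        exit;
    }
}

// Compare submitted credentials with the stored ones. password_verify() is the
// standard PHP check for hashes made with password_hash(); hash_equals() keeps
// the username comparison constant-time as well.
function verify_admin_credentials(string $user, string $password, string $expectedUser, string $storedHash): bool
{
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($password, $storedHash);
    return $userOk && $passOk;
}

// Called by login.php only after verify_admin_credentials() returned true.
function grant_admin_session(): void
{
    start_secure_session();
    session_regenerate_id(true);     // fresh session id on privilege change (session fixation)
    $_SESSION['specialToken'] = true;
}

function logout_admin(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
}

/*
Usage (assumed layout):

login.php:
    require __DIR__ . '/auth.php';
    $storedHash = '<bcrypt hash created once with password_hash($pw, PASSWORD_DEFAULT)>';
    if (verify_admin_credentials($_POST['user'] ?? '', $_POST['pass'] ?? '', 'admin', $storedHash)) {
        grant_admin_session();
        header('Location: /admin/dashboard.php', true, 302);
        exit;
    }

admin/update_record.php (one of the PHP files the dashboard pages call):
    require __DIR__ . '/../auth.php';
    require_admin();
    // everything below runs only for an authenticated admin
*/
```

The point of the `exit` after the redirect is the check a practitioner most often finds missing: a script that only sends a `Location` header keeps running, so the database update at the bottom of the file happens anyway. Requiring `auth.php` in the called scripts, not just in the dashboard pages, is what closes the gap the asker describes.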