
I'm wondering what the most efficient way is of preventing people from accessing my admin page through direct links. What I'm currently doing is: when the user logs in, a session variable is set, and on the page it checks whether it's set or not.

This is passed on logon:

$_SESSION['lo'] = 1;

This checks the session on admin page:

session_start();
if (!isset($_SESSION['lo'])) {
    header("Location: ./login.php");
    exit; // stop here, otherwise the admin page is still rendered after the redirect header
}

Is this the most efficient way? Are there other ways? I can imagine that you can somehow misuse this session to gain unauthorised access, which is what I want to prevent.

vaxzz
  • possible duplicate http://stackoverflow.com/questions/2848134/what-are-best-practices-for-securing-the-admin-section-of-a-website – Muhammed Imran Hussain Nov 15 '16 at 09:57
  • This is a good enough guard. – Dhaval Chheda Nov 15 '16 at 09:57
  • with some hash; when the user enters with this hash, automatically disable it – ZiTAL Nov 15 '16 at 09:57
  • Well, basically you can't create a PHP session by yourself outside of the PHP ini hosted on the server, nor can you access it without using a script on the same server! Maybe I'm wrong :p – Sinf Nov 15 '16 at 09:57
  • Then your question should be "how to prevent session hijacking attacks?". However, what you did is what I do to authorize access. – Accountant م Nov 15 '16 at 09:59
  • Use a framework and follow its guide, because the implementation varies. You HAVE to check the user for every single request. We can't really answer your question as it stands, because you can have a problem somewhere in the code you're not showing. Be responsible when developing software. – walther Nov 15 '16 at 10:00
  • The problem is that when someone enters my admin panel link, he gains access if I remove that session check I posted above. My question is whether there are more secure ways of protecting my admin panel instead of using this session? – vaxzz Nov 15 '16 at 10:01
  • Sessions are *the* standard way of implementing a login/authentication system, and if applied correctly they're perfectly fine. If you have any specific concerns we can respond to directly, please write them into your question. – deceze Nov 15 '16 at 10:21

1 Answer

Better to use an ACL, but the easiest way would be as below:

session_start();

$sess_prefix = 'app1';
if (!isset($_SESSION[$sess_prefix . ".username"])) {
    header("Location: index.php");
    exit; // do not continue rendering the protected page
}

or

session_start();

// Check if user is logged in
if(!isset( $_SESSION['user_id'] ))
{
    // User is not logged in
    $_SESSION['message'] = 'You\'re not logged in';

    // redirect to home page
    header('Location: /');
    exit;
}
Swatantra Kumar
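The answer above and the comments on the question (check every request, prevent session hijacking, do more than test a single "logged in" flag) can be combined into one reusable guard. The following is an added example, not code from the asker or the answerer: it assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()`), that the site is served over HTTPS, and that user records are already stored as `password_hash()` output with a role. The file names `admin_guard.php` and `login.php` and the function names `require_admin()` and `login_user()` are illustrative.

```php
<?php
// admin_guard.php (added example). Include this at the very top of EVERY admin
// page, before any output: header() cannot be sent once output has started.
declare(strict_types=1);

// Harden the session cookie before the session is started.
// 'secure' => true assumes the site is only reachable over HTTPS.
session_set_cookie_params([
    'lifetime' => 0,        // cookie is discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // never transmit the session id over plain HTTP
    'httponly' => true,     // JavaScript cannot read the session cookie
    'samesite' => 'Strict', // cookie is not sent on cross-site requests
]);
session_start();

/**
 * Redirect to the login page and stop executing the protected page.
 * The exit is mandatory: header() alone does not stop the script, so without it
 * the rest of the admin page would still be rendered and sent to the client.
 */
function deny_and_redirect(string $login_url = '/login.php'): void
{
    $_SESSION = [];
    header('Location: ' . $login_url);
    exit;
}

/**
 * Guard to call on every request to the admin area.
 * $idle_limit: seconds of inactivity after which the session is no longer accepted.
 */
function require_admin(int $idle_limit = 1800): void
{
    // 1. Not logged in at all.
    if (empty($_SESSION['user_id'])) {
        deny_and_redirect();
    }

    // 2. Logged in, but not an administrator. A flag like $_SESSION['lo'] = 1
    //    only says "someone logged in"; the admin area also needs a role check.
    if (($_SESSION['role'] ?? '') !== 'admin') {
        deny_and_redirect();
    }

    // 3. Idle timeout: a session id that leaks becomes useless after $idle_limit
    //    seconds without activity, instead of staying valid indefinitely.
    if (isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > $idle_limit) {
        session_destroy();
        deny_and_redirect();
    }
    $_SESSION['last_seen'] = time();
}

/**
 * Login handler (would live in login.php). $users is an array of
 * username => ['hash' => password_hash(...), 'role' => 'admin' | 'user'].
 * Returns true on success; the caller then redirects to the admin page.
 */
function login_user(string $username, string $password, array $users): bool
{
    if (!isset($users[$username])
        || !password_verify($password, $users[$username]['hash'])) {
        return false;
    }

    // Issue a fresh session id when privileges change, so a session id that was
    // planted or observed before login (session fixation) does not carry over.
    session_regenerate_id(true);

    $_SESSION['user_id']   = $username;
    $_SESSION['role']      = $users[$username]['role'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Usage on an admin page (admin.php):
//   require __DIR__ . '/admin_guard.php';
//   require_admin();
//   ... admin content follows, reached only by an authenticated admin ...
```

The guard fails closed: any request that does not carry a valid, non-expired admin session is redirected and the script stops. Keeping the check in one included file means a page cannot accidentally be published without it, which is the scenario the asker describes when the inline check is removed; the cookie flags and the id regeneration on login address the "misuse this session" concern from the question.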