Newbie here,

Is this enough / safe to keep people out of my admin panel?

```php
<?php if (isset($_SESSION["AccountLevelStandard"])) {
     echo "<script>location.href='home.php'</script>";
}
```
Pon

1 Answer

Not even remotely. All someone has to do is disable JavaScript and they have full access to the page.

Use an HTTP redirect and exit the PHP script after sending it.

```php
header("Location: home.php");
exit();
```

You shouldn't redirect people with standard level access, since that won't catch people who aren't logged in at all and so don't have any kind of access.

Test for people who are not admins instead.

Quentin
  • I'm unable to edit headers due to an already active session. I saw someone said to not close their PHP tags to avoid this, is that feasible? Also thanks for the exit tip. – Pon Jun 29 '20 at 10:56
  • @Pon — It depends on why the headers were already sent. You might need to restructure your code. [See this question](https://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php). – Quentin Jun 29 '20 at 10:58
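
The check the answer describes (test for "not an admin", redirect with an HTTP header, then exit), written out as an added example that is not part of the original answer or comments. The session key `AccountLevelAdmin` and the function names `is_admin` and `require_admin` are assumptions made for illustration; the page only shows `AccountLevelStandard`.

```php
<?php
// Added example, not code from the original post.
// Assumption: the login code sets $_SESSION["AccountLevelAdmin"] = true for
// administrators. That key name is hypothetical; the page only shows
// "AccountLevelStandard".
declare(strict_types=1);

/**
 * Pure decision: allow only when the admin flag is present and strictly true.
 * Anonymous visitors (empty session) and standard users are both denied.
 */
function is_admin(array $session): bool
{
    return isset($session["AccountLevelAdmin"])
        && $session["AccountLevelAdmin"] === true;
}

/** Guard for admin pages: returns for admins, otherwise redirects and stops. */
function require_admin(string $fallback = "home.php"): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (is_admin($_SESSION)) {
        return;
    }
    // Server-side redirect: does not depend on the browser running JavaScript.
    if (!headers_sent()) {
        header("Location: " . $fallback, true, 302);
    }
    // Fail closed: even if output already started and the redirect could
    // not be sent, stop here so none of the admin page is rendered.
    exit();
}

// Constructed sample sessions showing the allow-list decision.
if (PHP_SAPI === "cli") {
    $samples = [
        "anonymous" => [],
        "standard"  => ["AccountLevelStandard" => true],
        "admin"     => ["AccountLevelAdmin" => true],
    ];
    foreach ($samples as $label => $session) {
        printf("%-9s => %s\n", $label, is_admin($session) ? "allow" : "deny");
    }
}
```

Call `require_admin();` as the first statement of each admin page, before any HTML or whitespace is output, so the `Location` header can still be sent.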