Gilbert

only allow visitors to enter website thru main page (index)

Hi all, I'm trying to control where a visitor enters my website. I only want a visitor to open my homepage, pass security and then continue, like a menu-driven app. I know you can enter a domain name and a slash and go to that page in the website like 'amazon.com/tools' will bring up the tool page. Is there a way to prevent this from happening? Can it be turned off or on according to a security level imposed? I only want higher level users to see pages like 'checkswritten.html' or 'incomelevel.html' and not a casual user type in 'myDomain/incomelevel'. Anybody can see the links in <a href> or where buttons take you so they could learn all your pages and go directly to them. Do you need to invoke security precautions on every page? Thank you for responses, Gil


If your system requires a login then you should program a login system using a server-side language. If you already have a login system, each page on your site needs to check whether the user is logged in or not. If they are logged in then show the page, otherwise show a "Forbidden access" page or redirect them to the login page.


OK thank you very much. I have the login in PHP and at the same time I set a $_SESSION var called userLogStatus to 'loggedIn' - so I have to check that global in PHP when each page opens. Or do you suggest I copy 'userLogStatus' to a sessionStorage to make it more accessible for checking? Would that compromise my security by being in the browser? Thanx, Gil


Don't do anything in the browser, anybody can hack that. All session information should remain on the server side. You do have to check the $_SESSION variable on every page where the user needs to be logged in.


Thank you very much! I appreciate you helping me get this basic stuff under my belt from the start so I can do it right. Gil


I'm still a bit fuzzy on how to go about checking every page. Can you give me a typical example of how to check if a user has permission to view it? I came up with the following code but got stymied as to how to break off gracefully and return to wherever. Is this the right approach to start with - where do I go from here? Or am I not seeing the whole picture? Thank you!!

<?php
session_start();
$pageLevel = "4";
if ($pageLevel > $_SESSION["userUserLevel"]) {   // userUserLevel is a single string digit created at log in
    echo "You do not have permission to view this page";  // where does it echo to?
    return;  // where do I return to?
}
?>
<!DOCTYPE html>
etc


The first thing you need to do is check that the values in the session are actually set, like their user ID or whatever you're tracking.  Once you figure out who the user is, that's authentication.  Then, you need to figure out if they have permission to do whatever they're trying to do, that's authorization.  There are a variety of ways you can track permissions like that depending on what your needs are.  In general, if someone fails authentication or authorization they are usually redirected to a login page or something with an error message.

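<?php
// Start (or resume) the server-side session before any output is sent.
session_start();
// Minimum level a user needs to view this page.
$pageLevel = "4";
// Read the login values from the session; an empty string means "not set".
$user = isset($_SESSION['user']) ? $_SESSION['user'] : '';
$userLevel = isset($_SESSION['userlevel']) ? $_SESSION['userlevel'] : '';
?>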

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>title</title>
</head>
<body>

<?php
if ($user == '' || $userLevel == ''){ 
?>

<h1>Forbidden. You do not have permission to view this page.</h1>

<?php
}else if($pageLevel > $userLevel){
?>

<h1>Sorry <?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8') ?>. You do not have permission to view this page.</h1>

<?php
}else{
?>

<div id="content">

<h1>Welcome <?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8') ?></h1>
<h4>This is the protected content.</h4>

</div>

<?php
}
?>

</body>
</html>

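The per-page check discussed in this thread can be moved into one include that every protected page calls, as an added example that is not part of any original post. The file name `auth_guard.php`, the `/login.php` URL and the helper names are assumptions; the session keys `user` and `userlevel` follow the code posted above.

```php
<?php
// auth_guard.php (added example; file name, /login.php and helper names are assumptions)
declare(strict_types=1);

// Pure decision function: returns 'allow', 'login' or 'forbidden'.
function access_decision(array $session, int $pageLevel): string
{
    // Authentication: a user and a numeric level must be present in the session.
    $user  = $session['user'] ?? '';
    $level = (string)($session['userlevel'] ?? '');
    if ($user === '' || !ctype_digit($level)) {
        return 'login';
    }
    // Authorization: compare as integers, not as raw session strings.
    return ((int)$level >= $pageLevel) ? 'allow' : 'forbidden';
}

// Call at the very top of each protected page, before any output:
//   require __DIR__ . '/auth_guard.php';
//   require_level(4);
function require_level(int $pageLevel): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $decision = access_decision($_SESSION, $pageLevel);
    if ($decision === 'allow') {
        return;                        // the page continues rendering
    }
    if ($decision === 'login') {
        header('Location: /login.php', true, 302);
    } else {
        http_response_code(403);
        echo 'You do not have permission to view this page.';
    }
    exit;                              // stop here so protected markup is never sent
}

// Constructed sample sessions, run only from the command line: php auth_guard.php
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $samples = [
        'no session' => [],
        'level 2'    => ['user' => 'gil', 'userlevel' => '2'],
        'level 4'    => ['user' => 'gil', 'userlevel' => '4'],
        'bad level'  => ['user' => 'gil', 'userlevel' => 'admin'],
    ];
    foreach ($samples as $name => $session) {
        echo $name, ' => ', access_decision($session, 4), PHP_EOL;
    }
}
```

Because the guard runs on the server for every request, typing a protected URL directly gets the same redirect or 403 as following a link; the check only applies to pages that PHP executes, not to static `.html` files served as-is.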
