Gilbert Posted June 5, 2018

Hi all, I'm trying to control where a visitor enters my website. I only want a visitor to open my homepage, pass security and then continue, like a menu-driven app. I know you can enter a domain name and a slash and go to that page in the website like 'amazon.com/tools' will bring up the tool page. Is there a way to prevent this from happening? Can it be turned off or on according to a security level imposed? I only want higher level users to see pages like 'checkswritten.html' or 'incomelevel.html' and not a casual user type in 'myDomain/incomelevel'. Anybody can see the links in <a href> or where buttons take you so they could learn all your pages and go directly to them. Do you need to invoke security precautions on every page?

Thank you for responses, Gil

Ingolme Posted June 5, 2018

If your system requires a login then you should program a login system using a server-side language. If you already have a login system, each page on your site needs to check whether the user is logged in or not. If they are logged in then show the page, otherwise show a "Forbidden access" page or redirect them to the login page.

Gilbert Posted June 6, 2018

OK, thank you very much. I have the login in PHP and at the same time I set a $_SESSION var called userLogStatus to 'loggedIn' - so I have to check that global in PHP when each page opens. Or do you suggest I copy 'userLogStatus' to a sessionStorage to make it more accessible for checking? Would that compromise my security by being in the browser?

Thanx, Gil

Ingolme Posted June 6, 2018

Don't do anything in the browser, anybody can hack that. All session information should remain on the server side. You do have to check the $_SESSION variable on every page where the user needs to be logged in.

Gilbert Posted June 6, 2018

Thank you very much! I appreciate you helping me get this basic stuff under my belt from the start so I can do it right.

Gil

Gilbert Posted June 6, 2018

I'm still a bit fuzzy on how to go about checking every page. Can you give me a typical example of how to check if a user has permission to view it? I came up with the following code but got stymied as to how to break off gracefully and return to wherever. Is this the right approach to start with - where do I go from here? Or am I not seeing the whole picture? Thank you!!

    <?php
    session_start();
    $pageLevel = "4";
    if ($pageLevel > $_SESSION["userUserLevel"]) { // userUserLevel is a single string digit created at log in
        echo "You do not have permission to view this page"; // where does it echo to?
        return; // where do I return to?
    }
    ?>
    <!DOCTYPE html>
    etc

justsomeguy Posted June 6, 2018

The first thing you need to do is check that the values in the session are actually set, like their user ID or whatever you're tracking. Once you figure out who the user is, that's authentication. Then, you need to figure out if they have permission to do whatever they're trying to do, that's authorization. There are a variety of ways you can track permissions like that depending on what your needs are. In general, if someone fails authentication or authorization they are usually redirected to a login page or something with an error message.
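
The authentication-then-authorization check described above, written as a reusable guard that each protected page includes before sending any output. This is an added example, not code posted by anyone in the thread; the session keys `userLogStatus` and `userUserLevel` come from the posts above, while the file name `guard.php`, the path `/login.php` and both function names are assumptions.

```php
<?php
// guard.php (hypothetical file name): include at the top of every
// protected page, before any output is sent.

/**
 * Pure decision function. Returns 'login' when the visitor is not
 * authenticated, 'forbidden' when authenticated but below the page
 * level, and 'allow' when the page may be shown.
 */
function access_decision(array $session, int $pageLevel): string
{
    // Authentication: is there a logged-in user at all?
    if (($session['userLogStatus'] ?? '') !== 'loggedIn') {
        return 'login';
    }
    // Authorization: the level must be the digit string set at login.
    $level = $session['userUserLevel'] ?? '';
    if (!is_string($level) || !ctype_digit($level)) {
        return 'login';   // missing or malformed level: treat as not logged in
    }
    return ((int) $level >= $pageLevel) ? 'allow' : 'forbidden';
}

/** Enforce the decision: redirect or send 403, then stop the script. */
function require_level(int $pageLevel): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    switch (access_decision($_SESSION, $pageLevel)) {
        case 'allow':
            return;                          // caller goes on to render the page
        case 'forbidden':
            http_response_code(403);
            echo 'You do not have permission to view this page.';
            exit;                            // nothing below the guard runs
        default:
            header('Location: /login.php');  // assumed login page path
            exit;
    }
}

// Usage at the top of a protected page (assumed to be served as PHP):
//   require __DIR__ . '/guard.php';
//   require_level(4);
```

The guard only runs if the page itself is processed by PHP, so a static `.html` file on disk is not protected by it.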

davej Posted June 12, 2018

    <?php
    session_start();
    $pageLevel = "4";
    // Read the session values defensively: they are unset for visitors who never logged in.
    $user = isset($_SESSION['user']) ? $_SESSION['user'] : '';
    $userLevel = isset($_SESSION['userlevel']) ? $_SESSION['userlevel'] : '';
    ?>
    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="utf-8">
    <title>title</title>
    </head>
    <body>
    <?php
    // Not authenticated: no user or level in the session.
    if ($user == '' || $userLevel == ''){
    ?>
    <h1>Forbidden. You do not have permission to view this page.</h1>
    <?php
    // Authenticated, but the user's level is below the level this page requires.
    }else if($pageLevel > $userLevel){
    ?>
    <!-- The user name is escaped before output so it cannot inject markup. -->
    <h1>Sorry <?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8') ?>. You do not have permission to view this page.</h1>
    <?php
    }else{
    ?>
    <div id="content">
    <h1>Welcome <?php echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8') ?></h1>
    <h4>This is the protected content.</h4>
    </div>
    <?php
    }
    ?>
    </body>
    </html>