sdanks Posted June 6, 2008 I am using session variables to authenticate a user to my website. But once authenticated, I do not know how to keep them from going to a webpage that they shouldn't go to, such as process_userupdate.php. I thought I might have seen someone suggest that you make a page index.php and have it include an indexcontent.inc, and then have the Apache server block .inc files, except that the calling page can still somehow access the .inc page but someone could not go directly to that page. Has anyone else dealt with this? I know I can't be the first one. Is there some industry standard for how to handle this type of access? Let me know. Otherwise I will have to check at the top of each page and see who they are logged in as, and have another database of pages that this user is authorized to see.
OJB Posted June 8, 2008 Will anyone be allowed to access process_userupdate.php?
sdanks (Author) Posted June 10, 2008 It is a webpage called when a form is filled out and the submit button is pressed. It basically massages the data and then opens the MySQL database and inserts, updates or deletes the data based on form variables. Then it returns the user back to the previous page with a GET-type variable and reloads the page they are looking at. So they do not see it, but it processes and leaves the page. In essence, they can go there, but I don't want them to go there if they know the URL. They should not be there without the webpages sending them there when ready. I just don't know what the industry standard is to allow this. Just asking the seasoned professionals here for direction. I could do a check to open a database and see if they are authorized to see that webpage, but I have another "Setup" page that lets the admins give rights to the users by checking the functions they can do. Sometimes that function is 3-4 webpage accesses, and sometimes 1 page. So it might be a nightmare to say: if they can administer all users' personal data, they need access to allupdate.php, process_allupdate.php and allupdatecontent.php, but access to the home page is just index.php. See my dilemma? (sp?) (Sorry, spellchecking is not enabled on this forum.)
OJB Posted June 10, 2008 You could check if the POST array is non-empty (hence the form has been submitted) and also check the referring page; if one or more of them doesn't match what you expect, then redirect somewhere else. Something like this:

    if (!isset($_POST['input_button_name']) || $_SERVER['HTTP_REFERER'] != 'whatever_you_expect_it_to_be') {
        header("Location: index.php");
        exit; // stop here, otherwise the rest of the page still runs after the redirect header
    }

Bear in mind, though, for security reasons, that HTTP referers are set by the user agent, which means they aren't necessarily secure.
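The thread raises two separate problems: authorising a logged-in user for a page at all (the "which pages does this function unlock" question from the author's second post), and making sure a process_*.php page is only reached through its form rather than by typing the URL (which the referer check above cannot guarantee, since the referer is client-controlled). The following is an added example, not code from the thread, showing one common way to do both with the session variables the author already has: a single gatekeeper include at the top of every page, a function-to-pages map in place of a per-page database table, and a random one-time token issued by the form page and required by the processing page. The session keys (user_id, functions, form_tokens), the file name gate.php, the function names and the page names in the map are all assumptions made for the example.

```php
<?php
// Added example (not from the thread). Assumes the login code has already
// called session_start() and stored the user's id in $_SESSION['user_id'] and
// the admin-granted function names in $_SESSION['functions'] (assumed names).
declare(strict_types=1);

// Map each admin-granted "function" to the pages it unlocks. The admin "Setup"
// page then only stores function names; this table resolves them to pages.
// Function and page names here are hypothetical.
const FUNCTION_PAGES = [
    'home'            => ['index.php'],
    'update_own_data' => ['userupdate.php', 'process_userupdate.php'],
    'update_all_data' => ['allupdate.php', 'process_allupdate.php', 'allupdatecontent.php'],
];

/** Pages the user may open, given the functions granted to them. */
function allowedPages(array $grantedFunctions): array
{
    $pages = [];
    foreach ($grantedFunctions as $fn) {
        foreach (FUNCTION_PAGES[$fn] ?? [] as $page) {
            $pages[$page] = true;
        }
    }
    return array_keys($pages);
}

/** Issue a random one-time token for a form; store it server side, embed it in the form. */
function issueFormToken(string $action): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$action] = $token;
    return $token;
}

/** Consume the token; true only if it matches what the server handed out for this form. */
function consumeFormToken(string $action, ?string $submitted): bool
{
    $expected = $_SESSION['form_tokens'][$action] ?? null;
    unset($_SESSION['form_tokens'][$action]);   // single use: a replayed POST fails
    return $expected !== null && $submitted !== null
        && hash_equals($expected, $submitted);  // constant-time compare
}

/**
 * Gatekeeper: the first call on every page. $page is the script's own name.
 * For process_*.php pages also pass the form action name, so that a direct
 * GET, a hand-crafted POST, or a replayed POST is refused without any
 * reliance on the client-supplied HTTP_REFERER.
 */
function requireAccess(string $page, ?string $formAction = null): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
    if (!in_array($page, allowedPages($_SESSION['functions'] ?? []), true)) {
        http_response_code(403);
        exit('Not authorised');
    }
    if ($formAction !== null
        && ($_SERVER['REQUEST_METHOD'] !== 'POST'
            || !consumeFormToken($formAction, $_POST['form_token'] ?? null))) {
        header('Location: index.php');
        exit;
    }
}

// Usage on the form page (userupdate.php):
//   session_start(); require 'gate.php';
//   requireAccess(basename($_SERVER['SCRIPT_NAME']));
//   $t = issueFormToken('userupdate');
//   echo '<input type="hidden" name="form_token" value="' . htmlspecialchars($t) . '">';
//
// Usage on the processing page (process_userupdate.php):
//   session_start(); require 'gate.php';
//   requireAccess(basename($_SERVER['SCRIPT_NAME']), 'userupdate');
//   ... massage $_POST, update MySQL, then header('Location: userupdate.php?saved=1'); exit;
```

Because the token is stored in the session and handed out only when the authorised user renders the form, a user who knows the process page's URL still cannot get past requireAccess() without first loading the form page they are allowed to see; the referer header plays no part. The same token also blocks cross-site form submissions, which the isset($_POST[...]) check alone does not.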