Hello,
I know this will be pretty basic to most of you and perhaps this ought to be posted in the theory section, but some help would really be appreciated...
I have a user login box and multiple users. An Authenticate class is going to check the username and password against a database, and stored alongside their name is an address for them to be redirected to.
So different users get forwarded to different webpages after they login.
How do I stop one user being able to access another user's page simply by adjusting the domain in the address bar?
At the moment my pages check that there is a valid user in the Session. But any user who logs in is valid, just not for the whole website.
I want to try and avoid cookies if I can and I don't really want to hard wire it into the pages. So for example I don't want to say "If the user ID is 3" - because when I adjust my database the whole thing will break.
I know there is a simple method for this, but I'm new and don't know it!
any clues?
Many thanks!
Multiple Back ends One Server
- wibblywobbly
- Forum Newbie
- Posts: 17
- Joined: Mon Oct 19, 2009 10:11 am
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
Re: Multiple Back ends One Server
You'll have to explain more about what the pages are/what they are named, what you mean by the domain in the address bar, what does it contain? What kind of correlation can we make between these things, username, userid, etc.?
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQLextension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
- wibblywobbly
- Forum Newbie
- Posts: 17
- Joined: Mon Oct 19, 2009 10:11 am
Re: Multiple Back ends One Server
Ok, forgive me...
So. I have 5 users. Each one has a username and password. The website has a login page that has a username and password input box.
Then I have 5 "Backend" pages. So let's call them
/backend1.php
/backend2.php
/backend3.php
/backend4.php
/backend5.php
So user 1 can ONLY view /backend1.php. If they attempt to type into the address bar "/backend2.php" - they get booted back to the original login page. This goes for user 2 also, they only have access to /backend2.php and user 3, 4, 5 etc.
I'm going to have a table in a database with "ID", "username", "password" and "redirect". So when a user authenticates the address of the page they get redirected to comes from the "redirect" row in the column.
But how do I stop them looking at the other pages on the server? What is it about /backend1.php that kicks "user 2" out?
I hope I'm a little clearer, let me know if not and many thanks in advance for any advice!
-- wibblywobbly.
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
Re: Multiple Back ends One Server
If I assume correctly that the redirect for user 1 is backend1.php, then just save the redirect in the session when they login and then at the top of each page (this is very simplistic and not scalable):
Code:
<?php
session_start(); // load the session written at login before reading $_SESSION
if ($_SESSION['redirect'] != basename(__FILE__)) {
    die("KEEP OUT!");
}
If you need this to be extensible then give more details and we can probably come up with a scalable / flexible permissions solution.
- wibblywobbly
- Forum Newbie
- Posts: 17
- Joined: Mon Oct 19, 2009 10:11 am
Re: Multiple Back ends One Server
Ah, now that is very interesting.
If I wanted my users to be able to move around in an entire folder, so for example the structure was:
User 1 can access:
/backend1/index.php
/backend1/home.php
/backend1/page.php
/backend1/page2.php
User 2 can access:
/backend2/index.php
/backend2/home.php
/backend2/page.php
/backend2/page2.php
and so on...
I could presumably write similar code except the end part of the path was saved in the session at authentication, and then checked later on if it's the same.
Thanks a lot for your help I've been hurting my head thinking about this.
--wibbly
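The following is an added example, not code posted in this thread, that carries the per-page session check from the reply above through to the per-folder layout asked about in this post. The table name `users`, its columns (id, username, password_hash, area) and the PDO connection details are assumptions; the thread's own table has "ID", "username", "password" and "redirect". It assumes PHP 7.1 or later. On the cookie concern in the opening post: a PHP session does put a session id in a cookie, but the values compared here (user id and allowed folder) live on the server, which is what makes the check trustworthy.

```php
<?php
// auth.php: added example, not code from the thread. Assumes PHP 7.1+, a PDO
// connection, and a `users` table with columns id, username, password_hash and
// area (e.g. "/backend1/"); the thread's own table has "ID", "username",
// "password" and "redirect". Every backend page starts with:
//     require_once __DIR__ . '/../auth.php';
//     require_area();

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function db(): PDO
{
    // Placeholder credentials.
    return new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Called by login.php on POST. Returns the user's area (to redirect to) or null.
function login_user(string $username, string $password): ?string
{
    ensure_session();
    $stmt = db()->prepare('SELECT id, password_hash, area FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks against a password_hash() value; no plaintext is stored.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;
    }

    session_regenerate_id(true);   // fresh id on login: a pre-login id is useless afterwards
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['area']    = rtrim($user['area'], '/') . '/';   // from the DB row, never from the request
    return $_SESSION['area'];
}

// Is $script inside $area? Kept free of globals so it can be tested on its own.
// The trailing slash is what stops "/backend1/" from also matching "/backend10/page.php".
function script_in_area(string $script, string $area): bool
{
    $area = rtrim($area, '/') . '/';
    return strncmp($script, $area, strlen($area)) === 0;
}

// First call on every backend page: bounces anyone not logged in, or logged in
// for a different folder, back to the login page.
function require_area(): void
{
    ensure_session();
    // SCRIPT_NAME is the page the server resolved ("/backend2/home.php");
    // __FILE__ here would name auth.php itself, and REQUEST_URI can carry extra segments.
    $script = $_SERVER['SCRIPT_NAME'] ?? '';

    if (!isset($_SESSION['user_id'], $_SESSION['area'])
        || !script_in_area($script, $_SESSION['area'])) {
        error_log(sprintf('auth_guard: denied user=%s script=%s',
            $_SESSION['user_id'] ?? '-', $script));
        header('Location: /login.php');
        exit;
    }
}
```

login.php calls `login_user($_POST['username'] ?? '', $_POST['password'] ?? '')`, sends the browser back to the login form when it returns null, and otherwise redirects to `$area . 'index.php'`. The reply's single-file check (`basename(__FILE__)` against a stored file name) is the special case where the stored value is one page; storing a folder prefix and comparing against `SCRIPT_NAME` covers a whole directory without listing its files, and adding a user means adding a row, not editing pages.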
- AbraCadaver
- DevNet Master
- Posts: 2572
- Joined: Mon Feb 24, 2003 10:12 am
- Location: The Republic of Texas
Re: Multiple Back ends One Server
Again, I don't know what you're doing, but use PHP to create things dynamically and reduce duplication of files and code. If, for example, all of the index.php files for each user were the same except that they displayed info from the DB based on that particular user, then you could have 1 index.php and call it with the user id as a parameter: index.php?user=1, and then in index.php use $_GET['id'] and pull only info from the DB where id = $_GET['id'].
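An added example, not code from this thread, of the shared-page idea in the reply above. The one thing to watch with `index.php?user=1` is that a logged-in user can change the number in the address bar, which is exactly the cross-user access the opening post wants to prevent; the server-side session, not the URL, has to decide whose row is shown. The `profiles` table (user_id, name, body) and the PDO connection details are assumptions.

```php
<?php
// index.php: added example, not code from the thread. One page serves every
// user, but the row it shows is chosen by the server-side session rather than
// by an id typed into the address bar. Table `profiles` (user_id, name, body)
// and the PDO connection details are assumptions.

session_start();

if (!isset($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// Shape to avoid, shown only for contrast:
//     $sql = "SELECT ... WHERE user_id = " . $_GET['id'];
// Any logged-in user can edit the number, and the string concatenation is also
// an SQL injection point. Neither issue exists in the code below.

function load_profile(PDO $pdo, int $userId): ?array
{
    $stmt = $pdo->prepare('SELECT user_id, name, body FROM profiles WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// If the page must accept an id in the URL (links, bookmarks), the question is
// "may the session owner see this id", not "is it an integer". Here the rule is
// "only your own"; a multi-owner rule would go into the query as `AND owner_id = ?`.
function authorize_requested_id(?string $requested, int $sessionUserId): int
{
    if ($requested === null || $requested === '') {
        return $sessionUserId;                 // no id given: show own page
    }
    if (!ctype_digit($requested) || (int) $requested !== $sessionUserId) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $sessionUserId;
}

$pdo = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass', [   // placeholder credentials
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$id      = authorize_requested_id($_GET['id'] ?? null, (int) $_SESSION['user_id']);
$profile = load_profile($pdo, $id);

if ($profile === null) {
    http_response_code(404);
    exit('No such profile');
}

// Escape on output so a stored name cannot inject markup into the page.
echo '<h1>', htmlspecialchars($profile['name'], ENT_QUOTES, 'UTF-8'), '</h1>';
echo '<div>', htmlspecialchars($profile['body'], ENT_QUOTES, 'UTF-8'), '</div>';
```

The prepared statement also addresses the deprecation notice quoted in the signature above: PDO with bound parameters replaces the old `mysql_*` calls and keeps the id out of the SQL text.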
- wibblywobbly
- Forum Newbie
- Posts: 17
- Joined: Mon Oct 19, 2009 10:11 am
Re: Multiple Back ends One Server
Thanks a lot Shawn,
This is very helpful. Essentially the different folders will have very little they can share between them. There'll be a folder of common classes but apart from that I'm going to be working with very different files. It's the permissions and single login box that I was most interested in. As you highlight, it seems the key to that is checking the address bar for file endings, or functions or folders compared with what's stored in a session at the login stage.
Many thanks!