I have 2 some pages in the website I'm developing. I've also an admin page. If I want to log in to the admin page, I've to key in username and password and it will be validated and redirect me to the admin's page. The problem is, if I manually input the direct URL for the admin's page, the browser will open the URL without asking for any validation.

?? Question ??

1. How to disable the user to just open the admin's page with direct link without any validation?

2. How to prompt the user to key in username and password if the direct url is used?

3. How to disable the usage of direct url (for admin's page)?

I've handled this problem in my applications by using a SESSION random value which is initiated at my login page itself.
Let's say your initial loading page is login.php. It would contain the following LOC

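<?php
session_start();
// Runs only when the login form posted a userID
if(!empty($_POST['userID']))
{
// Same key spelling ('randomValue') in both lines, so the hash covers the stored value
$_SESSION['randomValue']=rand();
$_SESSION['loginValue']=md5($_SESSION['randomValue']);
}
else
{
// No userID posted: send the browser to logout.php
echo '<script>';
echo "document.location='logout.php'";
echo "</script>";
}
?>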

Please note, this page is accessible only through login.

Let's say the URL to the adminSetting is admin.php. Include these lines in the code

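if($_SESSION['loginValue'])
{
// Recompute the hash from the stored random value and compare it with the stored hash
$checkValue=md5($_SESSION['randomValue']);
if($checkValue==trim($_SESSION['loginValue']))
{
// Values match: the admin page content goes here
}
else
{
echo '<script>';
echo "alert('Enter USER NAME and PASSWORD')";
echo "</script>";
}
}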

The direct usage of url can be controlled through javascript.
Hope this helped.

Thanks for the code, I will give it a try before I reply to this thread.

That works. I would change one thing, however.

Instead of echoing the JavaScript to redirect the page, I would keep it as PHP by using the header function like so:

<?php
session_start();
if(!empty($_POST['userID']))
{
// Same key spelling ('randomValue') in both lines
$_SESSION['randomValue']=rand();
$_SESSION['loginValue']=md5($_SESSION['randomValue']);
}
else
{
//redirect to login
header('Location: login.php');
exit();
}
?>

Using JavaScript to redirect will allow the user access to the page you're trying to keep secure simply by disabling JavaScript in their browser. The header function redirects server-side, so they never get to the page.

For additional security, you should probably also validate the $_POST against a username/password combination in a database, otherwise someone could write a script on a remote website to post any value for 'userID' and it will let them through.
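
A server-side version of the check discussed in this thread, as an added example that is not code from any of the posters: the login validates the posted credentials against a stored password hash, and admin.php refuses to render unless the session was marked by a successful login. The names auth.php, find_password_hash, attempt_login, require_admin, the `password` form field and the `adminUser` session key are assumptions, and the in-memory user array stands in for the database lookup.

```php
<?php
// auth.php: hypothetical shared include (name assumed), required by login.php and admin.php.
session_start();

// Constructed stand-in for the database lookup; a real table stores only the hash.
function find_password_hash(string $userID): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('example-password', PASSWORD_DEFAULT)];
    }
    return $users[$userID] ?? null;
}

// Called by login.php with the posted form fields.
function attempt_login($userID, $password): bool
{
    if (!is_string($userID) || !is_string($password)) {
        return false;               // reject array-valued fields such as userID[]=x
    }
    $hash = find_password_hash($userID);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);    // fresh session ID after login
    $_SESSION['adminUser'] = $userID;
    return true;
}

// First statement of admin.php and of every other admin-only page.
function require_admin(): void
{
    if (empty($_SESSION['adminUser'])) {
        header('Location: login.php');
        exit();                     // stop here so no admin markup is ever sent
    }
}

// Body of login.php (assumed form fields: userID, password).
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (attempt_login($_POST['userID'] ?? '', $_POST['password'] ?? '')) {
        header('Location: admin.php');
        exit();
    }
    echo 'Invalid user name or password';
}
```

In admin.php, `require 'auth.php'; require_admin();` goes before any output, so a request that types the admin URL directly gets only the redirect.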
