I'm creating a simple CMS for myself. There is a register form: I can register as the admin of the CMS, and then, with the login form, I can enter the admin area to write a new post or edit or delete posts.
But there is a problem. I typed the link of the admin page into the browser on my cellphone to see if I could enter the admin area without logging in, and I was faced with the admin page!
So how can I fix it? For example, in WordPress, if I type the link of my friend's admin page into the browser, I can't access it and will face the login form, right?
Now how should I solve this security problem?
Use sessions to store the logged-in user.
When the user logs in you need to save that info (UserId, for example) in the session.
And on every page load you must check if the session is valid.
If there's no session it means that the user has not logged in, so you can redirect him to the login page.
You should be checking to see if the user is logged in and if the user is an admin.
What I would recommend is that when a user logs into your system and you check the credentials and roles, you should store some information in session variables. Then on the admin page, or any other page that requires security, check the session variables to see if 1) the user is logged on AND 2) the user is an admin. If both are NOT true, then redirect the user to the login page.
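Both answers describe the same gate: a server-side session created at login, then a check on every protected page for "logged in" and "is admin" before rendering. The example below is added here and is not code from the question or either answer; it is framework-agnostic Python with a constructed in-memory session store and user table, so `require_admin` shows the check logic that any web framework's session middleware would back.

```python
import hashlib
import hmac
import secrets

# Server-side session store (constructed for this example; a real app uses the
# framework's session backend). Only the opaque session id ever reaches the browser.
SESSIONS: dict[str, dict] = {}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: password hashes plus a role per user.
USERS = {
    "alice": {"id": 1, "role": "admin", "salt": b"salt-a",
              "hash": hash_password("correct horse", b"salt-a")},
    "bob": {"id": 2, "role": "subscriber", "salt": b"salt-b",
            "hash": hash_password("hunter2", b"salt-b")},
}


def login(username: str, password: str):
    """Verify credentials; on success create a fresh session and return its id."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return None
    sid = secrets.token_urlsafe(32)  # new id on every login, never a pre-login id
    SESSIONS[sid] = {"user_id": user["id"], "role": user["role"]}
    return sid


def logout(sid: str) -> None:
    SESSIONS.pop(sid, None)  # invalidate server-side, not just the cookie


def require_admin(sid):
    """Gate for admin pages: ('ok', user_id) or ('redirect', '/login').

    Both conditions from the answers are checked: a valid session must exist
    (logged in) AND its role must be admin. Either failure sends the visitor
    to the login page, which is exactly what the cellphone test should hit.
    """
    session = SESSIONS.get(sid) if sid else None
    if session is None:
        return ("redirect", "/login")  # no session: not logged in
    if session["role"] != "admin":
        return ("redirect", "/login")  # logged in, but not an admin
    return ("ok", session["user_id"])
```

Call `require_admin(session_id_from_cookie)` at the top of every admin page handler, before any post is read or written.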