4

I have a website where only a user with admin privileges can view certain pages. When I log into my admin account, `$_SESSION["is_admin"] = true` is set. Then on the pages that I want only users with admin privileges to be able to view, I check if is_admin is true; otherwise I redirect them to the index page.

```php
if (!$_SESSION["is_admin"]) {
    // redirect to index.php
}
```

Is there a better way of protecting webpages in these circumstances?

Thanks

crmepham
  • 2
    That should be fine, as long as your login script is properly secured. Also you should be using SSL (https) if security is truly important. – Dave Apr 14 '13 at 22:31
  • 1
    Make sure to kill the script after the redirect – Musa Apr 14 '13 at 22:32
  • @musa how do you mean kill the script? After the redirect takes the user to the index.php page isn't any script "killed" as soon as the page loads? – crmepham Apr 14 '13 at 22:37
  • 3
    `header('Location: where ever'); exit;` – Musa Apr 14 '13 at 22:40

3 Answers

3

The code is more secure if it's somewhere not public (above the public folder), so it's more difficult for problems to happen. What would happen here?

```
</php
  // Code
```

The whole page's content would be shown in plain text if it's in the public folder. While that is rare, missing a php tag is not THAT uncommon, even more in included files (and then an attacker could access that included file directly).

Also, check out this other SO question about session hijacking; it relates directly to your question.

EDIT. I just read Facebook's Criticism Wikipedia page and it is very relevant, so I quote it:

> In August 2007, the code used to generate Facebook's home and search page as visitors browse the site was accidentally made public, according to leading internet news sites. A configuration problem on a Facebook server caused the PHP code to be displayed instead of the web page the code should have created, raising concerns about how secure private data on the site was.

Had they asked this somewhere else back in the day, they might not have been exposed.

Community
Francisco Presencia
2

Relying strictly on the $_SESSION global is not very secure. There are applications capable of "hijacking" sessions and manipulating SESSION IDs which are stored client-side. Take a look at FireSheep.

What I would recommend would be to implement some type of extra level of security. The extra level of security could include whitelisting IP Addresses, or a short expiry time on your SESSIONs.

Also see is storing data in php session insecure (it's not the same question but similar).

White-listing IP Addresses:

As mentioned in white list ip address for admin access, you could keep a record of the IP Addresses that have permission to access your page. If the IP Address does not fall in the allowed addresses, access to the page is denied. You can store the addresses in a database or hardcode them into the script (I'd stay away from hardcoding).

Here is a modified example taken from zerkms in the link above, incorporating your SESSION test:

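```php
<?php
session_start(); // the session must be started before $_SESSION is read

// Addresses allowed to reach the admin page
$whitelist = array('192.168.0.1', '192.168.0.2');

// Deny unless the session is flagged admin AND the client IP is whitelisted
if (($_SESSION['is_admin'] ?? false) !== true || !in_array($_SERVER['REMOTE_ADDR'], $whitelist, true)) {
    // Admin denied.
    header('Location: denied.php');
    exit();
}

echo "You're an admin!";
```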

Shorten Session Expiry Time:

I'd recommend reading Gumbo's answer here.

More reading material:

Community
noahnu
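One way to combine two points raised above, stopping the script after the redirect and keeping admin sessions short-lived, in a single guard that every admin page calls before producing output. This is an added example, not code from any of the posters; the function names, the `created`/`last_seen` session keys, the timeout values and the `index.php` target are assumptions.

```php
<?php
// Added example: admin-page guard with idle and absolute session timeouts.
// Function names, session keys and timeout values are assumptions.
declare(strict_types=1);

const IDLE_TIMEOUT = 900;        // 15 min without a request ends the session
const ABSOLUTE_LIFETIME = 28800; // 8 h after login, force a new login

// Call once, right after the password check succeeds (session already started).
function mark_admin_login(): void
{
    session_regenerate_id(true); // new ID, so an ID issued before login is useless
    $_SESSION['is_admin']  = true;
    $_SESSION['created']   = time();
    $_SESSION['last_seen'] = time();
}

// Pure check, so it can be exercised without a live session.
function admin_session_valid(array $s, int $now): bool
{
    if (($s['is_admin'] ?? false) !== true) {
        return false; // flag missing or not strictly true
    }
    $created  = $s['created']   ?? 0;
    $lastSeen = $s['last_seen'] ?? 0;
    return ($now - $lastSeen) <= IDLE_TIMEOUT
        && ($now - $created) <= ABSOLUTE_LIFETIME;
}

// Call at the top of every admin-only page, before any output is sent.
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!admin_session_valid($_SESSION, time())) {
        $_SESSION = [];    // drop stale privilege flags
        session_destroy();
        header('Location: index.php');
        exit;              // without this the rest of the admin page still runs
    }
    $_SESSION['last_seen'] = time(); // slide the idle window forward
}
```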
1

This is OK if you only have admin and non-admin users in terms of access to pages. You could alternatively implement roles if you have more user levels.

Mike