
I have admin pages. I need to allow users to access the admin pages only if the user is logged in to the admin with correct credentials. I am already checking whether the user is logged in by using a session variable in all the admin pages.

But still, through tools like Burp Suite, by changing the response code from 300 to 200 I am able to open the admin pages without logging in to the admin.

Please tell me how to prevent the user from viewing the authenticated pages without logging in.

BVL KIRAN

3 Answers


You can add a field to your users table that declares whether the user is an admin or not.

Then you can use PHP to check whether the current user is an admin, and decide whether to display the page or not.

Naor Hadar
  • Thanks Hadar. Please see the example scenario: I have login.php and news.php files. I need to log in as admin to access news.php; typing news.php directly in the browser should not open it if I am not logged in. Normally, if I type news.php it redirects to login.php if I am not logged in. By using Burp Suite's Intercept we are changing the response code from 300 to 200 and are able to open the news.php file. I want to prevent news.php from opening even with a 200 response code. Please help me out. – BVL KIRAN Dec 31 '14 at 07:03
  • The answer stays the same: you need to use something to declare whether the user is an admin or not; in my example you can achieve that by using your table. You can use sessions too after the login page, and add another session variable that determines whether the user is an admin (like @SHADOWS suggested). – Naor Hadar Dec 31 '14 at 07:07
  • You will need to use this: header('Location: /login.php'); and then use exit() to prevent access to that page. – Naor Hadar Dec 31 '14 at 07:09

Use additional session variables, like user type, so that you can easily get the user type after login; this variable should be checked in every admin page. If the type is not admin, then redirect to another page.

  • Thanks. Please see my comment to Hadar. Help me fix it. – BVL KIRAN Dec 31 '14 at 07:07
  • @BVLKIRAN Adding additional session variables is a possible solution. Also use an .htaccess file to protect your directory. – Dec 31 '14 at 07:18
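The check that both answers above describe (an admin flag carried in the session, verified at the top of every admin page, with a redirect to login.php that actually stops the script), written out as an added example. This is not code from the question or from either answer; the file names login.php and news.php come from the question, while the function names, the $_SESSION keys and the users-table column name is_admin are assumptions.

```php
<?php
// auth_guard.php  (added example, not the asker's code)
// Assumed: login.php has already verified the credentials (e.g. with
// password_verify()) and knows the user's id and the is_admin column value.

declare(strict_types=1);

session_start();

// Called by login.php after the credentials check succeeds. Regenerating the
// session id on privilege change prevents session fixation.
function login_user(int $userId, bool $isAdmin): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
}

// True only when the session belongs to a logged-in user flagged as admin.
function is_admin_session(): bool
{
    return isset($_SESSION['user_id'])
        && ($_SESSION['is_admin'] ?? false) === true;
}

// Put this at the very top of every admin page (news.php etc.), before any
// HTML or other output is produced.
function require_admin(): void
{
    if (is_admin_session()) {
        return;
    }

    // The pattern the question describes is a redirect without exit:
    //
    //     header('Location: /login.php');
    //     // ... the rest of the page is still generated and sent ...
    //
    // PHP keeps running after header(), so the admin page body travels in the
    // same response as the 302. A browser follows the redirect and never shows
    // it, but an intercepting proxy that rewrites the status to 200 shows the
    // body in full. The fix is to end the script right after the redirect, so
    // the response to an unauthenticated request contains no admin content.
    header('Location: /login.php', true, 302);
    exit;
}
```

In news.php the first two statements are `require __DIR__ . '/auth_guard.php';` and `require_admin();`, placed before the first byte of output (a stray newline before `<?php` would also break header()). With the guard in place, rewriting the 302 to 200 in Burp yields an empty body, because nothing after `exit` ever runs for an unauthenticated request.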

The problem is fixed; data was getting posted before the header call. That's why this issue came up. Thanks.

BVL KIRAN