Login breach

I have this login code that directs “civilians” to a certain page and “hosts” to a different page. Now the log-in part works. But if I log in as “civilian” and then change the URL to the host page (ciubab.com/host.php) I am able to access it, which is something I cannot allow.

So how do I block “civilians” from entering a page only for hosts?

I tried using a while loop in the host page to block civilians but that didn’t work. I tried reading about sessions and security but I haven’t found anything similar.
Can someone help me?

Login code (I only published the relevant part):


<?php
session_start(); // must run before anything is written to $_SESSION

// hash_equals() avoids PHP's loose "==" comparison, which treats some hash
// strings (e.g. "0e..." values) as equal numbers. md5() itself is a weak
// password hash; password_hash()/password_verify() is the better choice.
if ($username == $dbusername && hash_equals($dbpassword, md5($password))) {
    if ($who == 'host') {
        $_SESSION['username'] = $username;
        header("Location: http://ciubab.com/host.php");
        exit(); // stop the script so nothing after the redirect is served
    }
    if ($who == 'civilian') {
        $_SESSION['username'] = $username;
        header("Location: http://ciubab.com/civilian.php");
        exit();
    }
}
?>

Ok, I solved it finally.
I just had to add $_SESSION['who']=$who; to the login page,
and then I added another piece of code into my host and civilian page and it worked.
The code I added was:

<?php
session_start(); // the session has to be started on this page too, or $_SESSION is empty

// isset() guards against an "undefined index" notice for visitors with no session at all
if (!isset($_SESSION['who']) || $_SESSION['who'] !== 'host') {
    session_destroy();
    header('Location: http://ciubab.com/mustlogin.php'); // Location needs an absolute URL
    exit();
}
?>

Hopefully this can help other beginners.

Good to hear that you've solved it. Remember that you should check login/permissions on every relevant page. Otherwise users can bypass the login using bookmarks, by directly typing the URL in the browser address bar, by emailing private links to another person, by extracting interesting URLs from website log files and so on.
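The pattern the thread converges on (store the role server-side at login, then check it at the top of every protected page) written out as a single reusable include. This is an added example, not code from the thread or from ciubab.com; it assumes a file named auth.php, a constructed in-memory $users array standing in for the database query, and password_hash()/password_verify() in place of the md5() comparison used above. The role is read from the stored user record rather than from a submitted $who value, so a civilian cannot claim to be a host by editing the form.

```php
<?php
// auth.php (added example). Included at the top of every protected page:
//   require __DIR__ . '/auth.php';
//   require_role('host');        // in host.php
//   require_role('civilian');    // in civilian.php
declare(strict_types=1);

// Constructed sample user table; in the thread this comes from the database.
// Hashes are produced at load time here only so the example is self-contained;
// in practice the password_hash() output is stored, never the plaintext.
$users = [
    'alice' => ['hash' => password_hash('host-secret', PASSWORD_DEFAULT), 'who' => 'host'],
    'bob'   => ['hash' => password_hash('civ-secret',  PASSWORD_DEFAULT), 'who' => 'civilian'],
];

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start([
            'cookie_httponly' => true,   // JavaScript cannot read the session cookie
            'cookie_samesite' => 'Lax',  // limits cross-site requests carrying the cookie
            'use_strict_mode' => true,   // reject session IDs the server did not issue
        ]);
    }
}

// Authenticate and record the role in the session. Returns the role on
// success, null on failure. The role comes from the stored record, not
// from anything the client submitted.
function login(array $users, string $username, string $password): ?string
{
    start_session();
    $rec = $users[$username] ?? null;
    if ($rec === null || !password_verify($password, $rec['hash'])) {
        return null;
    }
    session_regenerate_id(true);          // new ID on privilege change: blocks session fixation
    $_SESSION['username'] = $username;
    $_SESSION['who']      = $rec['who'];
    return $rec['who'];
}

// Page guard. Returns true when the session carries the required role;
// otherwise wipes the session and redirects to the login page. Because it
// is called on every protected page, bookmarks and typed URLs are covered.
function require_role(string $role, string $loginUrl = 'http://ciubab.com/mustlogin.php'): bool
{
    start_session();
    if (($_SESSION['who'] ?? null) === $role) {
        return true;
    }
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $loginUrl, true, 303);
    exit();
}

// Login handler sketch (login.php), redirecting by the role login() returns:
//   $role = login($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   if ($role === null) { header('Location: http://ciubab.com/mustlogin.php'); exit(); }
//   header('Location: http://ciubab.com/' . $role . '.php'); exit();
```

Two details worth keeping even if the rest is adapted: the exit() after every header('Location: ...'), since PHP otherwise keeps executing and can emit the protected page body alongside the redirect; and session_regenerate_id() at login, so a session ID an attacker planted before authentication does not become an authenticated one.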