Block direct access to a page

6

Good afternoon, I'm developing a PHP site in which there is a login screen, which redirects to the admin screen, but if I try to access the admin screen directly through the url, it opens normally.

I'd like to block this direct access through the url, redirecting to the login screen. How can I do this?

Thank you.

    
asked by Ricardo Afonso 07.10.2015 в 19:17

1 answer

9

More simply, if you use pure PHP, you can do this:

session_start();

if (empty($_SESSION['admin'])) {
    return header('location: login.php');
}

The empty will already evaluate whether the value of admin exists and at the same time whether it is a boolean. If it is false and / or if it does not exist, the user will be redirected to login page (or any other page you want to redirect);

Note : Because of the critical comments regarding the use of empty , I clarify: I do not use isset because it would generate unnecessary code and would not apply to the case. >

Using the empty function, we deal with two problems at the same time: The person's case is not logged, ie the $_SESSION['admin'] variable does not exist; And the case of the variable has value false , because in this case empty returns false for values of type false - and if the user is not admin can not see the page.

I would use isset only to handle two different types of cases.

For example: differentiate unlogged user from logged in user who is not admin.

session_start();

if (! isset($_SESSION['admin']) {
   return header('location: pagina_de_usuario_nao_logado.php');
} elseif (isset($_SESSION['admin']) && $_SESSION['admin'] == false) {
    return header('location: pagina_de_logado_mas_nao_eh_admin.php');
}

If I used the same form I used in the first example, dealing with isset , the code would have to look like this:

if (! isset($_SESSION['admin']) || $_SESSION['admin'] == false) {
     // ...
}

See how it would be unnecessary to use isset , if we were to replace the first form.

    
07.10.2015 / 19:23