The GET and POST redirects (part 2)

authentication_check.php

For obvious reasons, the authentication_check.php page is not a page users browse to directly.  It is entirely enclosed in PHP tags so that all of its code runs server-side, and it has if/elseif/else statements that redirect to other pages based on the outcome of the check.  The scope of this article is not to deep dive into the authentication_check.php page; we are just looking at the GET and POST redirects.  Unlike the content.php, edit_content.php and signin.php pages, the authentication_check.php page does not display id=$id&topic=$topic in the URL.  This is because the form on authentication_signin.php uses POST instead of GET, which keeps the ID and Topic out of the URL.  It also keeps the username and password out of the URL (and so out of browser history and server access logs, where a GET query string would otherwise land).  Because of this, the authentication_check.php page reads the ID and Topic (and the username and password) from $_POST instead of $_GET.

If the user is able to successfully authenticate, the user is redirected to the edit_content.php page.  If the user is not able to authenticate, the user remains on the authentication_check.php page.

<?php
// The ID and Topic arrive in the POST body from the form on authentication_signin.php,
// so they are read from $_POST rather than from the URL
$id = isset($_POST['id']) ? $_POST['id'] : '';
$topic = isset($_POST['topic']) ? $_POST['topic'] : '';
?>

Admin Page

We need a method to distinguish the admin.php page from the edit_content.php page.  As an example, let's say you are the administrator of the website and you have 20 users authorized to edit its content.  As the admin, you have permission to access both the admin.php and edit_content.php pages.  However, the 20 users should only be able to access the edit_content.php page and should not be able to access the admin.php page.  How do we prevent the 20 users from accessing the admin.php page?  The first step is code that flags admin.php as an admin page, so that the sign-in flow knows where the visitor came from.  We will place the following code in the admin.php page.

<?php
// The request URI: the path and query string of the current request, e.g. /admin.php
$uri = $_SERVER['REQUEST_URI'];

session_start();
if(isset($_SESSION["id"]) && !empty($_SESSION["id"])) {
    // Signed in: do nothing and let the admin page render
}
else{
    // Not signed in: send the user to the sign-in page and tell it where they came from.
    // urlencode() keeps a query string inside $uri from breaking the uri parameter, and
    // exit stops the rest of admin.php from being sent to a user who is not signed in.
    header("Location: authentication_signin.php?uri=" . urlencode($uri));
    exit;
}
?>

    The $uri line stores the request URI, which is the path and query string of the current request (the server name is not part of it).  Because this code is placed on admin.php, the variable becomes /admin.php
    session_start() starts (or resumes) the session
    The if/else is the logic
        If $_SESSION["id"] is set and not empty, the user is signed in and nothing is echoed.  In other words, we do nothing and remain on the admin page.
        Else, if $_SESSION["id"] is not set, we redirect to authentication_signin.php and append the $uri as the uri parameter.  This makes the redirect URL http://www.yourdomain.com/authentication_signin.php?uri=/admin.php (if the value is passed through urlencode(), the slash shows as %2F in the address bar and $_GET decodes it back).

The reason we append uri=/admin.php to the URL is that the next page, authentication_signin.php, will use uri=/admin.php to make a decision.
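As an added example (not code from the article), here is the same gate written as a function that admin.php or edit_content.php can call, together with a check of what authentication_signin.php will actually read back from $_GET['uri'].  The point it makes is that $_SERVER['REQUEST_URI'] includes any query string, so when the admin page is, say, /admin.php?tab=users&sort=name, appending it to the redirect unencoded hands the sign-in page a uri parameter that stops at the first &; urlencode() keeps it whole.  The sample request URI and the function names are constructed for this example.

```php
<?php
// Added example (not the article's code): building the sign-in redirect for a
// protected page, and checking what the sign-in page will read back from it.
declare(strict_types=1);

/** The URL a visitor who is not signed in is sent to, carrying where they came from. */
function signin_redirect_url(string $requestUri): string
{
    // urlencode() so that a "?" or "&" inside the request URI stays part of the uri value
    return '/authentication_signin.php?uri=' . urlencode($requestUri);
}

/** What authentication_signin.php sees in $_GET['uri'] for a given redirect URL. */
function uri_seen_by_signin_page(string $redirectUrl): ?string
{
    $query = (string) (parse_url($redirectUrl, PHP_URL_QUERY) ?? '');
    parse_str($query, $params);          // the same decoding PHP applies to build $_GET
    return $params['uri'] ?? null;
}

/** Gate for a protected page: call it at the top of admin.php (or edit_content.php). */
function require_signed_in(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION['id'])) {
        return;                           // signed in: let the page render
    }
    header('Location: ' . signin_redirect_url($_SERVER['REQUEST_URI']), true, 302);
    exit;                                 // header() alone does not stop the script
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request URI with a query string, as the admin page might have.
    $requestUri = '/admin.php?tab=users&sort=name';

    // Appended as-is, the way the article's admin.php does it: "&sort=name" becomes
    // a separate parameter and the uri value loses its tail.
    $naive = '/authentication_signin.php?uri=' . $requestUri;
    echo "unencoded: ", uri_seen_by_signin_page($naive), "\n";

    // Encoded: the whole path and query string survive the round trip.
    echo "encoded:   ", uri_seen_by_signin_page(signin_redirect_url($requestUri)), "\n";
} else {
    require_signed_in();
}
```

Run from the command line it prints the two decoded uri values side by side, the unencoded one missing everything after the first & and the encoded one intact; served by a web server it behaves as the gate.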


authentication_signin.php

If the user does not have a cookie with a matching session ID number (so $_SESSION["id"] is not set), the user is redirected to the authentication_signin.php page.  If the user came from the admin page, the authentication_signin.php URL will carry uri=/admin.php.  If the user did not come from the admin page, the uri value is empty (or absent altogether).  The authentication_signin.php page contains the variable $uri = $_GET['uri'], which reads the uri from the address bar.  Also, inside the form which passes the input values to the next page, there is a hidden input whose value is that uri (/admin.php when the user came from the admin page), so it is submitted along with the username and password.

<?php
// The uri passed on the query string by admin.php; empty when the user did not come from there
$uri = isset($_GET['uri']) ? $_GET['uri'] : '';
?>

<!-- Carries the uri forward in the POST to authentication_check.php.  htmlspecialchars()
     stops a crafted uri value from breaking out of the attribute (reflected XSS). -->
<input type='hidden' name='uri' id='uri' value="<?php echo htmlspecialchars($uri, ENT_QUOTES, 'UTF-8'); ?>" >

authentication_check.php

As with the first authentication_check.php section above, the page is not one users browse to directly; it is entirely enclosed in PHP tags so that all of its code runs server-side, and its if/elseif/else statements redirect to other pages based on the outcome of the check.  The scope of this article is not to deep dive into that page; we are just looking at the GET and POST redirects.  Unlike the content.php, edit_content.php and signin.php pages, the authentication_check.php page does not display uri= in the URL.  This is because the form on authentication_signin.php uses POST instead of GET, which keeps the hidden uri value (along with the ID and Topic) out of the URL.  It also keeps the username and password out of the URL.  Because of this, the authentication_check.php page reads uri, the ID and Topic, and the username and password from $_POST instead of $_GET.

If the user is able to successfully authenticate, the user is redirected to the edit_content.php page.  If the user is not able to authenticate, the user remains on the authentication_check.php page.
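The following is an added example, not the article's authentication_check.php (which the article deliberately does not show in full).  It shows the redirect half of that page: the fields arrive in $_POST, a successful sign-in sends the user back to the uri it was given (so someone who started at /admin.php lands on /admin.php) and otherwise to edit_content.php.  Because the uri value originates in the browser, the example only honours a local absolute path; anything else would let a crafted link use the sign-in flow as an open redirect to another site.  verify_credentials(), its sample account and the user id it returns are placeholders assumed for this example; the separate question of which signed-in users may use admin.php is not addressed here.

```php
<?php
// Added example (not the article's code): the redirect half of authentication_check.php.
// verify_credentials() is a hypothetical stand-in for the credential check the
// article does not show; the sample account inside it is constructed for this example.
declare(strict_types=1);

/**
 * Accept only a local absolute path such as "/admin.php" or
 * "/edit_content.php?id=3&topic=php". Anything else (an empty value, "//evil.example",
 * "https://evil.example/", "javascript:...") is rejected, so a tampered uri field
 * cannot turn the post-login redirect into an open redirect.
 */
function safe_return_path(?string $uri): ?string
{
    if ($uri === null || $uri === '') {
        return null;
    }
    // Exactly one leading slash: "/x" is local, "//host/x" is a different origin.
    if ($uri[0] !== '/' || (isset($uri[1]) && $uri[1] === '/')) {
        return null;
    }
    // No backslashes or control characters (some clients treat "\" as "/").
    if (preg_match('/[\\\\\x00-\x1F\x7F]/', $uri) === 1) {
        return null;
    }
    // parse_url() must agree that there is no scheme or host in it.
    $parts = parse_url($uri);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return null;
    }
    return $uri;
}

/** Where to send the user after a successful sign-in. */
function post_login_target(?string $uri): string
{
    return safe_return_path($uri) ?? '/edit_content.php';
}

/** Send the redirect and stop; header() alone does not end the script. */
function redirect_to(string $path): void
{
    header('Location: ' . $path, true, 303);
    exit;
}

/** Hypothetical credential check; returns the user's id or null. */
function verify_credentials(string $username, string $password): ?int
{
    // Constructed sample account; a real site looks the user up in its database.
    $sampleUser = 'editor';
    $sampleHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    if (hash_equals($sampleUser, $username) && password_verify($password, $sampleHash)) {
        return 42;
    }
    return null;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $userId = verify_credentials($_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($userId === null) {
        http_response_code(401);
        echo 'Sign-in failed.';          // the user stays on authentication_check.php
        exit;
    }
    session_regenerate_id(true);         // fresh session id once signed in
    $_SESSION['id'] = $userId;
    redirect_to(post_login_target($_POST['uri'] ?? null));
} else {
    // Self-check from the command line: local paths pass, everything else falls back.
    $cases = [
        '/admin.php'                         => '/admin.php',
        '/edit_content.php?id=3&topic=php'   => '/edit_content.php?id=3&topic=php',
        ''                                   => '/edit_content.php',
        '//evil.example/'                    => '/edit_content.php',
        'https://evil.example/'              => '/edit_content.php',
    ];
    foreach ($cases as $input => $expected) {
        if (post_login_target($input) !== $expected) {
            throw new RuntimeException("unexpected target for '$input'");
        }
    }
    echo "self-check passed\n";
}
```

The 303 status makes the browser follow the redirect with GET even though the sign-in request was a POST, and session_regenerate_id() gives the signed-in user a session id that differs from the one they had before signing in.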

PROBLEM! I'm missing logic to know which users are allowed admin access.