Restrict access to a folder on the server after login

Viewed 232 times

2

I have the following problem: I have 1 application used by 5 users...

For each user there is a folder on the server, because for each one there is a configuration and some files are different, so the authentication links are:

user1 = www.meuservidor.com.br/pasta1
user2 = www.meuservidor.com.br/pasta2
user3 = www.meuservidor.com.br/pasta3
user4 = www.meuservidor.com.br/pasta4
user5 = www.meuservidor.com.br/pasta5

In the index of each folder there is a login screen that authenticates, via AJAX, the login and password supplied by the user against the database, with the following conditions:

session_start(); // the session must be started before $_SESSION is read

// If the user is not authenticated, open the login screen
if ( !isset($_SESSION['login']) and !isset($_SESSION['senha']) ) {
    // show the login form
}else{
    // show the restricted page
}

Situation of Example:

If I am already in user1...my session is started normally, but if I modify the url I can access the index of the other folders...because the session has already started.

I need help blocking this.

  • 2

    Make a central index file that includes the other files for navigation and a URL validation for each user type before displaying the folder, if /pasta1 and

  • Charles Fay, when the user logs in, save another element in the session that is the folder... When the user enters a different folder, you then have this rule to restrict access, although your business rule is completely wrong in my view, because there should be only one login, and that login should hold the decisions for the users.

  • Rethink your system and your process logic, because the problem is if you increase the number of users, it can be disastrous ...

  • Well put, @Cezar’s suggestion: what is in these folders? What does the user see? The ideal would be to create a single login and a single folder, determining what each user can see from rules.

  • So, actually this would not work for my case, because each folder has a PHP script, with different parameters and files... the user sees the result processed by the PHP files contained inside his folder.

  • @Mastria, the same files you have in one folder are also in the other, however they are not dynamic... that is how I thought it best. But if there’s no way, I’ll have to change everything.

  • This will only give you trouble, it would be better to set the privileges during the login, but leaving the administration configuration in a single directory, restricting only the menus, and options.

  • The structure in general is wrong, as commented. I only reinforce the warnings. Try to build a better structure because you are creating a monster that will give you a headache. This problem of login logic is the result of what you created and, is the least of the problems.


2 answers

1


Come on, according to what you’ve been through, the recommended approach would be to create a rule within each PHP file that is in each folder (somewhat repetitive, and less practical, but it meets your rule):

Inside each file, make the rule: if the user is not logged in, redirect to the /login screen, for example:

if (!isset($_SESSION['login']) and !isset($_SESSION['senha']) ) {
    header('Location: ./login'); // or whichever way you prefer to redirect
    exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}

Also check the user for each folder, giving:

if (!isset($_SESSION['login']) and !isset($_SESSION['senha']) ) {
    header('Location: ./login'); // or whichever way you prefer to redirect
    exit;
} else if($_SESSION['tipo_usuario'] != 1) { // say we are in the file of pasta1; store the user type when logging in
    header('Location: ./pasta'.$_SESSION['tipo_usuario']); // concatenate the folder name to send the user to their own folder
    exit;
}

And in the (single) login do the same thing to redirect after logging in:

header('Location: ./pasta'.$_SESSION['tipo_usuario']);

This is one of the ways for your application, I hope it helps.

Hugs

  • Thank you very much! I understand it’s less practical, but since this is an application for a very specific case of my client, this form fits perfectly.

  • If you run into "Cannot modify header information" errors, ask @Maestria to explain the reason for the problem.

0

In fact I did it like this:

But the credit goes to @Mastria

session_start();

$user = $_SESSION['login'];

// If the user is not authenticated, open the login screen
if ( !isset($_SESSION['login']) and !isset($_SESSION['senha']) ) {
    // show the login form
}else{
    if($user == 'user1'){
        // show the restricted page
    }else{
        echo "Acesso negado!"; // "Access denied!"
    }
}

I implemented this code on each user’s index... As there are only 5, it is not so much work, but I understand that if the number of users increases I will have to reformulate the logic of the application.

Thank you to all who participated!

  • A tip: do not keep the user’s password in the session, I see no need. Note that before checking whether the login session exists you have already assigned it to the variable $user; this can generate an error as well. Hug
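The two answers above both gate each folder's index.php on the session, and the last comment points out two weak spots in the accepted code (the password kept in the session, and $_SESSION['login'] read before the isset check). The following is an added example, not code from the question or either answer, showing one guard file that does the same job for every folder at once. It assumes a hypothetical layout with guard.php one level above the pastaN folders and a single /login.php; the user-to-folder table is constructed for the example and in practice would come from the database row loaded at login.

```php
<?php
// guard.php (hypothetical path): included at the top of every pastaN/index.php.
// It binds the logged-in user to the single folder they may use, so editing the
// URL to another pastaN redirects instead of serving that folder's page.
declare(strict_types=1);

// Constructed table: which login may see which folder.
const FOLDER_BY_USER = [
    'user1' => 'pasta1',
    'user2' => 'pasta2',
    'user3' => 'pasta3',
    'user4' => 'pasta4',
    'user5' => 'pasta5',
];

// Folder the current session may access, or null when nobody is logged in.
// Only the login name is read; the password is never stored in the session,
// and the value is fetched with ?? so a missing key is not an error.
function allowedFolder(array $session): ?string
{
    $login = $session['login'] ?? null;
    if (!is_string($login)) {
        return null;
    }
    return FOLDER_BY_USER[$login] ?? null;
}

// Decision for a request to $requestedFolder:
//   'login'      : no valid session, go to the login form
//   'allow'      : the session user belongs to this folder
//   'redirect:X' : the session user belongs to folder X, send them there
function decide(?string $allowed, string $requestedFolder): string
{
    if ($allowed === null) {
        return 'login';
    }
    if (hash_equals($allowed, $requestedFolder)) {
        return 'allow';
    }
    return 'redirect:' . $allowed;
}

// Called by login.php once password_verify() has accepted the password
// against the hash stored in the database: rotate the session id so an id
// issued before login cannot be reused, and keep only the login name.
function establishSession(string $login): void
{
    session_regenerate_id(true);
    $_SESSION = ['login' => $login];
}

// Enforcement. $here is the folder of the including index.php.
function guard(string $here): void
{
    session_start();
    $decision = decide(allowedFolder($_SESSION), $here);
    if ($decision === 'allow') {
        return; // index.php continues and renders the restricted page
    }
    $target = $decision === 'login'
        ? '/login.php'
        : '/' . substr($decision, strlen('redirect:')) . '/';
    header('Location: ' . $target, true, 303);
    exit; // without exit the rest of index.php would still be sent to the client
}

// In each folder's index.php (hypothetical):
//   require __DIR__ . '/../guard.php';
//   guard(basename(__DIR__));   // 'pasta1' when run from /pasta1/index.php
//   ... restricted page follows ...
// In login.php, after verifying the password:
//   establishSession($login);
//   header('Location: /' . FOLDER_BY_USER[$login] . '/', true, 303);
//   exit;
```

Two design points differ from the accepted code on purpose. The check keys on the login name alone: the original condition `!isset($_SESSION['login']) and !isset($_SESSION['senha'])` only opens the login form when both keys are absent, so a session with just one of them set would pass. And every redirect is followed by `exit`, which is what prevents the restricted HTML from being appended after the Location header.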
