
What's the best technique to protect my framework from visitors who are not logged in?

First of all, I would like to say that I have used the search box looking for a similar question and was unsuccessful, maybe because of my poor English skills.

I have a 'homemade' framework. I have certain PHP files that must only be visible to the admin. The way I currently do this is to check within every single page whether a session has been opened. If not, the user gets redirected to a 404 page, to make it seem like the file that has been requested doesn't exist.

I really don't know if this is guaranteed to work or if there's a better and safer way, because I'm currently working with kind of confidential data that should never become public.

Could you give me some tips? Or leave a link where I could find some?

Thank you very much, and again excuse me for kicking the dictionary.

What I usually write in the top of each file is something like this

<?php
include("sesion.php");
$rs = comprueba(); // 'check': returns true when a valid admin session exists

if ($rs) {
    // the page content goes here, between the two PHP blocks
?>

And then, at the end

<?php
}
else {
    header("Location: err404.html");
    exit; // stop here, otherwise whatever follows would still be sent to the client
}
?>

It is such a botched job, isn't it?

Let's say I have a customers list in a file named customers.php

That file may be currently on http://www.mydomain.com/admin/customers.php and it must only be visible for the admin user. Once the admin user has been logged in, I create a session variable. That variable is what I check on the top of each page, and if it exists, the customers list is shown. If not, the user gets redirected to the 404 page.

Thank you for your patience. I really appreciate it.

Apologies if I'm incorrect in interpreting your question but I think you're asking the best way to protect individual PHP pages used in the framework from people typing in the URL to view them?

If so, the best route I've found is to declare a constant in your master file (usually index.php).

<?php
define( '_MYAPP', 1 );

Then, at the top of each PHP file (before you define your classes) put:

<?php
defined( '_MYAPP' ) or die( 'No access.' );

I strongly recommend you use sessions.

Now, I think there are two ways to do this.

Easiest way I can think of is: make a session.php file and include/require it in every file in your application.

In this session.php do a session check for security tokens you can define when the user successfully logs in (preferably an encrypted salted string).

Edit: What I do in session.php file is die(); or redirect with header(); if no correct session is detected.

If you want, you can add an array of "public" files so that session check is skipped if one of those files is currently being executed.

The other harder way to do this (still using sessions and token verification) would be creating a dispatcher file that checked sessions and then redirected requests to a view that rendered the requested action.

If security is vital in your app, you should read this guide: PHP Security Guide: Overview by the PHP Security Consortium.

<?php
$logged_in = 'no';
include("session.php"); // changes $logged_in to yes if logged in

if($logged_in == 'no'){
header("Location: login.php?error=notloggedin");
exit;
}
?>

You can either put this at the top of all of your pages, or simply put this in your session.php file, or make a header.php file to include in all pages.
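A working version of the session.php guard the answers above describe (a session check included at the top of every page, a list of public pages that skip the check, and a redirect followed by exit). This is an added example, not code from any answer; it assumes login.php calls log_in_user() after verifying credentials, that pages are identified by their script basename, and a constructed public-page list and idle timeout.

```php
<?php
// session.php: include this at the top of every page, before any output,
// because session_start() and header() both need the headers still unsent.
declare(strict_types=1);

// Pages anyone may request without a session (list chosen for the example).
const PUBLIC_PAGES = ['index.php', 'login.php', 'logout.php'];
// Idle timeout in seconds (value chosen for the example).
const SESSION_IDLE_SECONDS = 1800;

session_start();

function current_page(): string
{
    return basename($_SERVER['SCRIPT_NAME'] ?? '');
}

function is_logged_in(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return false;
    }
    // Treat a session that has been idle too long as logged out.
    if (time() - (int) $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function require_login(): void
{
    if (in_array(current_page(), PUBLIC_PAGES, true) || is_logged_in()) {
        return;
    }
    // Drop any stale session data, then send the visitor to the login page.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?error=notloggedin', true, 303);
    exit; // without exit the protected page body would still be sent
}

// Called by login.php (assumed) once the credentials have been verified.
function log_in_user(int $userId): void
{
    session_regenerate_id(true); // new session id so a pre-login id is never reused
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_seen'] = time();
}

require_login();
```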
