If someone knows the URL of my admin page, such as www.example.com/admin.php, then they will easily access the page by directly accessing that URL. How do I restrict this? Please help.

+2  A: 

Require Authentication. (and Authorization - as commented below !)

10x @Just Somebody !

Dani
+1 except it's Authorization
just somebody
Generally speaking — it's both. You don't want to authorize an unauthenticated user :)
David Dorward
+1  A: 

If you use the Apache web server, you can restrict access using .htaccess. P.S. Take a look here: htaccess tutorial

igorp1024
+1  A: 

I will try to put a few of these answers together for you, depending on how your website is set up.

If it is a simpler website and you don't do any user handling or admin authentication, your main option is to do as igorp said and restrict based on the .htaccess file. You will get a popup asking for a predefined username and password, and only then will you have access to that particular page.

Again, this is good for a simpler website.

If it is more complex and you allow user logins to your site, you can set up access rights to various pages based on the user's access level.

For instance, in your administrative page(s), you would check the user's access level to see if he/she should be allowed to access the page. If he doesn't, redirect to an access denied type page. Otherwise, let them in.

With both of these methods, a user can browse directly to your administration pages and be required to go through some sort of validation. Either way, your admin pages will be protected.

espais
+7  A: 

You should never make the admin section public. You can't rely on obscurity for this; authorisation is the way to go. You can do this by using .htaccess, as described here, or by relying on PHP. A crude example follows below.

Below is a simple login implementation. If the password is correct it will allow the user to go to admin.php. You should read the PHP manual on sessions though, because the session header should be present on every page behind the login page. The password handling could be done more securely as well.

<?php
  session_name('MyAdminSession');
  session_start();

  if (isset($_POST['userid']) && isset($_POST['password'])) {
    $userid = $_POST['userid'];
    // Crude: an unsalted md5 of the submitted password (see the note above
    // about handling passwords more securely).
    $password = md5($_POST['password']);

    // Strict comparisons: a loose == between hash strings is subject to PHP
    // type juggling, and hash_equals() also runs in constant time.
    if ($userid === 'myusername' && hash_equals(md5('mypassword'), $password)) {
      session_regenerate_id(true); // issue a fresh session id on login
      $_SESSION['logged_in'] = true;
      header('Location: admin.php');
      exit;
    }
  }
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl">
  <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <title>My login page</title>
  </head>
  <body>
    <form action="index.php" method="post">
    <label for="userid">Username: </label><br />
    <input name="userid" type="text" id="userid" /><br />
    <label for="password">Password: </label><br />
    <input name="password" type="password" id="password" /><br />
    <p><input type="submit" name="submit" class="button" value="Log In" /></p>
    </form>
  </body>
</html>
mensch
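The following is an added example, not code from any of the answers above. It puts espais's "check the user's access level" idea and mensch's form login together: passwords are stored as password_hash() values instead of md5, the session id is regenerated on login, and a require_role() guard is meant to be included at the top of every admin page. The user store is a constructed in-memory array standing in for a database, and the file names index.php and admin.php are assumed to match mensch's form.

```php
<?php
// Added example (not from the original answers): session login plus an
// access-level check for admin pages. Assumed: a users table, replaced here by
// a constructed in-memory array; admin pages start with require 'admin_guard.php'.
declare(strict_types=1);

// Constructed sample user store. In a real application the hashes would be
// stored in a database; they are generated here so the example runs offline.
function user_store(): array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT), 'role' => 'admin'],
            'bob'   => ['hash' => password_hash('bob-password', PASSWORD_DEFAULT), 'role' => 'user'],
        ];
    }
    return $users;
}

function start_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_name('MyAdminSession');
    // Cookie hardening: not readable by JavaScript, not sent on cross-site
    // requests, and only over TLS when the site is served over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// Establishes the session on success; returns false on any failure.
function login(string $userid, string $password): bool {
    $users = user_store();
    // Verify against a dummy hash for unknown users so the response time does
    // not reveal which usernames exist.
    $hash = $users[$userid]['hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!isset($users[$userid]) || !password_verify($password, $hash)) {
        return false;
    }
    start_session();
    session_regenerate_id(true);      // prevents session fixation
    $_SESSION['user'] = $userid;
    $_SESSION['role'] = $users[$userid]['role'];
    return true;
}

// Include at the top of every admin page: unauthenticated visitors go to the
// login form, authenticated users without the role get a 403.
function require_role(string $role): void {
    start_session();
    if (!isset($_SESSION['user'])) {
        header('Location: index.php');
        exit;
    }
    if (($_SESSION['role'] ?? '') !== $role) {
        http_response_code(403);
        exit('Access denied');
    }
}

// Login handler for index.php: redirect to admin.php only after success.
if (PHP_SAPI !== 'cli' && isset($_POST['userid'], $_POST['password'])) {
    if (login((string)$_POST['userid'], (string)$_POST['password'])) {
        header('Location: admin.php');
        exit;
    }
    http_response_code(401);
    $error = 'Invalid username or password';   // shown by the form template
}
```

admin.php would then begin with require 'admin_guard.php'; require_role('admin'); before producing any output, which is the "session header on every page behind the login page" mensch refers to.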
A: 

Hello. You can block all IPs from the admin panel except your admins' IPs. Write something like this:

order allow,deny
deny from all
allow from {your IP}
allow from {your other admin's IP}

This should work.

HektoR
A: 

If you have cPanel (or a similar control panel) access, you can easily create password protected directories as well. This method uses htpasswd and htaccess files. If you set it up this way, anyone trying to access the protected directory will have to enter a user/pass. The only down side to it is that your admin files need to be in a directory of their own.

sachleen
A: 

If I ever need quick authentication I use HTTP authentication which is pretty simple assuming you're on an Apache webserver:

<?php
$USERS = array( 'foo' => 'bar' );

// Apache (mod_php) fills these from the Authorization: Basic header.
$user = (isset($_SERVER['PHP_AUTH_USER'])) ? $_SERVER['PHP_AUTH_USER'] : '';
$pass = (isset($_SERVER['PHP_AUTH_PW'])) ? $_SERVER['PHP_AUTH_PW'] : '';

// hash_equals() gives a strict, constant-time comparison; a loose != is
// subject to PHP type juggling.
if( !$user || !isset($USERS[$user]) || !hash_equals($USERS[$user], $pass) ) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    print '<h1>Error</h1>Authentication failed!';
    exit;
}

// if we made it this far the user logged in successfully!
Rob
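As an added example that is not part of Rob's or HektoR's answers, the block below layers the two approaches: an IP allowlist (HektoR's idea, done in PHP so it can handle CIDR ranges) in front of HTTP Basic authentication (Rob's approach, with the password stored as a password_hash() value rather than plaintext). HektoR's `order`/`deny`/`allow` directives are Apache 2.2 mod_access syntax; Apache 2.4 expresses the same restriction with `Require ip`. The allowlist addresses, the user and the hash are constructed sample values; the code assumes 64-bit PHP under Apache with mod_php and no reverse proxy in front of the server.

```php
<?php
// Added example (not from the original answers): IP allowlist plus HTTP Basic
// authentication for an admin endpoint. Assumed: 64-bit PHP under Apache
// (mod_php), which populates PHP_AUTH_USER / PHP_AUTH_PW, and no reverse proxy.
declare(strict_types=1);

// Constructed sample allowlist: a single address and a CIDR range.
const ADMIN_ALLOWLIST = ['203.0.113.10', '192.0.2.0/24'];

// Constructed sample user; the hash is generated at runtime so the example
// runs offline. Never keep the plaintext password in the script.
function basic_auth_users(): array {
    static $users = null;
    if ($users === null) {
        $users = ['foo' => password_hash('bar', PASSWORD_DEFAULT)];
    }
    return $users;
}

// True when the IPv4 address $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/n").
function ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits = (int)$bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;   // malformed input never matches
    }
    $mask = -1 << (32 - $bits);   // 64-bit PHP: high bits cancel in the comparison
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function client_allowed(string $remoteAddr): bool {
    // Decide on REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless
    // a trusted proxy overwrites it, so it must not feed an allowlist check.
    foreach (ADMIN_ALLOWLIST as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

function credentials_valid(string $user, string $pass): bool {
    $users = basic_auth_users();
    // Verify against a dummy hash for unknown users to equalise timing.
    $hash = $users[$user] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return isset($users[$user]) && password_verify($pass, $hash);
}

if (PHP_SAPI !== 'cli') {
    // Network check first: a disallowed address never sees the auth prompt.
    if (!client_allowed($_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        exit('Forbidden');
    }
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    if (!credentials_valid($user, $pass)) {
        header('WWW-Authenticate: Basic realm="Admin"');
        http_response_code(401);
        // Failed admin logins are worth recording for detection.
        error_log(sprintf('admin auth failure for "%s" from %s', $user, $_SERVER['REMOTE_ADDR'] ?? '?'));
        exit('Authentication failed');
    }
    // Reached only from an allowed address with valid credentials.
}
```

Basic auth sends the password base64-encoded on every request, so this only protects anything when the admin pages are served over HTTPS; the allowlist in front of it limits who can even attempt a login and keeps the failure log short and meaningful.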