I have a page that I restrict access to by checking if a certain session variable is set. But then again, users can clear that session variable and now have access to the page.

What can I do to prevent this? I am using PHP.

+5  A: 

...you set the session variable for people who are allowed to access the page, instead of vice-versa?

Anon.
+2  A: 

Well, normally users can't clear the variable itself (unless your code does it for them) but can only delete the session cookie itself, which would destroy the whole session (and now you could restrict access).

tDo
+3  A: 

Deny all, allow some.

Assume people without a session are not allowed.

Oli
A: 

In a PHP header at the TOP of the various pages you want to restrict access to, you'd put something like the following:

<?php
   session_start(); // start (or resume) the session before reading $_SESSION
   if (!isset($_SESSION['allowaccess']) || ($_SESSION['allowaccess'] == FALSE)) {
      // if the access token is not present or the token is false, then...
      echo "Access denied.";
      exit(); // stop here so the protected markup below is never sent
   }
?>

<h1>Super Seekrit Data</h1>

<p>yada yada yada</p>

This way, if the users clear their cookies or log out or whatever, the pages with this type of code will now deny access. Of course, they might still have a cached copy present on their end and can see the content until such time as the cache expires, but that's another problem to solve.

Marc B
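Putting the answers above together (deny by default, set the flag only after a successful login, strict comparison, and keep the page out of the browser cache as Marc B notes), here is an added example that is not from any of the answers. The function names, the cookie settings and the `$storedHash` argument (which stands in for a hash loaded from a real user store) are assumptions of this example.

```php
<?php
// session_guard.php  (added example, not from any of the answers above)
// Deny by default: a page is reachable only when login_user() has set the flag.
declare(strict_types=1);

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Assumed deployment: HTTPS only, cookie not readable by page scripts.
        session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Called by the login form handler. $storedHash is the password_hash() value
// you would load from your user store for $username (constructed by the caller here).
function login_user(string $username, string $password, string $storedHash): bool
{
    start_session();
    if (!password_verify($password, $storedHash)) {
        return false;                    // nothing is set in the session on failure
    }
    session_regenerate_id(true);         // fresh id so a pre-login id cannot be reused
    $_SESSION['allowaccess'] = true;
    $_SESSION['user'] = $username;
    return true;
}

// Include at the top of every restricted page, before any output.
function require_login(): void
{
    start_session();
    // Strict check: the flag must exist and be exactly boolean true. A cleared
    // cookie yields a fresh, empty session, which fails this test.
    if (($_SESSION['allowaccess'] ?? false) !== true) {
        http_response_code(403);
        header('Cache-Control: no-store');
        exit('Access denied.');
    }
    header('Cache-Control: no-store');   // protected content is not kept in the browser cache
}

function logout_user(): void
{
    start_session();
    $_SESSION = [];                      // clear server-side data
    session_destroy();                   // and discard the session itself
}

// Usage in the form handler, with a hash constructed for this example:
// $hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
// if (!login_user($_POST['user'], $_POST['pass'], $hash)) { http_response_code(401); exit; }
```

A restricted page then starts with `require 'session_guard.php'; require_login();` before emitting any markup.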