What's the best technique to protect my framework from visitors who are not logged in?
- by Hermet
First of all, I would like to say that I have used the search box looking for a similar question and was unsuccessful, maybe because of my poor English skills.
I have a 'homemade' framework. I have certain PHP files that must only be visible to the admin. The way I currently do this is to check within every single page to see if a session has been opened. If not, the user gets redirected to a 404 page, to make it seem like the file which has been requested doesn't exist.
I really don't know if this is guaranteed to work or if there's a better and safer way, because I'm currently working with kind of confidential data that should never become public.
Could you give me some tips? Or leave a link where I could find some?
Thank you very much, and again excuse me for kicking the dictionary.
EDIT
What I usually write at the top of each file is something like this:

```php
<?php
include("sesion.php");
$rs = comprueba(); // 'check'
if ($rs == 1) {
?>
```

And then, at the end:

```php
<?php
}
?>
```

It is such a botched job, isn't it?
EDIT
Let's say I have a customers list in a file named customers.php.
That file may currently be at http://www.mydomain.com/admin/customers.php and it must only be visible to the admin user. Once the admin user has logged in, I create a session variable. That variable is what I check at the top of each page, and if it exists, the customers list is shown. If not, the user gets redirected to the 404 page.
Thank you for your patience. I really appreciate it.
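
The per-page session check described in the question, written as one guard file that ends the request with a 404 instead of wrapping each page in an `if` block. This is an added example, not part of the original post; the file name `guard.php`, the functions `require_admin()` and `mark_admin_logged_in()`, the session keys `is_admin` and `last_seen`, the idle limit and the HTTPS setting are all assumptions.

```php
<?php
// guard.php (hypothetical name). At the top of every admin page:
//   require __DIR__ . '/guard.php';
//   require_admin();
declare(strict_types=1);

// Harden the session cookie before the session starts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumption: the site is served over HTTPS
    'httponly' => true,      // cookie not readable from JavaScript
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1'); // reject session ids the server did not issue
session_start();

const ADMIN_IDLE_LIMIT = 900; // constructed value: 15 minutes of inactivity

// Answer exactly like a missing file and stop, so no page code below runs.
function deny_as_not_found(): void
{
    http_response_code(404);
    header('Cache-Control: no-store');
    echo 'Not Found';
    exit;
}

// Allow the request only for a logged-in admin whose session is still fresh.
function require_admin(): void
{
    $isAdmin  = ($_SESSION['is_admin'] ?? false) === true;
    $lastSeen = (int) ($_SESSION['last_seen'] ?? 0);
    if (!$isAdmin || (time() - $lastSeen) > ADMIN_IDLE_LIMIT) {
        $_SESSION = [];          // drop any stale state
        deny_as_not_found();
    }
    $_SESSION['last_seen'] = time();
}

// Called by the login script after the password has been verified.
function mark_admin_logged_in(): void
{
    session_regenerate_id(true); // new session id when privileges change
    $_SESSION['is_admin']  = true;
    $_SESSION['last_seen'] = time();
}
```

Because `deny_as_not_found()` calls `exit`, a page that forgets its closing brace or adds code after the check cannot leak output to a visitor without a session.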