Insuring proper use of a SITE and it's pages...
on 06.11.2009 23:11:31 by Don Wieland
Hello,
I am in the process of setting up a function to help with proper page
navigation/processes and page access. Basically, the way I was hoping
it could work is every time I load a page I would set a Last Page
SESSION variable with the file name. Then when another page is
targeted, I would refer to that session variable to make sure that the
navigation is allowed and that the user's level allows access to the
page (to guard against hacking, history, and bookmarks). If the two
tests are not invoked, it would then reset the "LastPage" with that
current page. I am running into issues with using the BACK button and
history.
Bottom line is I want the $_SESSION['LastPage'] set to the current page's
name regardless of how it's accessed. How do developers handle this?
The function is below:
function Validate_Page_Nav($db, $CurrentPage, $LastPage, $ErrorPage) {
    // Bind $CurrentPage as a parameter instead of interpolating it into
    // the SQL text, so the page name cannot alter the query.
    $stmt = $db->prepare("SELECT User_Level FROM Page_Access WHERE URI = ?")
        or die("failed to get access data");
    $stmt->bind_param("s", $CurrentPage);
    $stmt->execute() or die("failed to get access data");
    $stmt->bind_result($pa);
    if (!$stmt->fetch()) {
        $pa = '';                       // unknown page: nobody is allowed in
    }
    $stmt->close();
    // User_Level holds a comma-separated list of staff levels allowed on this page
    $URI_access = array_map('trim', explode(",", $pa));

    // Navigation check: the page recorded on the previous request must be the expected one
    if (!isset($_SESSION['Last_Page']) || $_SESSION['Last_Page'] != $LastPage) {
        header("Location: {$ErrorPage}?message=" . urlencode("Unable to update user information."));
        exit();
    }
    // Access-level check against the page's allow-list
    if (!isset($_SESSION['Staff_level']) || !in_array($_SESSION['Staff_level'], $URI_access)) {
        header("Location: {$ErrorPage}?message=" . urlencode("Unable to update user information."));
        exit();
    }
    $_SESSION['Last_Page'] = $CurrentPage;
}
Thanks for any advice you can offer.
Don Wieland
D W D a t a C o n c e p t s
~~~~~~~~~~~~~~~~~~~~~~~~~
donw@dwdataconcepts.com
Direct Line - (949) 305-2771
Integrated data solutions to fit your business needs.
Need assistance in dialing in your FileMaker solution? Check out our
Developer Support Plan at:
http://www.dwdataconcepts.com/DevSup.html
Appointment 1.0v9 - Powerful Appointment Scheduling for FileMaker Pro
9 or higher
http://www.appointment10.com
For a quick overview -
http://www.appointment10.com/Appt10_Promo/Overview.html
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
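An added example, not code from the thread or from Don's project, showing the direction a practitioner would take the function above: the level check runs on every request through a prepared statement, the page is sent with no-store headers so Back, history and bookmark visits reach the server again, and flow order is tracked as server-side state rather than by comparing the previous page name. The table and session names follow the thread; the mysqli handle $db, the error.php page and the step name edit_user are assumptions.

```php
<?php
// Added example, not code from the original thread. Names from the thread:
// table Page_Access, columns URI / User_Level, session keys Staff_level /
// Last_Page. The mysqli handle $db and the page names are assumed.

function page_allowed_levels(mysqli $db, string $uri): array {
    // Bind the URI as a parameter so it never becomes part of the SQL text.
    $stmt = $db->prepare("SELECT User_Level FROM Page_Access WHERE URI = ?");
    $stmt->bind_param("s", $uri);
    $stmt->execute();
    $stmt->bind_result($levels);
    $found = $stmt->fetch();
    $stmt->close();
    // Unknown page: empty allow-list, i.e. deny by default.
    return $found ? array_map('trim', explode(",", (string)$levels)) : [];
}

function deny(string $errorPage, string $reason): void {
    header("Location: " . $errorPage . "?message=" . rawurlencode($reason), true, 303);
    exit;
}

function require_page_access(mysqli $db, string $currentPage, string $errorPage): void {
    // Ask the browser not to reuse a cached copy, so Back, history and
    // bookmark visits reach the server and go through this check again.
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");
    // Authorization is decided on every request from the session's level,
    // never from which page the browser claims to have come from.
    $level = isset($_SESSION['Staff_level']) ? (string)$_SESSION['Staff_level'] : '';
    if ($level === '' || !in_array($level, page_allowed_levels($db, $currentPage), true)) {
        deny($errorPage, "Access denied.");
    }
    $_SESSION['Last_Page'] = $currentPage;   // kept for logging, not for the decision
}

function require_step_done(string $step, string $errorPage): void {
    // Multi-step flows: check a server-side record of the earlier step
    // (set $_SESSION['steps_done'][$step] = true when that step completes)
    // instead of comparing the previous page name, which Back breaks.
    if (empty($_SESSION['steps_done'][$step])) {
        deny($errorPage, "Please complete the previous step first.");
    }
}

session_start();
$page = basename($_SERVER['SCRIPT_NAME']);   // strip any client-supplied path
require_page_access($db, $page, 'error.php');
require_step_done('edit_user', 'error.php'); // only on the second page of a flow
```

Browsers may still show a page from the back/forward cache without contacting the server, so the no-store headers make a fresh request likely, not guaranteed; the per-request check is what actually protects the page.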
Re: Insuring proper use of a SITE and it's pages...
on 07.11.2009 03:23:49 by John Hicks
Don Wieland wrote:
> ... I am running into issues with using the BACK button and history.
>
> Bottom line is I want the $_SESSION['LastPage'] set to the current page's
> name regardless of how it's accessed.
Using the "Back" button doesn't necessarily produce a new request to the
server.
If you want to track such visits at the server, I think the conventional
wisdom is to deliver a dummy page with a redirect to the real "payload"
page. I believe the redirect will be invoked regardless of whether the
dummy page was arrived at by the "Back" button or not.
(But frankly it's been a while since I fooled with this so I may be wrong.)
John