Question

I am working on an admin section which has a login page with a login id and password form. In my admin section I have many pages, say login.php, st_admin.php, tmg_admin.php etc.

If I have to access the st_admin.php page then I can access it just by typing the link without entering the login user and password.

I want to restrict access to all pages through the admin panel only. No one should be able to access any of the pages by typing the URL directly. How is it possible?

The login.php code :

    <?php require_once('conn/conn.php'); ?>
    <?php
    // *** Validate request to login to this site.
    session_start();
    session_unset();   // clear any previous login before handling this one

    $loginFormAction = $_SERVER['PHP_SELF'];
    // $accesscheck is a register_globals-era variable; it is only set when that option is on
    if (isset($accesscheck)) {
        $_SESSION['PrevUrl'] = $accesscheck;
    }

    if (isset($_POST['staffid'])) {
        $loginUsername = $_POST['staffid'];
        $password = md5($_POST['password']);
        $MM_fldUserAuthorization = "accessid";
        $MM_redirectLoginSuccess = "staff/st_admin.php";
        $MM_redirectLoginFailed = "login.php?error=1";
        $MM_redirecttoReferrer = false;
        // legacy mysql_* extension (removed in PHP 7)
        mysql_select_db($database_conn, $conn);

        $LoginRS__query = sprintf("SELECT staffid, password, teamcode, accessid FROM tbl_staff WHERE staffid='%s' AND password='%s'",
            get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
            get_magic_quotes_gpc() ? $password : addslashes($password));
        $LoginRS = mysql_query($LoginRS__query, $conn) or die(mysql_error());
        $loginFoundUser = mysql_num_rows($LoginRS);

        if ($loginFoundUser) {
            $loginStrGroup = mysql_result($LoginRS, 0, 'accessid');

            // store the username and access group in the session
            $_SESSION['MM_Username'] = $loginUsername;
            $_SESSION['MM_UserGroup'] = $loginStrGroup;

            if (isset($_SESSION['PrevUrl']) && $MM_redirecttoReferrer) {
                $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
            }
            switch ($loginStrGroup) {
                case '2':
                    $_SESSION['staffid'] = $loginUsername;
                    header("Location: tutor/tr_admin.php");
                    break;
                case '3':
                    $_SESSION['staffid'] = $loginUsername;
                    header("Location: manager/mg_calendar.php");
                    break;
                default:
                    $_SESSION['staffid'] = $loginUsername;
                    header("Location: " . $MM_redirectLoginSuccess);
            }
        } else {
            header("Location: " . $MM_redirectLoginFailed);
        }
    }
    ?>

The st_admin.php code is:

    <?php
    session_start();
    $MM_authorizedUsers = "";
    $MM_donotCheckaccess = "true";

    // *** Restrict Access To Page: Grant or deny access to this page
    function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
        // For security, start by assuming the visitor is NOT authorized.
        $isValid = false;

        // When a visitor has logged into this site, the session variable MM_Username is set equal to their username.
        // Therefore, we know that a user is NOT logged in if that session variable is blank.
        if (!empty($UserName)) {
            // Besides being logged in, you may restrict access to only certain users based on an ID established when they log in.
            // Parse the strings into arrays.
            $arrUsers = explode(",", $strUsers);
            $arrGroups = explode(",", $strGroups);
            if (in_array($UserName, $arrUsers)) {
                $isValid = true;
            }
            // Or, you may restrict access to only certain users based on their group.
            if (in_array($UserGroup, $arrGroups)) {
                $isValid = true;
            }
            // An empty user list means any logged-in user is allowed.
            if ($strUsers == "") {
                $isValid = true;
            }
        }
        return $isValid;
    }
    ?>

I would really appreciate any advice.

No correct solution

OTHER TIPS

If someone types in the URL directly the referer is empty, so maybe do a check for that:

if (!isset($_SERVER["HTTP_REFERER"]))
{
    header("Location: index.php");
    return;
}

This will send them anywhere you wish if their HTTP referer is not set.

Usually I have an authentication.php file which is included on every page that needs to be authenticated. This class should check that the session is authenticated before loading the page.

If the user is not authenticated, you can set globals, or simply die with an error message.

If you have an admin back-end then you might want a second authentication.php just to handle admin.

If every page of your site has this then no one will be able to access URLs directly.

There may also be other/better ways to do this via Apache HTTP authentication.

If you have a file that you can or do include in all your other pages you can do:

define("NOACCESS", "dkgjeifnt");//just some random text

Now, in the pages you wish to cease direct access to, you can add:

if (!defined("NOACCESS")) {
    echo "You can not access this page directly";
    return;
}
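An authentication include of the kind the second answer describes, written here as an added example (not code from the question or from either answerer): one file required at the top of every admin page that decides on the server-side session alone, instead of on client-supplied data such as the referer or on a define() guard. The file name auth_check.php, the session key accessid and the staff group value '1' are assumptions; the group codes '2' and '3' are the ones login.php already switches on.

```php
<?php
// auth_check.php (assumed file name): required at the top of every admin page.
// Added example, not code from the question or the answers above.
declare(strict_types=1);

// Call once after the login query found a user: rotate the session id so a
// session established before login cannot be reused, then record who is
// logged in. Assumes the access group is stored under 'accessid' (the
// question's login.php stores only 'staffid').
function establishSession(string $staffId, string $accessId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['staffid']  = $staffId;
    $_SESSION['accessid'] = $accessId;
}

// Stop the request unless the session names a staff member whose group is in
// $allowedGroups; an empty array allows any logged-in group.
function requireLogin(array $allowedGroups, string $loginUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $staffId = (string) ($_SESSION['staffid'] ?? '');
    $group   = (string) ($_SESSION['accessid'] ?? '');

    $loggedIn = $staffId !== '';
    $groupOk  = $allowedGroups === [] || in_array($group, $allowedGroups, true);
    if ($loggedIn && $groupOk) {
        return; // authorised: let the page render
    }

    // Not authorised: drop any partial session state and redirect. The exit
    // is essential; header() alone does not stop the rest of the page from
    // being generated and sent to the client.
    $_SESSION = [];
    header('Location: ' . $loginUrl . '?error=1', true, 302);
    exit;
}

// Usage at the very top of staff/st_admin.php, before any output:
//   require_once __DIR__ . '/../auth_check.php';
//   requireLogin(['1'], '../login.php'); // group '1' is an assumed staff value
// tutor/tr_admin.php would pass ['2'] and manager/mg_calendar.php ['3'],
// matching the group codes login.php already switches on.
```

Because the check runs before any HTML is emitted, typing the URL of st_admin.php directly produces only the redirect to login.php, which is the behaviour the question asks for.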
Licensed under: CC-BY-SA with attribution