PHP Shopping Cart Tutorial
Learn how to create an online store with PHP and MySQL

Password-protecting administrative mode

For simplicity we shall assume that there is only one administrative access level, in other words, a single user who has full access to all back end facilities. Thus there will be only one login and password combination that grants access to the back end.

In Shop-Script FREE the administrative mode is accessed through the admin.php script.
We use PHP sessions to protect the back end from unauthorized access. This is how the protection is implemented.

When someone requests admin.php, the script checks whether the visitor has already passed the authorization form:

<?php
// The constants ADMIN_LOGIN and ADMIN_PASS come from the installation config file;
// session_start() must run before $_SESSION can be read.
require_once "cfg/connect.inc.php";
session_start();

// CHECK #1
// Check whether or not session data match data in the configuration file.
// In $_SESSION we store the administrator login name and MD5-hashed password.
if ((isset($_SESSION["log"]) && isset($_SESSION["pass"])) &&
    (strcmp($_SESSION["log"], ADMIN_LOGIN) ||
     strcmp($_SESSION["pass"], ADMIN_PASS)))
{
    // information does not match - unset session variables
    unset($_SESSION["log"]);
    unset($_SESSION["pass"]);
}

// CHECK #2
// in case of unauthorized access redirect the visitor to the authorization form
if (!isset($_SESSION["log"]) || !isset($_SESSION["pass"])) // unauthorized
{
    // show authorization form
    header("Location: access_admin.php");
    // stop here: without exit the rest of admin.php would still be executed
    // and sent to the unauthorized visitor, the redirect header alone does not prevent that
    exit;
}
?>

Here ADMIN_LOGIN and ADMIN_PASS (in CHECK #1) are constants that define the administrator's login and password. They are defined during Shop-Script FREE installation and saved in the file connect.inc.php located in the protected cfg/ folder.
To enhance security, ADMIN_LOGIN is stored in this file and in the session variables in BASE64 (encoded with the base64_encode() function), and ADMIN_PASS is stored in this file and in the session as an MD5 hash (function md5()).

The variable $_SESSION["log"] indicates whether the visitor has entered the correct login/password and has been authorized as administrator.
As you can see, CHECK #1 (see the source code fragment above) unsets $_SESSION["log"] if it does not match the ADMIN_LOGIN value from the configuration file.
If the $_SESSION["log"] variable is not defined, CHECK #2 redirects the visitor to the authorization form (access_admin.php):

When the user enters the login and password in this form, the submitted information is saved into the $_SESSION array and the user is redirected to admin.php to pass CHECKs #1 and #2:

<?php
// access_admin.php: the constants and the session are needed here as well
require_once "cfg/connect.inc.php";
session_start();

if (isset($_POST["authorize"]))
{
    // compare the submitted login (BASE64-encoded) and password (MD5-hashed)
    // with the values saved at installation time
    if (!strcmp(base64_encode($_POST["login"]), ADMIN_LOGIN) &&
        !strcmp(md5($_POST["password"]), ADMIN_PASS))
    {
        // login ok
        $_SESSION["log"] = ADMIN_LOGIN;
        $_SESSION["pass"] = ADMIN_PASS;
        // redirect to the admin interface
        header("Location: admin.php");
        exit;
    }
    else
        $errorStr = "Incorrect login and/or password";
}
?>

If correct login information is provided, the user is granted access to the back end resources and sees the back end home page:

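The two fragments above (the login handler in access_admin.php and CHECKs #1 and #2 in admin.php) together form one gate. The following is an added example, not Shop-Script FREE code, of the same single-administrator gate written the way a current PHP deployment would do it. It assumes a hypothetical config with ADMIN_LOGIN in plain text and ADMIN_PASS_HASH produced by password_hash() at installation time (MD5 is a fast digest, not a password hash, so offline guessing against a leaked cfg/ file is cheap), and it keeps only a boolean flag in the session instead of copying the credentials into $_SESSION. It also rotates the session id on login, compares in constant time, and always calls exit after a redirect. The sample constants at the top are constructed so the file runs stand-alone.

```php
<?php
// Added example (not Shop-Script code): a hardened single-administrator gate.
// Assumptions: ADMIN_LOGIN and ADMIN_PASS_HASH live in a config file outside the
// web root; here they are constructed inline so the file is self-contained.
declare(strict_types=1);

define('ADMIN_LOGIN', 'admin');
define('ADMIN_PASS_HASH', password_hash('correct horse battery staple', PASSWORD_DEFAULT));

// Cookie hardening must be configured before the session starts.
session_set_cookie_params([
    'httponly' => true,     // session cookie not readable by page scripts
    'secure'   => true,     // only sent over HTTPS
    'samesite' => 'Strict', // not attached to cross-site requests
]);
session_start();

/**
 * Verify submitted credentials. On success the session id is regenerated
 * (defeats session fixation) and a single authenticated flag is stored;
 * the credentials themselves never enter $_SESSION.
 */
function admin_login(string $login, string $password): bool
{
    $loginOk = hash_equals(ADMIN_LOGIN, $login);           // constant-time compare
    // Always run password_verify so a wrong login and a wrong password
    // take the same time and cannot be told apart by timing.
    $passOk = password_verify($password, ADMIN_PASS_HASH);
    if (!($loginOk && $passOk)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['admin_authenticated'] = true;
    $_SESSION['admin_login_time']    = time();
    return true;
}

/** Replaces CHECK #1 and CHECK #2: one flag plus an idle-time limit. */
function is_admin_authenticated(int $maxAgeSeconds = 3600): bool
{
    if (empty($_SESSION['admin_authenticated'])) {
        return false;
    }
    if (time() - ($_SESSION['admin_login_time'] ?? 0) > $maxAgeSeconds) {
        admin_logout();   // stale administrator session: force re-login
        return false;
    }
    return true;
}

function admin_logout(): void
{
    $_SESSION = [];
    session_destroy();
}

/** Call at the very top of admin.php. Execution stops after the redirect. */
function require_admin(): void
{
    if (!is_admin_authenticated()) {
        header('Location: access_admin.php');
        exit; // without exit the rest of admin.php would still be sent to the client
    }
}

// Form handler as it would appear in access_admin.php.
if (isset($_POST['authorize'])) {
    $login    = (string) ($_POST['login'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if (admin_login($login, $password)) {
        header('Location: admin.php');
        exit;
    }
    $errorStr = 'Incorrect login and/or password';
}
```

The design keeps the page's structure (a form handler that sets session state, and a check at the top of admin.php that redirects otherwise) but removes the reasons CHECK #1 existed: since nothing secret is stored in the session, there is nothing to re-compare against the config file on every request, and a leaked session file no longer exposes the login or password hash.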
Copyright © 2006 WebAsyst LLC