As you can see, in panel.php I have an href to coworkersmain.php. I want this link to be accessible only when the username is "admin".
This is panel.php:
<?php
// session_start() has to run before any output is sent; once the <!DOCTYPE>
// has been written the session cookie header can no longer be set.
session_start();
?>
<!DOCTYPE html>
<!-- opens after logging in -->
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Panel</title>
</head>
<body>
<h1>Welcome to the Panel</h1>
<!-- escape the session value before printing it into HTML -->
<p>You are <?php echo htmlspecialchars($_SESSION['username'] ?? '', ENT_QUOTES, 'UTF-8'); ?>.</p>
<a href="./coworkersmain.php" action="./checkadmin.php">Co-workers</a>
<form method="post" action="./logout.php">
<input type="submit" value="Logout" name="logout" class="logout-button"/>
</form>
</body>
</html>
And this is checkadmin.php:
<?php
session_start();
// Use ?? so a missing session key does not raise a warning.
if (($_SESSION['username'] ?? null) !== 'admin') {
// Redirect to panel page or display an error message.
// Nothing may be echoed before header(), otherwise the redirect is never sent.
header("Location: panel.php");
exit();
} else {
header("Location: coworkersmain.php");
exit();
}
?>
Solution:
- There is no such thing as an action attribute on an <a> element.
- Even if there was and it functioned like you think it would, checkadmin.php is functionally useless as there is nothing stopping anyone from simply going directly to coworkersmain.php. You need to put the access control inside the script you’re actually trying to control access to.
E.g., at the top of coworkersmain.php, before any HTML is output, use only:
<?php
session_start();
// Anyone who is not the admin is sent back to the panel; exit() stops the
// rest of the script from rendering after the redirect header.
if (($_SESSION['username'] ?? null) !== 'admin') {
header("Location: panel.php");
exit();
}
?>
Remember that the user controls the browser, and anything that you send to it, either HTML or JavaScript, can be read, modified, or ignored entirely by the user.
If you want to enforce access control it must be server-side.
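The same server-side check, pulled into a small include so that every protected script gets it with one line, as an added example that is not part of the original answer. It generalises the answer slightly: instead of comparing the username to the literal "admin", it compares a role that login.php (assumed, not shown on the page) stores in the session at login time; a plain `$_SESSION['username'] !== 'admin'` as in the answer works exactly the same way. The file name auth.php, the function names, and `$_SESSION['role']` are all assumptions of this example.

```php
<?php
// auth.php (hypothetical filename; example code, not the answer's own).
//
// Assumptions, none of which come from the original post:
//  - login.php verifies the password and then calls establish_session().
//  - Every admin-only script begins with
//        require __DIR__ . '/auth.php';
//        require_role('admin');
//    before it produces any output. The decision is made from server-side
//    session state only; which link the browser clicked, any attribute on
//    that link, or any JavaScript that ran cannot influence it.
declare(strict_types=1);

// Called once by login.php after the credentials have been verified.
// Regenerating the session id here prevents session fixation: an id the
// attacker planted before login does not survive into the logged-in session.
function establish_session(string $username, string $role): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['role']     = $role;   // 'admin' or 'user' in this example
}

// Abort the request unless the current session carries the required role.
// Returns only when access is allowed; otherwise it sends a response and exits.
function require_role(string $required, string $redirectTo = 'panel.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // No logged-in user at all: send to the login page (login.php is an
    // assumed filename) instead of the panel, which itself expects a session.
    if (empty($_SESSION['username'])) {
        header('Location: login.php', true, 303);
        exit();
    }

    // Logged in, but not allowed. Either redirect like the answer does, or
    // answer 403; both are fine as long as the script stops here.
    $role = $_SESSION['role'] ?? 'user';
    if ($role !== $required) {
        header('Location: ' . $redirectTo, true, 303);
        exit();   // without exit() the protected page would still be rendered
    }
}
```

With this in place, coworkersmain.php starts with `<?php require __DIR__ . '/auth.php'; require_role('admin'); ?>` on its first line and only then the `<!DOCTYPE html>`; the link in panel.php can be a plain `<a href="./coworkersmain.php">` and checkadmin.php is no longer needed. Note that `header()` only works if nothing has been output yet, which is why the check has to be the very first thing in the file.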