error redirect for separate admin login from user login #873

Open
perspolise opened this issue Jun 11, 2018 · 5 comments

Comments

@perspolise

I added a login page to separate the admin login page from the user login page. I edited the Auth class, line 60:

header('location: ' . Config::get('URL') . 'login');
to
header('location: ' . Config::get('URL') . 'admin/login/');

But in the output I see this error:

The page isn’t redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.

How do I fix this problem?!

@CaptainKarma

Hi,

You have two options already built into the framework:

First Option

    Redirect::to("admin/login");
    exit(); // <- DON'T forget this

Second Option

    if ($admin_check) {
        # Admin level
        $this->View->render('admin/login');
        exit();   // <- DON'T forget this
    } else {
        // do something else here (e.g. render or redirect for non-admins)
        exit();   // <- DON'T forget this
    }

Either should work. Ensure you put an admin check in the AdminController for the login function/page and for all other pages you want locked down to admins; otherwise someone could just go directly to the admin/login page, skipping your admin redirect check.

Hope that makes sense.

@perspolise
Author

perspolise commented Jun 12, 2018

@CaptainKarma

Hi, I changed AdminController to this:

    public function __construct()
    {
        parent::__construct();

        // special authentication check for the entire controller: Note the check-ADMIN-authentication!
        // All methods inside this controller are only accessible for admins (= users that have role type 7)
        Auth::checkAdminAuthentication();
    }

    public function index()
    {
        if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {
            $this->View->render('admin/index', 'admin');
        } else {
            Session::destroy();
            Redirect::to('admin/login'); // redirect to new version of admin login
            exit();
        }
    }

    public function login()
    {
        if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {
            Redirect::to('admin/index');
        } else {
            $this->View->render('admin/login', 'admin');
        }
    }

And edited Auth.php in the core folder to:

    public static function checkAdminAuthentication()
    {
        // initialize the session (if not initialized yet)
        Session::init();
    }

This works now, but I have two questions:

One: is this method correct and safe? Two: for every page I want to authorize I need to add if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {} else {}, and this is hard work :D

@CaptainKarma

I'm wondering if you meant AND... (Session::userIsLoggedIn() && Session::get("user_account_type") == 7),
so: is the user logged in AND are they an admin?

At the moment you have an OR statement:
(Session::userIsLoggedIn() || Session::get("user_account_type") == 7)
which is saying the user is logged in OR they are an admin, so they would pass as true just by being a logged-in user.

Add exit(); after the render statement just for safety, as in my original posting.

Otherwise it looks as strong as I would be able to write, lol. Testing is the only way to be sure; try something like Netsparker Community Edition.

@perspolise
Author

You're right about OR / AND, but I moved this code from Auth.php, line 56, to index() and login(). Do you have any idea for question two?

@CaptainKarma

For Question Two...

The controller, as part of building the page, will run the public function __construct every time, so whatever is in the Auth::checkAdminAuthentication function will run on each page load.

public function __construct()
{
    parent::__construct();
    Auth::checkAdminAuthentication();
}

So it depends what changes you make to that function.

Cheers
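A stand-alone sketch of the gate the last two replies describe (an added example, not code from this thread or from the framework): the logged-in AND admin check, run for every controller action, with the login action exempted so the redirect target does not trigger the same check again. The framework's Session and Redirect classes are replaced by a plain session array and a returned route; that substitution is an assumption made so the file runs on its own.

```php
<?php
// Added example: models the admin gate as pure functions over a session array so it
// runs stand-alone. In the framework, Session::userIsLoggedIn()/Session::get() would
// supply these values and the caller would do Redirect::to($route); exit();.

const ADMIN_ACCOUNT_TYPE = 7;            // role type the thread calls "admin"
const ADMIN_LOGIN_ROUTE  = 'admin/login';

/** True only for a user who is logged in AND has the admin role (AND, not OR). */
function isAdminSession(array $session): bool
{
    return ($session['user_logged_in'] ?? false) === true
        && (int)($session['user_account_type'] ?? 0) === ADMIN_ACCOUNT_TYPE;
}

/**
 * Gate for every action of the admin controller (call it from __construct).
 * Returns the route to redirect to, or null when the request may proceed.
 * The login action must be exempt: if the redirect target runs the same
 * check, every request bounces back to itself and the browser reports an
 * endless redirect.
 */
function adminGate(array $session, string $action): ?string
{
    if ($action === 'login') {
        // An admin who is already logged in is sent to the dashboard instead of the form.
        return isAdminSession($session) ? 'admin/index' : null;
    }
    return isAdminSession($session) ? null : ADMIN_LOGIN_ROUTE;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
}

// Constructed sample sessions (not real framework data).
$anonymous = [];
$plainUser = ['user_logged_in' => true, 'user_account_type' => 1];
$admin     = ['user_logged_in' => true, 'user_account_type' => 7];

check(adminGate($anonymous, 'index') === ADMIN_LOGIN_ROUTE, 'anonymous is redirected');
check(adminGate($plainUser, 'index') === ADMIN_LOGIN_ROUTE, 'plain user is redirected (OR would let them in)');
check(adminGate($admin, 'index') === null,                  'admin may proceed');
check(adminGate($anonymous, 'login') === null,              'login form stays reachable, no loop');
check(adminGate($admin, 'login') === 'admin/index',         'logged-in admin skips the form');
echo "all checks passed\n";
```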
