
Technical Support Forums


unverified user is able to access secure pages?

Thread began 3/01/2014 2:14 pm by Mags | Last modified 3/04/2014 12:20 pm by Jason Byrnes | 1513 views | 7 replies |

Mags


I've set up a slightly modified double opt-in user registration system. Instead of the person verifying themselves via email, I've set it up so that an email goes to the administrator who then decides whether or not to allow access. This changes the "userVerified" column from a 0 to 1 and the user then gets access. All works fine, apart from one thing which I discovered by accident - immediately after registering (at which point the user gets a screen telling them they will be emailed when their account is approved), if they then try to access any of the secure pages directly, they can view them. This is while their userVerified state is still set to 0. If they log out and then try to log in again, however, they can't get access (until of course their status is set to 1 by the administrator). Any idea why this would be?


sysop349733

It sounds to me as if you have not updated the access rule on the pages in question. Have you used Security Assist Access Page Manager to change the allow rule from allowed if logged in to allowed if verified?

There is a new tutorial that may help you: http://www.webassist.com/tutorials/User-level-authentication-with-SecurityAssist


Mags

Yes, I used the Access Pages Manager to secure the pages and it does work in all other circumstances - if the userVerified value is 0, the user can't access the pages and if it's 1, they can. When the user first registers, their account is set to 0 and when approved it changes to 1. In Access Pages Manager, I have a Verified User rule applied to the secure pages as follows:

Restrict if: <?php echo $_SESSION['SecurityAssist_UserID']; ?> =
Allow if: <?php echo $_SESSION['userVerified']; ?> = 1
Restrict if: <?php echo $_SESSION['userVerified']; ?> = 0

What seems to be happening is that, when the user registers, it's logging them in at the same time and before their account has been approved, they can access the secure pages. However, if they log out and then try to log in again, they can't, until someone approves their account.

It seems to be a similar issue which was reported in the post here: http://www.webassist.com/forums/posts.php?id=33668 however most of the replies are in PMs so I can't see how or if it was resolved.


sysop349733

You probably need help from someone with WebAssist on this (which I am not -- just another user), but I wonder about the restrict if userID = [blank]. If that's not part of the problem, I'd also check to make sure that the session variable userVerified is being properly set on the login page. Sorry if that's not much help.


Mags

I wondered that too, but that bit of the system was taken directly from the tutorial on setting up a double opt-in registration. I tried removing it to see what would happen but it removed the protection completely. Thanks for your suggestions, hopefully someone at WebAssist can help!


Jason Byrnes (WebAssist)

Remove the third condition of the rule:
Restrict if: <?php echo $_SESSION['userVerified']; ?> = 0

When the user registers the userVerified session is not set, so it evaluates the conditions as:
Restrict if: <?php echo $_SESSION['SecurityAssist_UserID']; ?> =

SecurityAssist_UserID has a value, so look at next rule

Allow if: <?php echo $_SESSION['userVerified']; ?> = 1

userVerified does not have a value, so is not = to 1, look at next rule

Restrict if: <?php echo $_SESSION['userVerified']; ?> = 0

userVerified does not have a value, so is not = to 0. Since this is the last rule, it will allow access since it can't restrict access.

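The rule walk-through in the reply above, modelled in PHP as an added example (not code from this thread and not WebAssist's own): evaluateRules(), sessionValue() and the rule array format are hypothetical, and the fall-through behaviour (no rule matched, so the result is the opposite of the last rule's action) is an assumption inferred from the explanation. It runs the original three-rule set and the two-rule fix against four constructed sessions, including the just-registered one where userVerified is unset.

```php
<?php
// Added illustration: a simplified model of ordered allow/restrict rules.
// evaluateRules() and the rule format are hypothetical, not SecurityAssist's API.

function sessionValue(array $session, string $key): string
{
    // An unset session variable behaves like an empty string when echoed.
    return isset($session[$key]) ? (string) $session[$key] : '';
}

function evaluateRules(array $rules, array $session): bool
{
    if ($rules === []) {
        return false; // no rules at all: deny
    }
    foreach ($rules as [$action, $key, $expected]) {
        if (sessionValue($session, $key) === $expected) {
            return $action === 'allow'; // first matching rule decides
        }
    }
    // Assumed fall-through: nothing matched, so a trailing "restrict"
    // that could not restrict lets the request through, and a trailing
    // "allow" that could not allow blocks it.
    $last = end($rules);
    return $last[0] !== 'allow';
}

$original = [
    ['restrict', 'SecurityAssist_UserID', ''],
    ['allow',    'userVerified',          '1'],
    ['restrict', 'userVerified',          '0'],
];
$fixed = array_slice($original, 0, 2); // third condition removed

// Constructed sample sessions (user id 42 is made up).
$sessions = [
    'anonymous'       => [],
    'just registered' => ['SecurityAssist_UserID' => '42'],
    'pending, re-login' => ['SecurityAssist_UserID' => '42', 'userVerified' => '0'],
    'approved'        => ['SecurityAssist_UserID' => '42', 'userVerified' => '1'],
];

foreach ($sessions as $label => $session) {
    printf(
        "%-18s original: %-5s fixed: %s\n",
        $label,
        evaluateRules($original, $session) ? 'ALLOW' : 'DENY',
        evaluateRules($fixed, $session) ? 'ALLOW' : 'DENY'
    );
}
```

Only the "just registered" session differs between the two rule sets. Setting userVerified explicitly in the session at registration, as it is on the login page, removes the unset state that the trailing restrict rule cannot match.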

Mags

Many thanks Jason, that fixed it!


Jason Byrnes (WebAssist)

You're welcome.
