panique / huge

Simple user-authentication solution, embedded into a small framework.


error redirect for separate admin login from user login

perspolise opened this issue · comments

I added a login page to separate the admin login page from the user login page. I edited the Auth class, line 60:

    header('location: ' . Config::get('URL') . 'login');

to

    header('location: ' . Config::get('URL') . 'admin/login/');

But in the output I see this error:

 The page isn’t redirecting properly

 Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

  This problem can sometimes be caused by disabling or refusing to accept cookies.

How do I fix this problem?!

Hi,

You have two options already built into the framework:

First Option

    Redirect::to("admin/login");
    exit(); // <- DONT forget this

Second Option

    if ($admin_check) {
        # Admin level
        $this->View->render('admin/login');
        exit();   // <- DONT forget this
    } else {
        // do something else here (e.g. render or redirect for non-admins)
        exit();  // <- DONT forget this
    }

Either should work. Ensure you put an admin check in the AdminController for the login function/page and all other pages you want locked down to admins; otherwise someone could just go directly to the admin/login page, skipping your admin redirect check.

Hope that makes sense

@CaptainKarma

Hi, I changed AdminController to this:

    public function __construct()
    {
        parent::__construct();

        // special authentication check for the entire controller: Note the check-ADMIN-authentication!
        // All methods inside this controller are only accessible for admins (= users that have role type 7)
        Auth::checkAdminAuthentication();
    }

    public function index()
    {
        if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {
            $this->View->render('admin/index', 'admin');
        } else {
            Session::destroy();
            Redirect::to('admin/login'); // redirect to new version of admin login
            exit();
        }
    }

    public function login()
    {
        if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {
            Redirect::to('admin/index');
        } else {
            $this->View->render('admin/login', 'admin');
        }
    }

And edited Auth.php in the core folder to:

    public static function checkAdminAuthentication()
    {
        // initialize the session (if not initialized yet)
        Session::init();
    }

This works now, but I have two questions:

One: Is this method correct and safe? Two: For each page to authorize I need to add `if (Session::userIsLoggedIn() || Session::get("user_account_type") == 7) {} else {}`; this is hard work :D

I'm wondering if you meant AND: `(Session::userIsLoggedIn() && Session::get("user_account_type") == 7)`
So: is the user logged in AND are they an admin?

At the moment you have an OR statement:
`(Session::userIsLoggedIn() || Session::get("user_account_type") == 7)`
which is saying the user is logged in OR they are an admin, so they would pass as true just by being a logged-in user.

Add `exit();` after the render statement just for safety, as in my original posting.

Otherwise it looks as strong as I would be able to write, lol. Testing is the only way to be sure; try something like Netsparker Community Edition.

You're right about OR / AND, but I moved this code from Auth.php line 56 to index() and login(). Do you have any idea for question two?

For Question Two...

The controller, as part of building the page, will run the public function __construct every time, so whatever is in the Auth::checkAdminAuthentication function will run on each page load.

    public function __construct()
    {
        parent::__construct();
        Auth::checkAdminAuthentication();
    }

So it depends what changes you make to that function.

Cheers
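The thread raises three points: the redirect loop from the first post, the OR-versus-AND role check, and the wish for one central check instead of one per action. The following is an added example, not code from the huge project or from either poster. It assumes the loop came from the admin controller's constructor re-running the check on the admin/login action itself (so the login page redirected to itself), that the dispatcher can hand the current route name to the check, and that role type 7 means admin as used above. The Session and Redirect classes below are small stand-ins written here so the file runs under `php` on the command line; in the framework itself Redirect::to sends a Location header, which is why the poster's advice to call exit() right after it matters.

```php
<?php
// Added example (hypothetical, not the huge project's own code).
declare(strict_types=1);

const ADMIN_ACCOUNT_TYPE = 7;            // role id used in the thread
const ADMIN_LOGIN_ROUTE  = 'admin/login';

// ---- stand-ins for the framework classes, constructed for this example ----
final class Session
{
    private static array $data = [];
    public static function init(): void {}
    public static function set(string $key, $value): void { self::$data[$key] = $value; }
    public static function get(string $key) { return self::$data[$key] ?? null; }
    public static function userIsLoggedIn(): bool { return (bool) self::get('user_logged_in'); }
    public static function destroy(): void { self::$data = []; }
}

final class RedirectException extends RuntimeException
{
    public function __construct(public string $route)
    {
        parent::__construct("redirect to {$route}");
    }
}

final class Redirect
{
    // The real framework sends a Location header; throwing here makes
    // "redirect and stop processing" one step that cannot be forgotten.
    public static function to(string $route): void
    {
        throw new RedirectException($route);
    }
}

// ---- the check, written once instead of copied into every action ----
final class Auth
{
    /**
     * Allow only users who are logged in AND hold the admin role.
     * $currentRoute is the controller/action being served; the login action
     * is exempt, otherwise redirecting to admin/login from inside the admin
     * controller sends the browser round in circles.
     */
    public static function checkAdminAuthentication(string $currentRoute): void
    {
        Session::init();
        if ($currentRoute === ADMIN_LOGIN_ROUTE) {
            return; // the login page must be reachable by anonymous users
        }
        $isAdmin = Session::userIsLoggedIn()
            && (int) Session::get('user_account_type') === ADMIN_ACCOUNT_TYPE;
        if (!$isAdmin) {
            Session::destroy();
            Redirect::to(ADMIN_LOGIN_ROUTE);
        }
    }
}

// Simulates what the AdminController constructor does on every request.
function serveAdminRoute(string $route): string
{
    try {
        Auth::checkAdminAuthentication($route);
        return "200 {$route}";
    } catch (RedirectException $e) {
        return "302 {$e->route}";
    }
}

// ---- constructed scenarios ----
Session::destroy();
echo serveAdminRoute('admin/index'), "\n"; // anonymous user: 302 admin/login
echo serveAdminRoute('admin/login'), "\n"; // login page itself: 200, no loop

Session::set('user_logged_in', true);
Session::set('user_account_type', 1);
echo serveAdminRoute('admin/index'), "\n"; // ordinary user: OR would admit, AND rejects: 302

Session::set('user_account_type', ADMIN_ACCOUNT_TYPE);
echo serveAdminRoute('admin/index'), "\n"; // admin: 200
```

The third scenario is the one the OR condition gets wrong: a logged-in non-admin satisfies `userIsLoggedIn()` alone and would reach the admin index. Exempting only the login route keeps every other admin action behind the check while breaking the self-redirect that produced Firefox's "isn't redirecting properly" message.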