[PHP] Re: Login/Security Problem

2001-11-14 Thread Daniel Masur

set a cookie, and delete it with a logout button or when the user leaves
your domain


Joe Van Meer [EMAIL PROTECTED] wrote in newsgroup post
news:[EMAIL PROTECTED]...
 Hi there. I'm new to php and would like some insight on securing a website.
 Upon successful login to my site (checks against database for username and
 password) I assign a session variable called '$islogged' to 'yes'. On all
 other pages throughout my site I use the following code to determine if this
 variable is set, and if not redirect them to the login page.

 if ($islogged == "no") {
     header("Location: index.php");
 }
 elseif (empty($islogged))
 {
     header("Location: index.php");
 }

 This seems to work, however, if I close out my browser and say type in
 main.php (this page has the above code) in the address bar I can still
 access the page. How can I fix this? Is there something else I could be
 doing to improve the functionality?
 Any insights would greatly be appreciated.

 Cheers Joe:)





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] Re: Login/Security Problem

2001-11-14 Thread Joe Van Meer

Thx for replying, so I can do away with the session variable that I was
setting and just set a cookie on their machine and delete it when they
logout? I don't have to check on each page?

Cheers Joe:)






Re: [PHP] Re: Login/Security Problem

2001-11-14 Thread Daniel Masur

so set an md5() of each user name as yes.
islogged=Ehyfoa74a23gfd
or whatever is good i think. but sessions are the most secure way, so think
about both (sessions and cookies) and decide what you really need.

you have linux?
you could make an .htaccess, and make real users with no bash, and let them
login with real usernames and passwords.

windows?
on win2k you could do this too. but be sure to not grant access to local
hd's. major security risk...

Stefan Rusterholz [EMAIL PROTECTED] wrote in newsgroup post
news:009f01c16d13$bfd6b4d0$3c01a8c0@quasimodo...
 I don't think this is a secure method.
 If I make only a little effort and find out that it's this variable $islogged
 which has to be set to yes (or whatever) I can gain access by simply typing
 into the browser's address bar
 www.yourdomain.com/theFileIWantToGo.php?islogged=yes and I will gain
 access.

 I'm sorry, but I can't tell you a better way to do it.

 Stefan Rusterholz, [EMAIL PROTECTED]
 --
 interaktion gmbh
 Stefan Rusterholz
 Zürichbergstrasse 17
 8032 Zürich
 --
 T. +41 1 253 19 55
 F. +41 1 253 19 56
 W3 www.interaktion.ch
 --





Re: [PHP] Re: Login/Security Problem

2001-11-14 Thread Tamas Arpad

On Wednesday 14 November 2001 14:58, you wrote:
I think mixing of the web application's and the host's operating
system's authentication is not the best thing (if you don't exactly
need that)

The $isLogged variable that is stored in the session is perfect as
long as you check that it came from the session
($HTTP_SESSION_VARS) and you know that no one can access and write
into your session files (open_basedir, and safe_mode in php.ini).

Arpi

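
Added example, not code from the thread: a page guard that follows the advice above to trust the login flag only when it comes from the session, written for current PHP, where `$_SESSION` replaces `$HTTP_SESSION_VARS`. The function names are hypothetical; the `islogged` key and `index.php` come from the original post, and the site is assumed to be served over HTTPS.

```php
<?php
// Added example. Function names are hypothetical; 'islogged' and index.php
// are taken from the original post. Assumes PHP 7.3+ and an HTTPS site.
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Lifetime 0 makes this a session cookie: the browser drops it on close.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    start_session();
    // Read the flag from server-side session data only. A request
    // parameter such as ?islogged=yes never ends up in $_SESSION.
    if (($_SESSION['islogged'] ?? 'no') !== 'yes') {
        header('Location: index.php');
        exit; // header() alone does not stop the rest of the page running
    }
}

// Call once, after the username/password check against the database passes.
function mark_logged_in(): void
{
    start_session();
    session_regenerate_id(true); // issue a fresh session id at login
    $_SESSION['islogged'] = 'yes';
}

// Logout: clear the server-side state and expire the session cookie.
function logout(): void
{
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: index.php');
    exit;
}
```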