[PHP] Re: Login/Security Problem
set a cookie, and delete it with a logout button or when the user leaves your domain

Joe Van Meer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> Hi there. I'm new to php and would like some insight on securing a website.
>
> Upon successful login to my site (checks against database for username and password) I assign a session variable called '$islogged' to 'yes'. On all other pages throughout my site I use the following code to determine if this variable is set, and if not redirect them to the login page.
>
>     if ($islogged == "no") {
>         header("Location: index.php");
>         exit; // stop here, otherwise the rest of the page is still sent
>     } elseif (empty($islogged)) {
>         header("Location: index.php");
>         exit;
>     }
>
> This seems to work, however, if I close out my browser and say type in main.php (this page has the above code) in the address bar I can still access the page. How can I fix this? Is there something else I could be doing to improve the functionality? Any insights would greatly be appreciated.
>
> Cheers Joe :)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Re: Login/Security Problem
Thx for replying, so I can do away with the session variable that I was setting and just set a cookie on their machine and delete it when they logout? I don't have to check on each page?

Cheers Joe :)

Daniel Masur [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> set a cookie, and delete it with a logout button or when the user leaves your domain
>
> Joe Van Meer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > [...]
Re: [PHP] Re: Login/Security Problem
so set an md5() of each user name as yes. islogged=Ehyfoa74a23gfd or whatever is good i think. but sessions are the most secure way, so think about both (sessions and cookies) and decide what you really need.

you have linux? you could make an .htaccess, and make real users with no bash, and let them login with real usernames and passwords. windows? on win2k you could do this too. but be sure to not grant access to local hd's. major security risk...

Stefan Rusterholz [EMAIL PROTECTED] wrote in message news:009f01c16d13$bfd6b4d0$3c01a8c0@quasimodo...
> I don't think this is a secure method. If I do only a little effort and find out that it's this variable $islogged which has to be set to yes (or whatever) I can gain access by simply typing into the browser's address bar www.yourdomain.com/theFileIWantToGo.php?islogged=yes and I will gain access.
> I'm sorry, but I can't tell you a better way to do it.
>
> Stefan Rusterholz, [EMAIL PROTECTED]
> --
> interaktion gmbh
> Stefan Rusterholz
> Zürichbergstrasse 17
> 8032 Zürich
> --
> T. +41 1 253 19 55
> F. +41 1 253 19 56
> W3 www.interaktion.ch
> --
> ----- Original Message -----
> From: Daniel Masur [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, November 14, 2001 2:33 PM
> Subject: [PHP] Re: Login/Security Problem
>
> > set a cookie, and delete it with a logout button or when the user leaves your domain
> >
> > Joe Van Meer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > > [...]
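As an added example, not code from the thread and not Daniel's: the cookie approach, but with the cookie carrying a random token the server issued at login instead of md5() of the user name, so a visitor who knows or guesses a user name cannot compute the value. The server keeps a table of issued tokens and looks the cookie up on every page, which also answers Joe's question: the check still has to run on each page, only the work of writing it is shared. The file name for the token table, the constant names and the function names (issueLoginCookie, userFromCookie, revokeLoginCookie) are assumptions, and the JSON file stands in for the users database Joe already has. It needs PHP 7.3 or later for the array form of setcookie().

```php
<?php
// Added example (not from the thread): cookie login with a server-issued random
// token. Assumptions: PHP >= 7.3; the token table is a JSON file in the temp
// directory (hypothetical path), standing in for a database table.

declare(strict_types=1);

const TOKEN_COOKIE = 'islogged';                                  // cookie name from Daniel's message
const TOKEN_TTL    = 1800;                                        // seconds of idle time before a token expires
define('TOKEN_STORE', sys_get_temp_dir() . '/login_tokens.json'); // hypothetical path

function loadTokens(): array
{
    if (!is_file(TOKEN_STORE)) {
        return [];
    }
    $data = json_decode((string) file_get_contents(TOKEN_STORE), true);
    return is_array($data) ? $data : [];
}

function saveTokens(array $tokens): void
{
    // Drop expired entries while we are here so the table does not grow forever.
    $now = time();
    $tokens = array_filter($tokens, fn(array $e): bool => $e['expires'] >= $now);
    file_put_contents(TOKEN_STORE, json_encode($tokens), LOCK_EX);
}

/** Called after the username/password check against the database succeeded. */
function issueLoginCookie(string $username): string
{
    $token  = bin2hex(random_bytes(32));   // 256 random bits; nothing in it is derived from the user name
    $tokens = loadTokens();
    // Store only a hash of the token: someone who can read the file still
    // cannot use its contents as cookies.
    $tokens[hash('sha256', $token)] = ['user' => $username, 'expires' => time() + TOKEN_TTL];
    saveTokens($tokens);
    setcookie(TOKEN_COOKIE, $token, [
        'expires'  => 0,          // browser-session cookie: discarded when the browser closes
        'path'     => '/',
        'httponly' => true,       // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    return $token;
}

/** The per-page check: the user name, or null if the cookie is missing, unknown or expired. */
function userFromCookie(array $cookies): ?string
{
    $token = $cookies[TOKEN_COOKIE] ?? '';
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;              // anything that is not a token we issued is rejected outright
    }
    $entry = loadTokens()[hash('sha256', $token)] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry['user'];
}

/** Logout button handler: forget the token on the server and expire the cookie. */
function revokeLoginCookie(array $cookies): void
{
    $token  = $cookies[TOKEN_COOKIE] ?? '';
    $tokens = loadTokens();
    unset($tokens[hash('sha256', (string) $token)]);
    saveTokens($tokens);
    setcookie(TOKEN_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// At the top of main.php and every other protected page:
//   $user = userFromCookie($_COOKIE);
//   if ($user === null) { header('Location: index.php'); exit; }
```

The `exit` after the redirect matters: `header()` only adds a response header, and without it the rest of main.php is still generated and sent along with the redirect.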
Re: [PHP] Re: Login/Security Problem
On Wednesday 14 November 2001 14:58, you wrote:
> so set an md5() of each user name as yes. islogged=Ehyfoa74a23gfd or whatever is good i think. but sessions are the most secure way, so think about both (sessions and cookies) and decide what you really need.
>
> [...]

I think mixing of the web application's and the host's operating system's authentication is not the best thing (if you don't exactly need that).

The $isLogged variable that is stored in the session is perfect as long as you check that it came from the session ($HTTP_SESSION_VARS) and you know that no one can access and write into your session files (open_basedir, and safe_mode in php.ini).

Arpi
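An added example, not code from the thread or from Arpi, of the session-based check Arpi describes: the flag is read only from the session superglobal ($_SESSION, the current name for the $HTTP_SESSION_VARS array), so a value supplied in the address bar never reaches it, and the session ID travels in a browser-session cookie that does not survive closing the browser. The file name auth.php and the function names are assumptions; it needs PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie().

```php
<?php
// auth.php: added example, not code from the thread. Every protected page
// (main.php and the rest) begins with:  require 'auth.php'; requireLogin();
// The check still runs on every page; only the code is no longer repeated.
//
// Assumptions: PHP >= 7.3 with the session extension enabled.

declare(strict_types=1);

// Session ID only in a cookie (never in the URL), lifetime 0 so the cookie is
// discarded when the browser closes, HttpOnly so page scripts cannot read it,
// and strict mode so the server rejects session IDs it never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Read the flag from the server-side session only. A bare $islogged, with
 * register_globals on, could be filled in from ?islogged=yes (Stefan's point);
 * $_SESSION['islogged'] can only be set by code running on the server.
 */
function isLoggedIn(): bool
{
    return ($_SESSION['islogged'] ?? false) === true
        && is_string($_SESSION['user'] ?? null);
}

/** Gatekeeper for every protected page: redirect to the login page and stop. */
function requireLogin(): void
{
    if (!isLoggedIn()) {
        header('Location: index.php');
        exit; // without this the rest of the page is still generated and sent
    }
}

/** Called by login.php once the username and password were checked against the database. */
function markLoggedIn(string $username): void
{
    session_regenerate_id(true); // fresh ID, so an ID handed out before login is not promoted
    $_SESSION['islogged'] = true;
    $_SESSION['user']     = $username;
}

/** Logout button handler: forget the server-side state and expire the cookie. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
    header('Location: index.php');
    exit;
}
```

On the session-file point: safe_mode was removed in PHP 5.4, so on a current PHP the equivalent precaution is a session.save_path that only the web server user can read and write, together with open_basedir where several sites share one server.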