phpinfo() Posted April 28, 2008

I have a page with a login form called sign_in.php. The form is: method=post onsubmit=_login.php

Then _login.php executes some functions, then on success forwards to the network.php.

I would like to add some code to the _login.php page to ensure users are logging in from sign_in.php and not other spoofed pages. I tried a few different things, but couldn't get them to work:

    if(!eregi("domain.com/sign_in.php",$_SERVER['HTTP_REFERER'])) {
        mail("email@domain.net", "Non-Form Attempt", "A login relay was attempted from the Web site and was blocked.", "From:Monitor");
        die();
    }

and

    <?php
    if (!$_POST['login']) {
        header("location: sign_in.php");
        exit;
    }
    ?>

dptr1988 Posted April 28, 2008

Set a session variable in the 'sign_in.php' page and check for it in the '_login.php' page.

http://us2.php.net/manual/en/function.session-start.php
http://us2.php.net/manual/en/reserved.variables.session.php

phpinfo() Posted April 28, 2008 (Author)

Yeah, but if I do this, like:

    session_start();
    $_SESSION['memberlogin'] = "memberlogin";

on the sign_in.php, and then put:

    if($_SESSION['memberlogin']!="memberlogin") {
        print "Access Denied!";
        exit;
    }

on the _login.php page, all I have to do is go to sign_in.php so the session starts, then go to my spoofed.php page and it will let me log in, since the session started.

How do I get around this? I only want the login to come from page sign_in.php.

samlingsu Posted April 28, 2008

Could you try posting a special variable from sign_in.php to _login.php?

Like this: in the sign_in.php form add

    <input type="hidden" name="test" value="test" />

and then validate the $_POST['test'] in _login.php. If OK, forward to the network.php; if not, forward back to the sign_in.php.

I am a PHP beginner from China and new in this forum, please don't mind my poor English.

dptr1988 Posted April 28, 2008

phpinfo(): You are correct! My mistake. I really don't think that you can control where a form submission comes from. Why do you want to control where the form submission comes from? What is the problem that you are trying to solve by controlling where the form submission comes from? Is there another way that you could solve this problem?

samlingsu: All form names/values can be spoofed.

phpinfo() Posted April 30, 2008 (Author)

I know I have had contact forms that used the above if eregi referrer code to prevent contact forms from being submitted if they didn't come from a certain page. But I tried adding this code to the _login.php page and it didn't seem to work.
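
An added example, not code from any poster in this thread: the session-variable and hidden-field suggestions above combined into one random, single-use token that sign_in.php stores in the session and prints into the form, and that _login.php compares before checking credentials. The function names and the `login_token` field name are assumptions. The check shows that the submitter loaded the form in the same session, which rejects submissions forged from other pages; a client that requests sign_in.php first can still script the POST, as dptr1988 points out.

```php
<?php
// Added example: one-time login-form token. All names here are hypothetical.

// sign_in.php: call after session_start() while rendering the form.
function issue_login_token(): string
{
    $token = bin2hex(random_bytes(32));        // unpredictable, unlike a fixed "test" value
    $_SESSION['login_token'] = ['value' => $token, 'issued' => time()];
    return $token;
}

// _login.php: call after session_start(), before any credential check.
function check_login_token($submitted, int $maxAge = 900): bool
{
    $stored = $_SESSION['login_token'] ?? null;
    unset($_SESSION['login_token']);           // single use, whether the check passes or fails
    if (!is_array($stored) || !is_string($submitted) || $submitted === '') {
        return false;                          // form never rendered, or field missing/not a string
    }
    if (time() - $stored['issued'] > $maxAge) {
        return false;                          // form was rendered too long ago
    }
    return hash_equals($stored['value'], $submitted); // constant-time comparison
}

// In sign_in.php:
//   session_start();
//   $t = issue_login_token();
//   echo '<input type="hidden" name="login_token" value="'
//        . htmlspecialchars($t, ENT_QUOTES) . '">';
//
// In _login.php:
//   session_start();
//   if ($_SERVER['REQUEST_METHOD'] !== 'POST'
//       || !check_login_token($_POST['login_token'] ?? null)) {
//       header('Location: sign_in.php');
//       exit;
//   }

if (PHP_SAPI === 'cli') {                      // constructed walk-through, no web server needed
    $_SESSION = [];
    $t = issue_login_token();
    var_dump(check_login_token($t));           // genuine submission of the rendered form
    var_dump(check_login_token($t));           // replay of the same token
    var_dump(check_login_token('test'));       // fixed hidden value with no form rendered
}
```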