DaveLinger

security, php referrer variable

Hello all! I've done a lot of PHP coding in the past, and have a "staff" section for the site I'm currently working on, which just has an HTML page which submits the user-entered password to a PHP file which says if the POST password = the password in the file then it echoes the available links (add news, edit/delete news, upload a file, etc.) and when you click on a link, it links to the appropriate page. The problem is that if by chance someone knew the URL of a certain page (for instance, the "add a news article" page), they could bypass the password page to add news. The page with links to all of those locations is protected by the initial password, but how would I protect the other pages? I guess I could make an if statement at the beginning of each page I want protected that checks the referrer, like (excuse my ignorance of the PHP variable for referrer)

[code]<?php
// $_SERVER['HTTP_REFERER'] holds the Referer header the client sent, if it sent one.
// It is supplied by the client, so it is not a trustworthy access-control signal.
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == 'http://www.PCritics.com/staff/go.php')
{
    echo "page contents";
}
else
{
    echo "Please login through the staff page to access this page.";
}[/code]

Yeah? Whats the php variable for referrer, and what does it contain?

If you use sessions it'll be much better, as the referer variable can be spoofed and sometimes it is not set by the client's web browser.

So if you have sessions you'll have this block of code:
[code]<?php
session_start();

if(!isset($_SESSION['loggedIn'] || !$_SESSION['loggedIn'] == 1)
{
    die("Please login you are not authorised to access this page");
}

// rest of code here[/code]
When they log in, use this:
[code]session_start();
$_SESSION['loggedIn'] = 1;[/code]
That is a far better way of doing what you want to do.

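The session-based guard from this reply, carried through into a small login flow. This is an added example written for this page, not code from the thread or from PCritics.com; the file names (staff/auth.php, staff/login.php), the STAFF_PASSWORD_HASH environment variable, the 8-hour session lifetime and the include paths are assumptions. Compared with the snippet above it stores a password hash instead of comparing plaintext, regenerates the session ID at login, hardens the cookie flags, and tests a boolean rather than `!$_SESSION['loggedIn'] == 1` (which PHP parses as `(!$_SESSION['loggedIn']) == 1` and only works by accident). For contrast, the referrer check from the question is defeated by one request that sets the header itself, e.g. `curl -H 'Referer: http://www.PCritics.com/staff/go.php' http://www.PCritics.com/modules/calendar/addevent.php`; nothing in the code below looks at Referer.

```php
<?php
// ---- staff/auth.php ------------------------------------------------------
// Shared guard, included at the very top of every protected page before any
// output (a stray blank line or BOM before "<?php" is enough to trigger the
// "headers already sent" warning that comes up later in this thread).
declare(strict_types=1);

// Cookie hardening has to happen before session_start().
ini_set('session.use_strict_mode', '1');        // refuse session IDs the server never issued
session_set_cookie_params([
    'httponly' => true,                         // script cannot read the cookie
    'samesite' => 'Lax',                        // not sent on cross-site POST requests
    'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
]);
session_start();

const STAFF_SESSION_MAX_AGE = 8 * 3600;         // assumed absolute lifetime: 8 hours

function staff_is_logged_in(): bool
{
    return isset($_SESSION['loggedIn'], $_SESSION['loginTime'])
        && $_SESSION['loggedIn'] === true
        && (time() - $_SESSION['loginTime']) < STAFF_SESSION_MAX_AGE;
}

// Every protected page calls this. Only the server-side session is consulted,
// so forging request headers gains an attacker nothing.
function staff_require_login(): void
{
    if (!staff_is_logged_in()) {
        http_response_code(403);
        exit('Please log in through the staff page to access this page.');
    }
}

// Verifies the submitted password against a bcrypt hash. The hash is read from
// the STAFF_PASSWORD_HASH environment variable (an assumption of this example);
// generate it once with:
//   php -r 'echo password_hash("the staff password", PASSWORD_DEFAULT), PHP_EOL;'
function staff_login(string $submitted): bool
{
    $hash = getenv('STAFF_PASSWORD_HASH');
    if ($hash === false || $hash === '' || !password_verify($submitted, $hash)) {
        return false;
    }
    session_regenerate_id(true);                // fresh ID after login: blocks session fixation
    $_SESSION['loggedIn']  = true;
    $_SESSION['loginTime'] = time();
    return true;
}

// ---- staff/login.php -----------------------------------------------------
// Replaces the plain HTML form plus go.php password comparison from the question.
require __DIR__ . '/auth.php';

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (staff_login((string) ($_POST['password'] ?? ''))) {
        header('Location: /staff/go.php');      // the menu page named in the thread
        exit;
    }
    $error = 'Wrong password.';
}
?>
<form method="post">
  <?php if ($error !== '') { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
  <input type="password" name="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>

<?php
// ---- modules/calendar/addevent.php (top of file) ------------------------
require __DIR__ . '/../../staff/auth.php';      // relative path is an assumption
staff_require_login();                          // script stops here unless logged in
?>
<html>
<head>
<title>PCritics.com</title>
<!-- rest of the page -->
```

Each protected page needs only the two lines shown for addevent.php; the menu page go.php gets the same guard, so knowing a URL no longer bypasses anything. The flag is checked with `=== true` so that a stale or tampered value that merely happens to be truthy does not pass.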
[code]Parse error: parse error, unexpected T_BOOLEAN_OR, expecting ',' or ')' in /home/content/D/l/i/Dlinger/html/modules/calendar/addevent.php on line 8[/code]

(that's the "if" line)

[code]<?php
session_start();

// "!$_SESSION['loggedIn'] == 1" parses as "(!$_SESSION['loggedIn']) == 1";
// it happens to work, but "!= 1" says what is meant.
if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] != 1)
{
    die("Please login, you are not authorised to access this page");
}

// rest of code here[/code]

missing a paren after SESSION['loggedIn']

[code]
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/content/D/l/i/Dlinger/html/modules/calendar/addevent.php:4) in /home/content/D/l/i/Dlinger/html/modules/calendar/addevent.php on line 6[/code]

You must call session_start() before any headers are sent... place it at the very start of your script.

Well, here's my code:

[code]
<?php
session_start();

if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] != 1)
{
    die("Please login you are not authorised to access this page");
}
?>
<html>
<head>
<title>PCritics.com</title>
<?php
include('../../header.php');
?>

//the rest of my code here[/code]

And when I access the file directly, it acts like before, like the code isn't there; it lets me right in without starting the session =/

Actually, scratch that, it works, but how do I close the session when they're done?

so that code is everything on your addevent.php page?

I tried that same code on my server and it worked fine.

[quote=DaveLinger @ Jun 23 2006, 01:02 PM]
Well, here's my code:

[code]
<?php
session_start();

if (!isset($_SESSION['loggedIn']) || $_SESSION['loggedIn'] != 1)
{
    die("Please login you are not authorised to access this page");
}
?>
<html>
<head>
<title>PCritics.com</title>
<?php
include('../../header.php');
?>

//the rest of my code here[/code]

And when I access the file directly, it acts like before, like the code isn't there; it lets me right in without starting the session =/

Actually, scratch that, it works, but how do I close the session when they're done?
[/quote]

Turns out I already had the session in Firefox; tried it in IE and it worked.

Why do you need that?
Anyway, it's done using session_destroy(), or when the browser window is being closed.

Orio.

By closing your browser. Or, you can do this:

[code]<?php
session_start();                 // resume the session before it can be destroyed
unset($_SESSION['loggedIn']);    // explicitly drop the login flag
$_SESSION = array();             // reset the entire session array for good measure
session_destroy();               // destroy the server-side session data
[/code]
Though, I honestly don't know if this will work with tabbed browsing...

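A complete logout for the two replies above (Orio's session_destroy() and the unset/reset sequence). This is an added example, not code from the thread; the file name staff/logout.php and the redirect target are assumptions. It goes one step beyond the snippet above by also expiring the session cookie in the browser, which session_destroy() on its own does not do.

```php
<?php
// ---- staff/logout.php ----------------------------------------------------
// Clears server-side data, expires the cookie in the browser and discards the
// session record. Added example; the paths below are assumptions.
declare(strict_types=1);
session_start();

function staff_logout(): void
{
    // 1. Forget everything stored for this session (loggedIn, loginTime, ...).
    $_SESSION = [];

    // 2. Expire the session cookie with the same parameters it was set with.
    //    session_destroy() alone leaves the cookie in the browser; the browser
    //    keeps sending the old ID until the cookie is replaced or expires.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }

    // 3. Delete the server-side session data.
    session_destroy();
}

staff_logout();
header('Location: /staff/login.php');   // assumed location of the login form
exit;
```

On the tabbed-browsing question: every tab of the same browser sends the same session cookie, so destroying the session logs out all of them at once. Closing the browser only discards the cookie (when session.cookie_lifetime is 0); the server-side session data stays on disk until PHP's garbage collection removes it, which is why an explicit logout is preferable.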