webref.eu, posted December 12, 2008

Any security experts out there? Are there any weaknesses in using an include file to check whether the user is logged in via a logged_in session variable and, if not logged in, using a redirection to the login page (and then a redirection back if the login is successful)? The bit I am concerned about here security-wise is the redirection. Here's the code:

    <?php
    session_start();
    if(isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == 1) {
        //Do Nothing
    } else {
        $redirect = $_SERVER['PHP_SELF'];
        header("Refresh: 5; URL=user-login.php?redirect=$redirect");
        echo "You are being redirected to the login page!<br/>";
        echo "(If your browser doesn't support this, " .
             "<a href=\"user-login.php?redirect=$redirect\">click here</a>)";
        die();
    }
    ?>

Thanks for any comments. Rgds

https://forums.phpfreaks.com/topic/136699-solved-using-include-to-check-user-logged-in/
rhodesa, posted December 12, 2008

Redirecting is fine. I usually just use:

    header('Location: user-login.php');
    exit;
gevans, posted December 12, 2008

You could just do:

    <?php
    session_start();
    if(!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] != 1) {
        $redirect = $_SERVER['PHP_SELF'];
        header("Location: user-login.php?redirect=$redirect");
        die();
    }
    ?>
Brian W, posted December 12, 2008

    header("Refresh: 5; URL=user-login.php?redirect=$redirect");

That'll give them 5 seconds to see your content, right? They can also disable the HTML ability to change their location via that method. Use header('Location: destination.php'); instead. There is a great sticky topic here if you have problems using header().
gevans, posted December 12, 2008

@Brian W Look at the if loop: they won't see the page content, just the redirecting text. And a link is provided if redirect is disabled.
Brian W, posted December 12, 2008

> @Brian W Look at the if loop: they won't see the page content, just the redirecting text. And a link is provided if redirect is disabled.

Sorry, missed the fact that he does use die() and issues them a message (for whatever reason). Nvm, secure, you're fine with what you have. The page with the include() on it will error if it doesn't properly include the page in question, so there is no security difference between including it or putting it on every page.
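A hardened version of the login-check include discussed in this thread, added here as an example rather than any poster's code. It uses header('Location:') plus exit as the replies recommend, and additionally restricts the redirect parameter to a same-site path and escapes it in the fallback link; the function names require_login() and local_redirect_target(), and the login page name user-login.php, are assumptions.

```php
<?php
// Added example, not code from the thread. Include this at the top of
// every protected page, e.g. require 'auth-check.php';
session_start();

// Accept only a same-site, path-absolute target such as "/members/index.php".
// Full URLs, protocol-relative "//host" paths and CR/LF/NUL bytes fall back
// to "/", so the redirect parameter cannot bounce users off-site or inject
// headers. Call this on user-login.php too, where the value arrives via GET.
function local_redirect_target($raw, $fallback = '/')
{
    if (!is_string($raw) || $raw === '' || $raw[0] !== '/') {
        return $fallback;
    }
    if (substr($raw, 0, 2) === '//' || strpos($raw, '\\') !== false) {
        return $fallback;
    }
    if (preg_match('/[\r\n\0]/', $raw)) {
        return $fallback;
    }
    $parts = parse_url($raw);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $raw;
}

function require_login()
{
    // Assumes the login handler stores the integer 1 on success.
    if (isset($_SESSION['logged_in']) && (int) $_SESSION['logged_in'] === 1) {
        return; // logged in: let the including page continue
    }
    // SCRIPT_NAME is the server-side path of the running script and is not
    // echoed unescaped anywhere below.
    $target = local_redirect_target(isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '/');
    $login  = 'user-login.php?redirect=' . rawurlencode($target);

    header('Location: ' . $login);
    // Fallback link for clients that ignore the Location header, HTML-escaped.
    echo '<a href="' . htmlspecialchars($login, ENT_QUOTES, 'UTF-8') . '">Log in</a>';
    exit;
}

require_login();

// On user-login.php, after a successful login (assumed handler):
//   $back = local_redirect_target(isset($_GET['redirect']) ? $_GET['redirect'] : '/');
//   header('Location: ' . $back); exit;
```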
This topic is now archived and is closed to further replies.