
Not redirecting properly.



#1 treilad


Posted 15 July 2006 - 02:50 AM

Index2.php is a script I wrote that checks for a cookie. If the cookie is present, it sends them to the page they wanted, but if not, it redirects them to the login page. Index.php is my webpage. When I logout, it logs out, but when I click 'back', I can still see index.php. That shouldn't happen (so I thought) because I put:

<?php
include ('index2.php');
?>

at the top of index.php, so that it would run the script and redirect to login if they weren't logged in. It still lets me see index.php. I thought it was because I had to refresh for it to load, but it still didn't.

Perhaps an "if" would do it?

Also, I'm quite sure I'll have to code it to auto-refresh every time the page is visited, so that once the script is working it will run and keep people not logged in from seeing it, so in addition I need to know how to do that. Keep things in one topic.

#2 BillyBoB


Posted 15 July 2006 - 02:51 AM

Yeah, it should happen because you don't refresh your page in the script. I'm sure once you press back and refresh it will send them to wherever.

#3 pixy


Posted 15 July 2006 - 02:53 AM

I would think it's because the file is cached?

This is a .44 Caliber Loveletter straight through my heart.

Tabulas + Threadless + Hire Me!


#4 treilad


Posted 15 July 2006 - 02:55 AM

That would make sense.  :-[

But if I coded it to refresh each time, it would be cached with that code so it wouldn't be a problem. Right?

#5 akitchin


Posted 15 July 2006 - 02:55 AM

it would help to see the code you use to "logout" the user.  it could be that your cookie was improperly removed or reset, so the server thinks you're still logged in when you've been told that you're logged out.  in fact, it would be helpful to see index.php, index2.php, and your logout function if they're not too long.

#6 treilad


Posted 15 July 2006 - 02:56 AM

Can do. Will edit them into this post...

index.php
<?psp
include ('index2.php');
?>

<html>

<head>

<title="Untitled">

</head>

<body>

<center>

<table border="0" cellspacing="0" cellpadding="0" width="752">

<tr>

<td width="752" height="150" colspan="8" background="http://www.geocities.com/runelodge/header.jpg"></td>

</tr>

<tr>

<td width="94" height="15">

<a href="./index2.php"><img src="http://www.geocities.com/runelodge/button1.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./about.php"><img src="http://www.geocities.com/runelodge/button2.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./forum2.php"><img src="http://www.geocities.com/runelodge/button3.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./clans2.php"><img src="http://www.geocities.com/runelodge/button4.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./members2.php"><img src="http://www.geocities.com/runelodge/button5.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./links2.php"><img src="http://www.geocities.com/runelodge/button6.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./register.php"><img src="http://www.geocities.com/runelodge/button7.jpg" border="0"></a>

</td>

<td width="94" height="15">

<a href="./loginpage.php"><img src="http://www.geocities.com/runelodge/button8.jpg" border="0"></a>

</td>

</tr>

</table>

<table border="0" width="752" cellspacing="0" cellpadding="20">

<tr>

<td width="752" style="border: 1px solid grey;">

Testing, Testing, 1 - 2 - 3.

</td>

</tr>

</table>

</center>

</body>

</html>

Index2.php
<?php

include ('db.php');

if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{

if ($pass != $info['password'])
{ header("Location: loginpage.php");
}

else
{
echo ('<meta http-equiv="refresh" content="1;url=./index.php">');

}
}
}
else

{
header("Location: loginpage.php");
}
?>

Logout.php
<?php
// Expire both login cookies by setting an expiry time in the past.
$past = time() - 100;
setcookie('ID_my_site', 'gone', $past);
setcookie('Key_my_site', 'gone', $past);
header("Location: login.php");
?>

Thar they be.



#7 pixy


Posted 15 July 2006 - 02:56 AM

When you go back to the index after logging out, refresh the page and see if it kicks you off. Then, the worst that can happen is they see the main page after logging out--but if they click something it will load that page and kick them off anyways.



#8 redarrow


Posted 15 July 2006 - 02:58 AM

Also, I think you can set the cookie time if the user leaves a page, not sure though.
Wish i new all about php DAM i will have to learn
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#9 redarrow


Posted 15 July 2006 - 03:02 AM

read the below please ok.

The fact is that the browser must close before the cookie deletes.

using time()-1 to delete (expire) a cookie only works if the client's clock is set exact. my testing showed some weird results with my clock set 1 second or so behind the server. 1 day or even just a few seconds ahead of the server's time and the cookie doesn't expire when it's supposed to.

my test:
setcookie('k',$k+1,time()-1);
echo $k;

setting the expire time to 0 makes it a browser session cookie, lasting forever, until the browser is closed. but setting the expire time to 1 is the lowest timestamp possible and is most likely to expire the cookie without any problems.

my fix:
setcookie('k',$k+1,1);
echo $k;

this is my theory. I'm not sure why no one else has thought of this problem or solution, and I'm still testing, but please email me your questions or comments.


#10 treilad


Posted 15 July 2006 - 03:05 AM

When you go back to the index after logging out, refresh the page and see if it kicks you off. Then, the worst that can happen is they see the main page after logging out--but if they click something it will load that page and kick them off anyways.


That's what I thought. I said in my first post that that didn't work.  :P

#11 pixy


Posted 15 July 2006 - 03:05 AM

you could use this...
// Show the logout prompt only when the cookie is set and this is not logout.php.
if (isset($_COOKIE['user']) && strpos($_SERVER['PHP_SELF'], 'logout.php') === false) {
   echo 'You wanna log out?';
}
else {
   echo 'You wanna log in?';
}

Just an idea.



#12 treilad


Posted 15 July 2006 - 03:08 AM

// Show the logout prompt only when the cookie is set and this is not logout.php.
if (isset($_COOKIE['user']) && strpos($_SERVER['PHP_SELF'], 'logout.php') === false) {
    echo 'You wanna log out?';
}
else {
    echo 'You wanna log in?';
}


my fix:
setcookie('k',$k+1,1);
echo $k;


Both look promising. I'll try the simpler of the two first.

#13 pixy


Posted 15 July 2006 - 03:09 AM

Mine's better, I got it out of a book. :D Well, I remembered reading it in a book, so you might have to fix my syntax.

Lol, just let us know if it worked.



#14 akitchin


Posted 15 July 2006 - 03:12 AM

alright, first things first:  ensure that your setcookie() in your logout function matches EXACTLY your login setcookie(), with the exception of the expiry time.  second, make sure that you give it ample time difference, as pixy mentioned.  can never be too sure when annihilating cookies.

third:  your index.php logic is flawed.  say a user with a cookie set goes to index.php, and their credentials check out.  they are then sent to index.php again, and lo and behold, index2.php is run again.  it checks their info again.  it checks out again.  they're sent to index.php again.  lo and behold, index2.php is run again... (and so on).  if this hasn't happened to you already, it's a marvel of technology.

i would suggest simply checking the cookie against the database.  if their credentials check out, don't do anything.  they're on the page they want to access, no need to send them to it again.  if the credentials DON'T check out (or the cookie isn't set), however, header() them to the login page.  use exit; after the header() to ensure they're booted.

EDIT:  haha whoopsie, it was redarrow that mentioned the time difference.
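
The guard and logout described in the post above, as an added example that is not code from the thread. It keeps the thread's cookie names and `users` table, binds the cookie value as a query parameter instead of interpolating it into the SQL, and sends a no-store header to address the caching raised earlier; the `/` cookie path and the in-memory SQLite demo rows are assumptions.

```php
<?php
// Added example, not code from the thread. Cookie names and the users table
// follow the posts above; the '/' cookie path and sqlite demo are assumptions.
declare(strict_types=1);
/** True only when both cookies are present and match the stored row. */
function cookie_is_valid(PDO $db, array $cookies): bool
{
    $user = $cookies['ID_my_site'] ?? null;
    $key  = $cookies['Key_my_site'] ?? null;
    if (!is_string($user) || !is_string($key)) {
        return false;                    // missing or array-valued cookie
    }
    // Bound parameter: the cookie value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, $key);
}

/** Call at the top of every protected page, before any output. */
function require_login(PDO $db): void
{
    // Ask the browser not to keep a copy it could show again after logout.
    header('Cache-Control: no-store, private');
    if (!cookie_is_valid($db, $_COOKIE)) {
        header('Location: loginpage.php');
        exit;                            // nothing below runs for this request
    }
    // Valid: return and let the page render. No redirect, so no loop.
}

/** Expire both cookies with the same name and path used at login. */
function logout(): void
{
    foreach (['ID_my_site', 'Key_my_site'] as $name) {
        setcookie($name, '', 1, '/');    // timestamp 1 is long past
    }
    header('Location: loginpage.php');
    exit;
}

// Constructed demo rows, run from the command line only.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->exec("CREATE TABLE users (username TEXT, password TEXT)");
    $db->exec("INSERT INTO users VALUES ('demo', 'constructed-hash')");
    var_dump(cookie_is_valid($db, ['ID_my_site' => 'demo', 'Key_my_site' => 'constructed-hash']));
    var_dump(cookie_is_valid($db, ['ID_my_site' => 'demo', 'Key_my_site' => 'edited']));
}
```

Keeping a password hash in the cookie is the thread's scheme and is retained here only so the guard logic can be compared with index2.php.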

#15 pixy


Posted 15 July 2006 - 03:18 AM

^ I didn't know I mentioned time difference, but okie dokey.

I have a question: Couldn't someone go in and edit their cookie? The whole reason I switched coding to sessions was because I didn't want someone to go into their cookie, edit the file, and try to log in as someone else...?



#16 akitchin


Posted 15 July 2006 - 03:22 AM

they could hypothetically speaking, but it would be just like using the login form with random variables.  they still have to pass through the authentication part, which means it's a shot in the dark with whatever values they've given their cookie, much like it would be with a form.  if the cookie stores the password in hashed form, they have to go the extra step and hash whatever they think might be the password.  hackers don't have that kind of patience, they'd have some other, more efficient underhanded trick.

#17 heckenschutze


Posted 15 July 2006 - 03:23 AM

Yes, but you usually store the encrypted password in the cookie and check it against the database. <-- slow but meh :)
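
On the cookie-editing question in the posts above, an added example (not code from the thread) of a cookie value whose edits the server can detect: the username and expiry are covered by an HMAC that only the server can compute, so no password or password hash is stored in the cookie. `SECRET_KEY`, `issue_token()` and `verify_token()` are hypothetical names, the key is a constructed placeholder, and usernames are assumed not to contain `|`.

```php
<?php
// Added example, not code from the thread. SECRET_KEY, issue_token() and
// verify_token() are hypothetical; the key below is a constructed placeholder.
declare(strict_types=1);

const SECRET_KEY = 'constructed-demo-key-load-the-real-one-from-server-config';

/** Build "username|expiry|mac"; the MAC covers username and expiry. */
function issue_token(string $username, int $ttl, ?int $now = null): string
{
    if (strpos($username, '|') !== false) {
        throw new InvalidArgumentException('username must not contain "|"');
    }
    $payload = $username . '|' . (($now ?? time()) + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, SECRET_KEY);
}

/** Return the username if the token is intact and unexpired, else null. */
function verify_token(string $token, ?int $now = null): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;                     // malformed
    }
    [$username, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $username . '|' . $expiry, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;                     // value was edited after issue
    }
    if (!ctype_digit($expiry) || (int)$expiry < ($now ?? time())) {
        return null;                     // expired
    }
    return $username;
}

// Constructed demo, run from the command line only.
if (PHP_SAPI === 'cli') {
    $token = issue_token('demo', 3600);
    var_dump(verify_token($token));                                 // intact token
    // Changing the name without the server key leaves the MAC mismatched.
    var_dump(verify_token(str_replace('demo', 'other', $token)));   // edited token
    var_dump(verify_token($token, time() + 7200));                  // checked after expiry
}
```

PHP sessions take the other route: `$_SESSION` data stays on the server and the browser holds only the session ID.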

#18 pixy


Posted 15 July 2006 - 03:33 AM

^ When I used only cookies I did md5() on their username and saw if it matched the md5($_COOKIE['user']), but someone could change that...

Do you have to do anything like that with sessions? I just store $_SESSION['user'] as their username, uncoded...but it doesn't show up on their computer so they can't change it...right?

And heckenschutze, why do you say that suppressing errors with @ is not lazy? O_O



#19 treilad


Posted 15 July 2006 - 03:34 AM

I tried pixy's and I tried to try akitchin's. Only been using PHP for a week or so so I don't have all the syntax down. Can somebody point out my mistake(s) here?

<?php

include ('db.php');

if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{

if ($pass != $info['password'])
{ header("Location: loginpage.php");
}

else
{
header("Location: index.php");
exit;
}
}
}
?>

Is there an "if" statement y'all can think of that would make sure that the page runs a script every time? I realize I'd have to fix the script so it didn't cause the looping problem that akitchin mentioned, but that shouldn't be hard.

#20 pixy


Posted 15 July 2006 - 03:39 AM

What error are you getting? Or are you just wanting for us to look at it and see if it's right?

What I would do is check if the cookie IS NOT set, instead of if it is. That way you handle it first and die() the script...

if (!isset($_COOKIE['my_site_id'])) {
    // Send the redirect before any output, then stop the script.
    header("Location: loginpage.php");
    die('Dude, log your butt into the system!');
}
else {
    // Do what you want
}





