Session basics: Independent sessions


webmaster1


I have a log-in form that starts a session by checking the input against a database:

 

// mysql_num_rows() counts the rows the query returned; exactly one row means
// the username/password pair was found. (The mysql_* extension was removed in
// PHP 7; PDO or mysqli with prepared statements is its replacement.)
$count = mysql_num_rows($result);

if ($count == 1) {
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password; // not needed after login; the username alone identifies the session
    header("Location: success.php");
    exit; // stop here so nothing below is sent to a client that ignores the redirect
}

 

If the inputs match the user is redirected to success.php which checks for the session as follows:

 

<?php
// Begin the session. Must run before any output is sent.
session_start();

// If no username was stored by the login script, this page was reached
// without logging in. (session_is_registered() was removed in PHP 5.4;
// isset() on $_SESSION is the replacement.)
if (!isset($_SESSION['username'])) {

    // Redirect when the URL of this page is requested directly without a session.
    header("Location: fail.php");
    exit; // stop here, or the rest of the page is still sent

}
?>

 

[Q1] Let's say I have two users who are each redirected to a different success page. How do I prevent them from accessing each other's success pages? Here's what I'm trying to achieve in simpler terms:

 

SESSION A allows USER A to access SUCCESS PAGE A but not PAGE B

 

SESSION B allows USER B to access SUCCESS PAGE B but not PAGE A

 

How do I distinguish between sessions?

 

[Q2] If users listed in my username/password mysql table are each to be redirected to an individual URL, should I just save this as a third column in my username/password table (or is it bad practice to use this table for anything other than checking the username and password?)

 


Thanks Zagga. I don't want each user to have their own page. I need group a to be redirected to page a and group b to be redirected to page b. Group a and b cannot access each other's pages.

 

I'm going to add a third column to my username/password table to assign values for the variable to be used in the redirect URL, e.g. $direct_to = "page-a.php"; header("Location: /$direct_to");

 

 

 

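The two posts above ask how to let group a reach page-a.php and group b reach page-b.php, keyed off a third column in the username/password table. Below is an added example, not code from this thread: a guard that re-reads the user's group from the database on every request and a post-login redirect keyed by that group. It assumes the login script has already stored the matched row's id in $_SESSION['user_id'] after a successful password check. The users table, its column names, the page paths and the two sample rows are all constructed here; an in-memory SQLite table stands in for MySQL so the file runs offline.

```php
<?php
// Added example: group-based page authorization driven by a user_group
// column in the users table. Not the thread's code. The table, its
// columns, the page paths and the sample rows are constructed here.
declare(strict_types=1);

// In-memory SQLite stand-in for the MySQL users table (constructed data).
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL,
        user_group TEXT NOT NULL)');
    $ins = $pdo->prepare(
        'INSERT INTO users (username, password_hash, user_group) VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT), 'a']);
    $ins->execute(['bob',   password_hash('bob-pw',   PASSWORD_DEFAULT), 'b']);
    return $pdo;
}

// Landing page for each group. Kept in code rather than in the table so a
// database row can never send a browser to an arbitrary URL.
const GROUP_PAGES = ['a' => '/page-a.php', 'b' => '/page-b.php'];

// Group of the logged-in user, re-read on every request so a change to the
// row takes effect at once. Assumes the login script stored the matched
// row's id in $_SESSION['user_id']; returns null when nobody is logged in.
function current_user_group(PDO $pdo): ?string
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT user_group FROM users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['user_id']]);
    $group = $stmt->fetchColumn();
    return $group === false ? null : (string) $group;
}

// First statement of page-a.php after session_start():
//     require_group($pdo, 'a');
// and of page-b.php: require_group($pdo, 'b'). The check lives on the page
// itself; the redirect after login is a convenience, not the access control.
function require_group(PDO $pdo, string $required): void
{
    if (current_user_group($pdo) !== $required) {
        header('Location: /fail.php');
        exit;   // without exit, the rest of the page is still sent
    }
}

// Called by the login script once the password check has passed.
function redirect_to_group_page(PDO $pdo): void
{
    $target = GROUP_PAGES[current_user_group($pdo) ?? ''] ?? '/fail.php';
    header('Location: ' . $target);
    exit;
}

// Command-line check (php this_file.php): user 2 (bob) resolves to group b.
if (PHP_SAPI === 'cli') {
    $pdo = open_demo_db();
    $_SESSION['user_id'] = 2;
    var_dump(current_user_group($pdo), GROUP_PAGES[current_user_group($pdo)]);
}
```

Because the group is read from the row on each request, changing a user's group in the table (or deleting the user) locks them out of page-a.php or page-b.php on their next request, without waiting for the session to expire.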

You cannot enforce security using redirects anyway. You must either enforce security on each page (assuming you are the only one with the ability to put .php files on the server) or through file/folder permissions through the operating system/web server (assuming you will allow the users to place any kind of files on the server.)

 

If you implement a general purpose ACL like JAY6390 suggested, you can assign users to groups with each group having their own specific content on a single page (which is basically what you see in front of you in this Forum.) Non-logged in guests, regular members, banned members, new members with less than 10 posts, supporters, gurus, recommended members, mods, admins, owners, and any other group you would want to define can all see and access specific content on the Forum's single index.php page.


There's a lot of code involved with some of the acl tutorials/demo I've come across.

 

Can anyone recommend a simple and light ACL tutorial?

 

Note: I'm currently looking into Zend if anyone has any thoughts on their framework.

 

I've also found a straight forward tutorial for anyone starting out with ACL: http://net.tutsplus.com/tutorials/php/a-better-login-system/


One more question:

 

Let's say two different companies use different sections of the one site.

 

Should I use an ACL per section of the site or should I only ever have the one ACL to manage the entire site?

 

i.e. should the ACL tables have their own database or do I have a set of ACL tables for each database that requires it?


LOL. The tutsplus code, while someone went to a lot of trouble to design and write, is actually not secure because there are no exit; statements after the header() redirects. All a hacker needs to do is ignore the header() redirects and he can access the pages the same as if the security checks were not present.

 

If you use that code, add exit; statements after every header() redirect.


If you use that code, add exit; statements after every header() redirect.

 

Thanks for spotting that. I'll exit(); following my headers.

 

@all:

 

I've installed the ACL and now want to implement it. The index of my admin panel starts with:

 

<?php 
include("assets/php/database.php"); 
include("assets/php/class.acl.php");

$userID = $_GET['userID'];
$_SESSION['userID'] = 1;
$myACL = new ACL();
?>

 

As it stands, the page is publicly accessible. The tutorial explains that I need to add the following to make it private:

 

<?php  
include("assets/php/database.php");  
include("assets/php/class.acl.php");  
$myACL = new ACL();  
if ($myACL->hasPermission('access_admin') != true)  
{  
    header("location: insufficientPermission.php");  
}  
?>  

 

How do I combine these two blocks of code to make it work? I've tried adding the condition beneath the included files but the page isn't redirected to insufficientPermission.php.

 

Also, in terms of implementing this with a log-in form, are the above blocks of code receiving the posts of my log-in form or the posts defined as session variables?


The demo code is setting $_SESSION['userID'] = 1;

 

That is equivalent to having some login script that has authenticated you as userid 1, which is the main administrator account in the demo data for that script. As soon as you visit the index.php page, you are logged in as the main administrator and have sufficient permissions and group membership to pass all the security checks.


The demo code is setting $_SESSION['userID'] = 1;

 

Should I simply replace the '1' with the $userID variable (as below)?

 

<?php 
include("assets/php/database.php"); 
include("assets/php/class.acl.php");

$userID = $_GET['userID'];
//$_SESSION['userID'] = 1;
$_SESSION['userID'] = $userID;
$myACL = new ACL();
?>

 

 

 

 

 


I've gotten the following to work:

 

<?php
include("assets/php/database.php");
include("assets/php/class.acl.php");
$userID = $_GET['userID'];
$_SESSION['userID'] = $userID; // session identity taken straight from the query string
$myACL = new ACL();
if ($myACL->hasPermission('access_admin') != true)
{
    header("location: insufficientPermission.php");
    exit; // stop here, as noted above, or the page body is still sent
}
?>

 

I swapped out the '1' for the variable and added the condition. It's redirecting to insufficientPermission.php for starters. I just need to test posting an input/session.


I'm using the following form to test the security check on the admin index page:

 

<form method="post" action="/acl">
<ol>
<li>                          
<input type="text" name="userID" id="userID"> 
</li>
<li>
<input type="submit" value="SEND userID">
</li>
</ol>   
</form>      

 

I've posted '1' through the form hoping to trigger the permissions for userID 1 (admin access). Unfortunately, I'm being redirected to the error page.

 

Am I missing a step?


Ooh, yeah!

 

I solved it using the following test:

 

page1.php:

<html>
<form action="/page2.php" method="post" enctype="multipart/form-data" name="form">
<ol>
<li>                          
<input type="text" name="userID" id="userID"> 
</li>
<li>
<input type="submit" value="SEND userID" name="senduserid">
</li>
</ol>   
</form>  
</html> 

 

page2.php:

<?php
// Begin the session.
session_start();

$userID = $_POST['userID'];

// Store the submitted value in the session.
$_SESSION['userID'] = $userID;

header("Location: /acl");
exit; // stop here after the redirect
?>

 

(I replaced the beginning of the admin index.php with the regular check.)

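In the page2.php above, $_SESSION['userID'] is set directly from $_POST['userID'], so whatever number the client types into the form becomes the session identity; a visitor who submits 1 is treated as userID 1 with no password involved. What follows is an added example, not the thread's code: a login handler in which the session identity is set only from the database row whose password verified, so the form carries a username and password and no userID field at all. The table and column names are hypothetical, the single sample row is constructed, and an in-memory SQLite table stands in for MySQL so the file runs offline.

```php
<?php
// Added example, not the thread's code: page2.php rewritten so that
// $_SESSION['userID'] comes from the database row that matched the
// submitted username and password, never from the request itself.
// Table and column names are hypothetical; the sample row is constructed.
declare(strict_types=1);

// In-memory SQLite stand-in for the MySQL users table.
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $pdo->prepare('INSERT INTO users (id, username, password_hash) VALUES (1, ?, ?)')
        ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the id of the user whose password verified, or null. The id is
// read from the row, which is the only place it is allowed to come from.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;   // one answer for unknown user and wrong password
    }
    return (int) $row['id'];
}

// Form handler: the form sends username and password (no userID field).
// Returns the path to redirect to.
function handle_login(PDO $pdo, array $post): string
{
    $id = authenticate(
        $pdo,
        (string) ($post['username'] ?? ''),
        (string) ($post['password'] ?? '')
    );
    if ($id === null) {
        return '/fail.php';
    }
    // Fresh session id after login, so an id planted before login is useless.
    session_regenerate_id(true);
    $_SESSION['userID'] = $id;
    return '/acl';
}

if (PHP_SAPI !== 'cli') {
    session_start();
    header('Location: ' . handle_login(demo_db(), $_POST));
    exit;
}

// Command-line check: only the password decides which row, if any, becomes
// the session identity; a forged userID field would simply be ignored.
$pdo = demo_db();
var_dump(authenticate($pdo, 'admin', 'correct horse'));
var_dump(authenticate($pdo, 'admin', 'wrong'));
```

With this in place the ACL check on the admin index ($myACL->hasPermission('access_admin')) operates on an identity the server established, and the $userID = $_GET['userID'] line on that page can be dropped.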

There is another security problem in the tutsplus code. On the admin pages that do form processing, some of the form processing code is before the security check code. So, it is possible for ANYONE to submit form data and it will be processed.


Putting the security check code as the first thing a page does would be kind of important for a script that was trying to show how to create and use an Access Control List. It's only three lines of php code (plus the {} brackets for the if() statement.) You can always move it to be above the form processing code on the pages.

 

Other than the two security holes already mentioned, the script is primarily just a tutorial to show ACL, it is lacking the typical input validation, escaping, error checking, and error reporting... logic that would be needed in a real application.

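The two problems raised in this thread about the tutorial's admin pages, a header() redirect with no exit after it and form processing placed before the permission check, are shown side by side below with the corrected order. This is an added example, not the tutorial's code: $myACL stands for the tutorial's ACL object with its hasPermission() method, while StubAcl, the save callback and the form field are constructed here for the demonstration.

```php
<?php
// Added example, not the tutorial's code: the two ordering faults called
// out in this thread (no exit after the header() redirect, and form
// processing before the permission check) next to the corrected order.
// $myACL stands for the tutorial's ACL object with hasPermission();
// StubAcl and the save callback are constructed here for the demo.
declare(strict_types=1);

// BROKEN: input is acted on before authorization, and the redirect does
// not stop the script, so the admin markup is still returned/sent. A
// client that ignores the Location header (curl -i, or a script) sees it.
function broken_admin_page(object $myACL, array $post, callable $save): string
{
    if (isset($post['title'])) {
        $save($post['title']);          // runs for anyone who posts
    }
    if ($myACL->hasPermission('access_admin') != true) {
        header('Location: insufficientPermission.php');
        // no exit: execution continues below
    }
    return '<h1>Admin</h1><form>...</form>';
}

// FIXED: authorize first, stop the script on failure, only then touch input.
function fixed_admin_page(object $myACL, array $post, callable $save): string
{
    if (!$myACL->hasPermission('access_admin')) {
        header('Location: insufficientPermission.php');
        exit;
    }
    if (isset($post['title'])) {
        $save($post['title']);
    }
    return '<h1>Admin</h1><form>...</form>';
}

// Minimal stand-in for the ACL object, constructed for the demo.
final class StubAcl
{
    public function __construct(private bool $allow) {}
    public function hasPermission(string $permission): bool { return $this->allow; }
}

// Demo: a denied visitor still gets a write and the page from the broken
// version. The fixed version behaves identically when allowed and, when
// denied, ends at the exit inside the redirect branch.
$writes = [];
$save = function (string $title) use (&$writes): void { $writes[] = $title; };

$html = broken_admin_page(new StubAcl(false), ['title' => 'injected'], $save);
var_dump(count($writes), strlen($html) > 0);

$writes = [];
$html = fixed_admin_page(new StubAcl(true), ['title' => 'legit'], $save);
var_dump(count($writes));
```

Against a live server the same check is `curl -i -d 'title=x' http://host/admin/index.php` with no -L: the broken page answers 302 with the admin HTML in the body and the write has already happened; the fixed page answers 302 with an empty body and nothing written.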
