webmaster1 (author), posted April 29, 2010
Thread: https://forums.phpfreaks.com/topic/200101-session-basics-independent-sessions/

I have a log-in form that starts a session by checking the input against a database:

    // mysql_num_rows() counts the rows the query returned.
    $count = mysql_num_rows($result);
    if ($count == 1) {
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password; // success.php below only looks at 'username'
        header("Location: success.php");
        exit; // stop here so the rest of the script is not served to a client that ignores the redirect
    }

If the inputs match, the user is redirected to success.php, which checks for the session as follows:

    <?php
    // Begin session. Function must remain at top.
    session_start();
    // If the session is not registered.
    // (session_is_registered() is deprecated and was removed in PHP 5.4; test $_SESSION directly.)
    if (!isset($_SESSION['username'])) {
        // Redirects when the URL of this page is directly accessed without a registered session.
        header("Location: fail.php");
        exit;
    }
    ?>

[Q1] Let's say I have two users who are each redirected to a different success page. How do I prevent them from accessing each other's success pages? Here's what I'm trying to achieve in simpler terms:

    SESSION A allows USER A to access SUCCESS PAGE A but not PAGE B
    SESSION B allows USER B to access SUCCESS PAGE B but not PAGE A

How do I distinguish between sessions?

[Q2] If users listed in my username/password MySQL table are each to be redirected to an individual URL, should I just save this as a third column in my username/password table (or is it bad practice to use this table for anything other than checking the username and password?)
JAY6390, posted April 29, 2010

You should set up an ACL of some sort and verify on each landing page whether that page is allowed to be accessed by the current user. Check out ACL on Wikipedia: http://en.wikipedia.org/wiki/Access_control_list
webmaster1 (author), posted April 29, 2010

Thanks Jay, I read through the Wikipedia entry. Is this the simplest way of going about it? I was hoping an extra column in my table, a little boolean and some session functions might do the trick.
Zagga, posted April 29, 2010

Hi, I have just answered a similar question here: http://www.phpfreaks.com/forums/index.php/topic,296100.0.html

It lets each user access their own individual page (e.g. member1 will be directed to member1.php, member2 goes to member2.php, etc.). Hope this helps.

Zagga
webmaster1 (author), posted April 29, 2010

Thanks Zagga. I don't want each user to have their own page. I need group A to be redirected to page A and group B to be redirected to page B. Group A and B cannot access each other's pages.

I'm going to add a third column to my username/password table to assign values for the variable to be used in the redirect URL, e.g.

    // hyphens are not allowed in PHP variable names, so $direct_to rather than $direct-to
    $direct_to = "page-a.php";
    header("Location: /$direct_to");
    exit;
PFMaBiSmAd, posted April 29, 2010

You cannot enforce security using redirects anyway. You must either enforce security on each page (assuming you are the only one with the ability to put .php files on the server) or through file/folder permissions through the operating system/web server (assuming you will allow the users to place any kind of files on the server).

If you implement a general-purpose ACL like JAY6390 suggested, you can assign users to groups, with each group having its own specific content on a single page (which is basically what you see in front of you in this forum). Non-logged-in guests, regular members, banned members, new members with less than 10 posts, supporters, gurus, recommended members, mods, admins, owners, and any other group you would want to define can all see and access specific content on the forum's single index.php page.
webmaster1 (author), posted April 29, 2010

Cheers. I'll delve into the ACL concept.
webmaster1 (author), posted April 29, 2010

There's a lot of code involved with some of the ACL tutorials/demos I've come across. Can anyone recommend a simple and light ACL tutorial?

Note: I'm currently looking into Zend if anyone has any thoughts on their framework. I've also found a straightforward tutorial for anyone starting out with ACL: http://net.tutsplus.com/tutorials/php/a-better-login-system/
JAY6390, posted April 29, 2010

If you're building your application with Zend then they already have their own ACL class: http://framework.zend.com/manual/en/zend.acl.html
webmaster1 (author), posted April 29, 2010

Would you recommend Zend or this ACL on tutsplus?
JAY6390, posted April 29, 2010

I would highly recommend the tutsplus tutorial over Zend, since I'm guessing you've not worked with Zend before, and you would end up having to learn a whole lot more than you probably expect.
webmaster1 (author), posted April 29, 2010

Thanks, Jay!
webmaster1 (author), posted April 29, 2010

One more question: let's say two different companies use different sections of the one site. Should I use an ACL per section of the site, or should I only ever have the one ACL to manage the entire site? I.e. should the ACL tables have their own database, or do I have a set of ACL tables for each database that requires it?
JAY6390, posted April 29, 2010

Personally I would use one database table per domain; making more than one table will become messy in the long run.
webmaster1 (author), posted April 29, 2010

> Personally I would use one database table per domain; making more than one table will become messy in the long run.

One ACL it is then.
PFMaBiSmAd, posted April 29, 2010

LOL. The tutsplus code, while someone went to a lot of trouble to design and write it, is actually not secure because there are no exit; statements after the header() redirects. All a hacker needs to do is ignore the header() redirects and he can access the pages the same as if the security checks were not present. If you use that code, add exit; statements after every header() redirect.
webmaster1 (author), posted April 29, 2010

> If you use that code, add exit; statements after every header() redirect.

Thanks for spotting that. I'll exit(); following my headers.

@all: I've installed the ACL and now want to implement it. The index of my admin panel starts with:

    <?php
    include("assets/php/database.php");
    include("assets/php/class.acl.php");
    $userID = $_GET['userID'];
    $_SESSION['userID'] = 1;
    $myACL = new ACL();
    ?>

As it stands, the page is publicly accessible. The tutorial explains that I need to add the following to make it private:

    <?php
    include("assets/php/database.php");
    include("assets/php/class.acl.php");
    $myACL = new ACL();
    if ($myACL->hasPermission('access_admin') != true) {
        header("location: insufficientPermission.php");
        exit;
    }
    ?>

How do I combine these two blocks to make it work? I've tried adding the condition beneath the included files, but the page isn't redirected to insufficientPermission.php.

Also, in terms of implementing this with a log-in form, are the above blocks of code receiving the posts of my log-in form, or the posts defined as session variables?
PFMaBiSmAd, posted April 29, 2010

The demo code is setting $_SESSION['userID'] = 1; That is equivalent to having some login script that has authenticated you as userid 1, which is the main administrator account in the demo data for that script. As soon as you visit the index.php page, you are logged in as the main administrator and have sufficient permissions and group membership to pass all the security checks.
webmaster1 (author), posted April 29, 2010

> The demo code is setting $_SESSION['userID'] = 1;

Should I simply replace the '1' with the $userID variable (as below)?

    <?php
    include("assets/php/database.php");
    include("assets/php/class.acl.php");
    $userID = $_GET['userID'];
    //$_SESSION['userID'] = 1;
    $_SESSION['userID'] = $userID;
    $myACL = new ACL();
    ?>
webmaster1 (author), posted April 29, 2010

I've gotten the following to work:

    <?php
    include("assets/php/database.php");
    include("assets/php/class.acl.php");
    $userID = $_GET['userID'];
    $_SESSION['userID'] = $userID;
    $myACL = new ACL();
    if ($myACL->hasPermission('access_admin') != true) {
        header("location: insufficientPermission.php");
        exit;
    }
    ?>

I swapped out the '1' for the variable and added the condition. It's redirecting to insufficientPermission.php for starters. I just need to test posting an input/session.
webmaster1 (author), posted April 29, 2010

I'm using the following form to test the security check on the admin index page:

    <form method="post" action="/acl">
    <ol>
        <li><input type="text" name="userID" id="userID"></li>
        <li><input type="submit" value="SEND userID"></li>
    </ol>
    </form>

I've posted '1' through the form hoping to trigger the permissions for userID 1 (admin access). Unfortunately, I'm being redirected to the error page. Am I missing a step?
webmaster1 (author), posted April 29, 2010

Ooh, yeah! I solved it using the following test:

page1.php:

    <html>
    <form action="/page2.php" method="post" enctype="multipart/form-data" name="form">
    <ol>
        <li><input type="text" name="userID" id="userID"></li>
        <li><input type="submit" value="SEND userID" name="senduserid"></li>
    </ol>
    </form>
    </html>

page2.php:

    <?php
    // Begin session.
    session_start();
    $userID = $_POST['userID'];
    // this sets variables in the session
    $_SESSION['userID'] = $userID;
    header("Location: /acl");
    exit;
    ?>

(I replaced the beginning of the admin index.php with the regular check.)
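PFMaBiSmAd's advice earlier in the thread (enforce the check on every page; put users in groups rather than relying on the redirect) and the test in the post above come down to the same question: where does the identity in the session come from? page2.php above copies userID from the POST body straight into $_SESSION['userID'], so any visitor who submits 1 gets the permissions of user 1, the administrator in the tutorial's demo data. The session identity has to be set by a login step that verifies credentials first, and each group's page has to check the group itself. The following is an added example, not code from the thread or from the tutsplus tutorial. It assumes a table users(id, username, password_hash, user_group) with hashes produced by password_hash() and user_group holding 'a' or 'b', a mysqli connection in $db, and that the ACL class reads $_SESSION['userID'] as the posts above indicate; LANDING_PAGES, login_user() and require_group() are names chosen here. The landing URL is derived from the group in code, which answers the question about a third column: store the group, not the URL.

```php
<?php
// auth.php: added example, not code from the thread or the tutsplus tutorial.
// Assumed schema: users(id INT, username VARCHAR, password_hash VARCHAR, user_group VARCHAR).
declare(strict_types=1);

// Which page each group lands on after login. Kept in code (or a groups table),
// never as a free-form URL column next to the credentials.
const LANDING_PAGES = [
    'a' => '/page-a.php',
    'b' => '/page-b.php',
];

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Verify the credentials, then bind the authenticated identity to a fresh session.
// Returns the group's landing page on success, null on failure.
function login_user(mysqli $db, string $username, string $password): ?string
{
    $stmt = $db->prepare(
        'SELECT id, password_hash, user_group FROM users WHERE username = ?'
    );
    $stmt->bind_param('s', $username);   // parameterised: the username never reaches the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if (!is_array($row) || !password_verify($password, $row['password_hash'])) {
        return null;
    }

    $target = LANDING_PAGES[$row['user_group']] ?? null;
    if ($target === null) {
        return null;                     // unknown group: refuse rather than guess a page
    }

    start_session();
    session_regenerate_id(true);         // new session id on privilege change (session fixation)
    $_SESSION['userID']     = (int) $row['id'];      // the key the tutorial's ACL class reads
    $_SESSION['user_group'] = $row['user_group'];
    // The password itself is not stored in the session.

    return $target;
}

// First statement of every protected page, before any output or form handling.
// Returns only if the visitor is logged in and belongs to $group.
function require_group(string $group): void
{
    start_session();
    if (!isset($_SESSION['userID']) || ($_SESSION['user_group'] ?? null) !== $group) {
        header('Location: /fail.php');
        exit;                            // the redirect alone enforces nothing; exit does
    }
}

// login.php, after the form is posted (assumed connection details):
//   require_once __DIR__ . '/auth.php';
//   $db = new mysqli('localhost', 'dbuser', 'dbpass', 'site');
//   $target = login_user($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
//   if ($target === null) { header('Location: /fail.php'); exit; }
//   header('Location: ' . $target);
//   exit;
//
// page-a.php, first lines:
//   require_once __DIR__ . '/auth.php';
//   require_group('a');   // a group-b user is sent to fail.php before any output
```

Because the group is read from the server-side session and compared on every page, user B's browser requesting /page-a.php directly gets the fail.php redirect and an empty body, whatever was typed into a form. The userID value is never accepted from the request; the only way into the session is a successful password_verify().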
PFMaBiSmAd, posted April 29, 2010

There is another security problem in the tutsplus code. On the admin pages that do form processing, some of the form processing code is before the security check code. So, it is possible for ANYONE to submit form data and it will be processed.
webmaster1 (author), posted April 30, 2010

Thanks for pointing out a second insecurity. Can this be (easily) remedied, or is the tutsplus ACL a no-go?
PFMaBiSmAd, posted April 30, 2010

Putting the security check code as the first thing a page does would be kind of important for a script that was trying to show how to create and use an Access Control List. It's only three lines of PHP code (plus the {} brackets for the if() statement). You can always move it to be above the form processing code on the pages.

Other than the two security holes already mentioned, the script is primarily just a tutorial to show ACL; it is lacking the typical input validation, escaping, error checking, and error reporting logic that would be needed in a real application.
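The two holes PFMaBiSmAd describes, the header() without exit and the form processing placed before the check, are both about ordering within one admin page. As an added example (not the tutsplus code and not the poster's), here is an admin page in the corrected order, using the $myACL->hasPermission('access_admin') call the posts above use; delete_user() is a hypothetical helper assumed to live in database.php, and the commented outline of the insecure shape is illustrative, not the tutorial's actual lines.

```php
<?php
// admin/edit-user.php: added example, not code from the thread or the tutorial.
//
// The insecure shape, in outline (illustrative, not the tutorial's lines):
//
//   if (isset($_POST['delete'])) { delete_user($_POST['delete']); }   // runs for anyone
//   if (!$myACL->hasPermission('access_admin')) {
//       header("location: insufficientPermission.php");               // no exit: the page carries on
//   }
//   ... admin HTML ...
//
// Corrected order: session, includes, authorization with exit, then input, then output.

session_start();                                    // the ACL class reads $_SESSION['userID']
require_once __DIR__ . '/assets/php/database.php';  // assumed to define delete_user(int $id)
require_once __DIR__ . '/assets/php/class.acl.php';

$myACL = new ACL();

// 1. Authorize before touching any input. Nothing below runs for an
//    unauthorized visitor, whatever they POST.
if (!$myACL->hasPermission('access_admin')) {
    header('Location: insufficientPermission.php');
    exit;   // 2. The Location header is advice to the client; exit is what stops the server.
}

// 3. Form processing, reachable only by authorized users. Permission to use
//    the page is not permission to pass arbitrary values, so validate here too.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    $id = filter_var($_POST['delete'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid user id');
    }
    delete_user($id);                   // hypothetical helper from database.php
    header('Location: edit-user.php');  // post/redirect/get so a refresh does not repeat the delete
    exit;
}
?>
<!-- 4. Page output, also reached only by authorized users -->
<h1>Edit users</h1>
<form method="post" action="edit-user.php">
    <label>User id to delete <input type="text" name="delete"></label>
    <input type="submit" value="Delete">
</form>
```

To check a page for either hole, send the request without a session cookie and look at the whole response rather than following the redirect: `curl -i -s -X POST -d 'delete=7' http://localhost/admin/edit-user.php` should return the 302 to insufficientPermission.php with nothing after the headers, and the users table should be unchanged. A page missing the exit prints the admin HTML underneath the headers; a page with the processing above the check is missing the row afterwards.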