Session basics: Independent sessions

[webmaster1]

I have a log-in form that starts a session by checking the input against a database:

 

// Mysql_num_row is counting table row.
$count=mysql_num_rows($result);

if($count==1){
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header("location:success.php");
}

 

If the inputs match the user is redirected to success.php which checks for the session as follows:

 

<?php
// Begin session. Function must remain at top.
session_start();

// If the session is not registered.
if(!session_is_registered(username)){

// Redirects when the url of this page is directly accessed without a registered session.
header("location:fail.php");

}
?>

 

[Q1] Let's say I have two users who are each redirected to a different success page. How do I prevent them from accessing each others success pages? Here's what I'm trying to achieve in simpler terms:

 

SESSION A allows USER A to access SUCCESS PAGE A but not PAGE B

 

SESSION B allows USER B to access SUCCESS PAGE B but not PAGE A

 

How do I distinguish between sessions?

 

[Q1] If users listed in my username/password mysql table are each to be redirected to an individual url, should I just save this as a third column in my username/password table (or is it bad practice to use this table for anything other than checking the username and password?)

 

[JAY6390]

You should set up ACL of some sort and verify on each landing page if that page is allowed to be accessed by the current user

Check out ACL on wikipedia @ http://en.wikipedia.org/wiki/Access_control_list

[webmaster1]

Thanks Jay, I read through the Wikipedia entry. Is this the simplest way of going about it? I was hoping an extra column in my table, a little boolean and some session functions might do the trick.

 

 

[Zagga]

Hi,

 

I have just answered a similar question here

http://www.phpfreaks.com/forums/index.php/topic,296100.0.html

It lets each user access their own individual page (eg member1 will be directed to member1.php, member2 goes to member2.php etc).

 

Hope this helps.

 

Zagga

[webmaster1]

Thanks Zagga. I don't want each user to have their own page. I need group a to be redirected to page a and group b to be redirected to page b. Group a and b cannot access each others pages.

 

I'm going to add a third column to my username/password table to assign values for the variable to be used in redirect url e.g. $direct-to = "page-a.php" header("location:/$direct-to")

 

 

 

[PFMaBiSmAd]

You cannot enforce security using redirects anyway. You must either enforce security on each page (assuming you are the only one with the ability to put .php files on the server) or through file/folder permissions through the operating system/web server (assuming you will allow the users to place any kind of files on the server.)

 

If you implement a general purpose ACL like JAY6390 suggested, you can assign users to groups with each group having their own specific content on a single page (which is basically what you see in front of you in this Forum.) Non-logged in guests, regular members, banned members, new members with less than 10 posts, supporters, gurus, recommended members, mods, admins, owners, and any other group you would want to define can all see and access specific content on the Forum's single index.php page.

[webmaster1]

Cheers. I'll delve into the ACL concept.

[webmaster1]

There's a lot of code involved with some of the acl tutorials/demo I've come across.

 

Can anyone reccomend a simple and light ACL tutorial?

 

Note: I'm currently looking into Zend if anyone has any thoughts on their framework.

 

I've also found a straight forward tutorial for anyone starting out with ACL: http://net.tutsplus.com/tutorials/php/a-better-login-system/

[JAY6390]

If you're building your application with Zend then they already have their own ACL class. http://framework.zend.com/manual/en/zend.acl.html

[webmaster1]

Would you reccomend Zend or this ACL on tutsplus?

[JAY6390]

I would highly recommend the tutplus tutorial over zend, since I'm guessing you've not worked with zend before, and you would end up having to learn a whole lot more than you probably expect

[webmaster1]

Thanks, Jay!

[webmaster1]

One more question:

 

Let's say two different companies use different sections of the one site.

 

Should I use an ACL per section of the site or should I only ever have the one ACL to manage the entire site?

 

i.e. should the ACL tables have their own database or do I have a set of ACL tables for each database that requires it?

[JAY6390]

Personally I would use one database table per domain, making more than one table will become messy in the long run

[webmaster1]

Personally I would use one database table per domain, making more than one table will become messy in the long run

 

One ACL it is then.

[PFMaBiSmAd]

LOL. The tutsplus code, while someone went to a lot of trouble to design and write, is actually not secure because there are no exit; statements after the header() redirects. All a hacker needs to do is ignore the header() redirects and he can access the pages the same as if the security checks were not present.

 

If you use that code, add exit; statements after every header() redirect.

[webmaster1]

If you use that code, add exit; statements after every header() redirect.

 

Thanks for spotting that.I'll exit(); following my headers.

 

@all:

 

I've installed the ACL and now want to implement it. The index of my admin panel starts with:

 

<?php 
include("assets/php/database.php"); 
include("assets/php/class.acl.php");

$userID = $_GET['userID'];
$_SESSION['userID'] = 1;
$myACL = new ACL();
?>

 

As it stands, the page is publicly accesible. The tutorial explains that I need to add the following to make it private:

 

<?php  
include("assets/php/database.php");  
include("assets/php/class.acl.php");  
$myACL = new ACL();  
if ($myACL->hasPermission('access_admin') != true)  
{  
    header("location: insufficientPermission.php");  
}  
?>  

 

How do I combine these two blocks of to make it work? I've tried adding the condition beneath the included files but the page isn't redirected to the insufficientPermission.php.

 

Also, in terms of implementing this with a log-in form, are the above blocks of code recieving the posts of my log-in form or the posts defined as a session variables?

[PFMaBiSmAd]

The demo code is setting $_SESSION['userID'] = 1;

 

That is equivalent to having some login script that has authenticated you as userid 1, which is the main administrator account in the demo data for that script. As soon as you visit the index.php page, you are logged in as the main administrator and have sufficient permissions and group membership to pass all the security checks.

[webmaster1]

The demo code is setting $_SESSION['userID'] = 1;

 

Should I simply replace the '1' with the $userID variable (as below)?

 

<?php 
include("assets/php/database.php"); 
include("assets/php/class.acl.php");

$userID = $_GET['userID'];
//$_SESSION['userID'] = 1;
$_SESSION['userID'] = $userID;
$myACL = new ACL();
?>

 

 

 

 

 

[webmaster1]

I've gotten the following to work:

 

<?php  
include("assets/php/database.php");  
include("assets/php/class.acl.php");  
$userID = $_GET['userID'];
$_SESSION['userID'] = $userID;
$myACL = new ACL();  
if ($myACL->hasPermission('access_admin') != true)  
{  
    header("location: insufficientPermission.php");  
}  
?>

 

I swapped out the '1' for the variable and added the condition. It's redirecting to insufficientPermission.php for starters. I just need to test posting an input/session.

[webmaster1]

I'm using the following form to test the security check on the admin index page:

 

<form method="post" action="/acl">
<ol>
<li>                          
<input type="text" name="userID" id="userID"> 
</li>
<li>
<input type="submit" value="SEND userID">
</li>
</ol>   
</form>      

 

I've posted '1' through the form hoping to trigger the permissions for userID 1 (admin access). Unfortunately, I'm being redirected to the error page.

 

Am I missing a step?

[webmaster1]

Ooh, yeah!

 

I solved it using the following test:

 

page1.php:

<html>
<form action="/page2.php" method="post" enctype="multipart/form-data" name="form">
<ol>
<li>                          
<input type="text" name="userID" id="userID"> 
</li>
<li>
<input type="submit" value="SEND userID" name="senduserid">
</li>
</ol>   
</form>  
</html> 

 

page2.php:

<?php
// Begin session.
session_start();

$userID=$_POST['userID'];

// this sets variables in the session 
$_SESSION['userID']=$userID;  

header("location:/acl");
?>

 

(I replaced the beginning of the admin index.php with the regular check.)

[PFMaBiSmAd]

There is another security problem in the tutsplus code. On the admin pages that do form processing, some of the form processing code is before the security check code. So, it is possible for ANYONE to submit form data and it will be processed.

[webmaster1]

Thanks for pointing out a second insecurity.

 

Can this be (easily) remedied or is the tutsplus acl a no-go?

[PFMaBiSmAd]

Putting the security check code as the first thing a page does would be kind of important for a script that was trying to show how to create and use an Access Control List. It's only three lines of php code (plus the {} brackets for the if() statement.) You can always move it to be above the form processing code on the pages.

 

Other than the two security holes already mentioned, the script is primarily just a tutorial to show ACL, it is lacking the typical input validation, escaping, error checking, and error reporting... logic that would be needed in a real application.