Another Login twister !


ajoo

Hi guys,

I am back with another login twister. Earlier I tried to create a Yahoo-like login system which ensured that a given user was logged in on only one machine, even if that user tried to log in multiple times from the same or different machines. After a great deal of effort, and with a lot of support from the forum, I decided it would be best not to allow the second (new) login at all if the user was already logged in. So the new login fails, saying that the user is already logged in.

I am now using a sliding jQuery login panel that I picked up from the net, and I tried to implement this new logic, and guess what? I ran into another issue.

So the panel works fine. I'll put the login procedure in steps:

1. I input the username and password and log in. The initial screen provides the username and password fields and a login button, and also a registration form for a new login registration. The display shows Guest for the user.

2. The user logs in and is greeted by his 'username', which it picks from a database. When the panel is expanded it now opens a new page (say PAGE 1) which has two hyperlinks: a) to play a movie and b) to log out.

3. Both work fine. So far so good.

4. Now I run the login page again in a new tab, and because an instance of it is already running, it opens on PAGE 1, which has the two hyperlinks a) movie and b) logout.

Since the panel is using sessions, and since I am running the two on two tabs of the same browser, the sessions would ensure that the session values are the same for the instances in both tabs.

5. Now I log out from the 2nd (newer) tab. (Actually, since there are two instances running on two tabs of the same browser, I can log out of either.) The session is destroyed and the logout page is displayed. Since the session is destroyed, it must be destroyed for both instances. At this point the first instance/tab is still showing PAGE 1, as it should, but it is now a dead session. However, when I now press option a), the hyperlink to the movie, it plays! WHY should the movie play when the session is destroyed?

6. So in effect, while I am effectively logged out because of a logout command in one of the two tabs of the browser, the hyperlink to the movie in the other tab is still active, which I think is a great flaw. I mean, it should not behave like that.

So does anyone have any idea why this is happening and how it may be overcome?

A bit of code showing that which makes PAGE 1:

  <div class="left">

            <h1>Members panel</h1>

            <p>You can put member-only data here</p>
            <a href="registered.php">View a special member page</a>
            <p>- or -</p>
            <a href="?logoff">Log off</a>

  </div>

registered.php actually runs a movie (the a) option), or the user can log off (the b) option).

Please HELP, stuck on this one again.

Whatever page your play movie button is linking to is not properly validating the session, that is why it still plays. You need to ensure all your pages (even indirect pages, such as ajax helpers) which require someone to be logged in have a check at the top of them to verify that an active login is present. If none is found, either show an error or redirect somewhere else.

I thought I would illustrate this with a small demo program. I am sure others would have come up against something like this and found a way around it. This involves five small files for a login system:

1. index.php
2. loginproc1.php
3. securedpage.php
4. loggedout.html
5. mypage.html

It does not make use of a database but accepts only one user, namely "John", with password 1234 (actually the password is irrelevant for this illustration, but I use 1234).

So typing the URL "localhost/xampp/sessions/index.php" will open a login form. Once I log in using the user John and password 1234, loginproc1 takes me to securedpage.php if I am not already logged in.

Now I open another browser window, and as soon as I put in the URL "localhost/xampp/sessions/index.php" it immediately goes to loggedout.html, which is displayed and says that since you are already logged in you are being logged out. So I am logged out.

But since I am logging in from another tab of the same browser, I am actually logged out of both sessions, since both sessions in this case (on different tabs of the same browser) are considered one and the same.

At this point I have two pages on the two tabs: the secured page on the 1st tab and the logged-out page on the 2nd tab of my browser, and effectively I should be logged out and the sessions (actually session, since both are one and the same) destroyed.

However, if you now go to the secured page (1st tab of the browser), you can still see the link to MyPage on it, which if clicked on would take us to the contents of mypage.html, even though invoking the URL "localhost/xampp/sessions/index.php" in the 2nd tab of my browser has effectively destroyed the session.

I want to prevent the link to MyPage from working once the session is destroyed.

How can this be achieved?

Since I have attached the code files, I would be glad if someone could actually do this one here and demonstrate it.

Thanks loads to all for any help that I receive on this one.

The code files:

INDEX.PHP

<?php
//////// INDEX.PHP /////////////
// Initialize session
session_start();

// Check if the user is already logged in; if so, log them out and jump to the
// logged-out page. Nothing may be echoed before header(), or the redirect fails
// with "headers already sent", so the "already logged in" message lives on
// loggedout.html instead of being echoed here.
if (isset($_SESSION['username'])) {
    session_destroy();
    header('Location: loggedout.html');
    exit();
}
?>
<html>

<head>
<title>PHPMySimpleLogin 0.3</title>
</head>

<body>

<p>Hi new user</p>

<h3>User Login</h3>

<form method="POST" action="loginproc1.php">
<table border="0">
<tr><td>Username</td><td>:</td><td><input type="text" name="username" size="20"></td></tr>
<tr><td>Password</td><td>:</td><td><input type="password" name="password" size="20"></td></tr>
<tr><td> </td><td> </td><td><input type="submit" value="Login"></td></tr>
</table>
</form>

</body>

</html>

LOGINPROC1.PHP

<?php
////// loginproc1.php //////

// Initialize session
session_start();

// Database connection settings: not needed for this one-user demo, so left out
// (an include of a file that does not exist would only produce a warning).
// include('config.inc');

// Already logged in from another page: destroy the session and leave.
// No output before header(), or the redirect fails with "headers already sent".
if (isset($_SESSION['username'])) {
    session_destroy();
    header('Location: loggedout.html');
    exit();
}

// Only store the username in the session once it has been accepted. Storing it
// before the check would "log in" any name that was posted, because
// securedpage.php only tests isset($_SESSION['username']).
// The password is deliberately not checked in this illustration.
$username = isset($_POST['username']) ? $_POST['username'] : '';

if ($username == "John") {
    $_SESSION['username'] = $username;
    header('Location: securedpage.php');
    exit();
} else {
    // Jump to login page
    echo " Can't find you";

    //header('Location: index.php');
}

?>

SECUREDPAGE.PHP

<?php

///// SECUREDPAGE.PHP ///////

// Initialize session
session_start();

// Check: if the username session is NOT set, this page jumps to the login page
if (!isset($_SESSION['username'])) {
    header('Location: index.php');
    exit();
}

?>
<html>

<head>
<title>Secured Page</title>
</head>

<body>

<p>Welcome <?php echo htmlspecialchars($_SESSION['username']); ?></p>

<p>This is a secured page with session: <b><?php echo htmlspecialchars($_SESSION['username']); ?></b>
<br>You can put your restricted information here.</p>
<p>You can jump to your page <a href="mypage.html">MyPage</a></p>
<p><a href="logout.php">Logout</a></p>

</body>

</html>


LOGGEDOUT.HTML

<html>

<head>
<title>Loggedout Page</title>
</head>

<body>

<!-- Plain HTML only: PHP tags do not execute in a .html file, and index.php has
     already destroyed the session (and with it the username) before redirecting
     here, so the name cannot be displayed on this page. -->
<p>Already logged in.</p>
<p>You are being logged out as you have logged in from another page.</p>

<p>You are logged out.
<br>You cannot put any kind of information now.</p>

</body>

</html>

MYPAGE.HTML

<!DOCTYPE html>
<html>
<head> <title> MyPage </title> </head>
<body>

<h1>My First Heading</h1>

<p>My first paragraph.</p>

</body>
</html>
However, if you now go to the secured page (1st tab of the browser), you can still see the link to MyPage on it, which if clicked on would take us to the contents of mypage.html, even though invoking the URL "localhost/xampp/sessions/index.php" in the 2nd tab of my browser has effectively destroyed the session.

I want to prevent the link to MyPage from working once the session is destroyed.

How can this be achieved?

You don't prevent linking to MyPage, you prevent MyPage from loading when there is no active session. You have to add your login verification code to the top of MyPage.html (which you'd rename to MyPage.php since it now contains PHP code) and if no valid login is present, redirect the user somewhere else.

 

With the setup you have, someone doesn't even have to login at all to view MyPage, all they need is the URL. Say someone logged in, then bookmarked MyPage, or sent the link to someone else via IM/Email. They, or whoever they sent the link to, would never have to login again in order to see that page since it is uncontrolled.

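The replies above all come down to one rule: every script that serves protected content must verify the session itself, first thing, before any output, and logout must actually invalidate the session on the server. The following is an added example written for this thread, not code posted by anyone in it and not part of the PHPMySimpleLogin demo. It assumes a file named auth.php that every protected script requires, a SQLite file demo.sqlite (the schema and the demo user John/1234 are constructed here for illustration; on XAMPP you would swap the DSN for MySQL), and PHP 7.3 or later for the array form of session_set_cookie_params(). Beyond the per-page check, it also stores the current session id per user, which is what makes "one machine at a time" from the first post enforceable: a session-only check cannot see a login from a different browser, because that browser has its own cookie.

```php
<?php
// auth.php -- added example, not from the thread. Every protected script
// starts with:  require_once __DIR__ . '/auth.php'; $user = require_login();
declare(strict_types=1);

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        // Assumption: SQLite file beside the scripts (constructed for the demo).
        $pdo = new PDO('sqlite:' . __DIR__ . '/demo.sqlite', null, null,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE IF NOT EXISTS users (
            username TEXT PRIMARY KEY, pwhash TEXT NOT NULL, active_session TEXT)');
        // Constructed demo user with the thread's credentials, hashed not plain.
        $st = $pdo->prepare('INSERT OR IGNORE INTO users VALUES (?, ?, NULL)');
        $st->execute(['John', password_hash('1234', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

function start_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps the cookie away from page scripts; add 'secure' => true
    // once the site is served over HTTPS.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Verifies the credentials and binds this browser session to the user.
function login_user(string $username, string $password): bool {
    start_session();
    $st = db()->prepare('SELECT pwhash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['pwhash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after login: defeats session fixation
    $_SESSION['username'] = $username;
    // Record this session id as the only valid one for the user. Any other
    // session for the same user (another machine or browser) now fails the
    // comparison in require_login() on its next request.
    db()->prepare('UPDATE users SET active_session = ? WHERE username = ?')
        ->execute([session_id(), $username]);
    return true;
}

// Server-side logout: clears the record, the session data and the cookie.
function logout_user(): void {
    start_session();
    if (isset($_SESSION['username'])) {
        db()->prepare('UPDATE users SET active_session = NULL WHERE username = ?')
            ->execute([$_SESSION['username']]);
    }
    $_SESSION = [];
    // session_destroy() alone leaves the cookie in the browser; expire it too.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Call at the top of EVERY protected script, before any output. Returns the
// username, or redirects to the login page and exits.
function require_login(string $login_url = 'index.php'): string {
    start_session();
    $user = $_SESSION['username'] ?? null;
    if ($user !== null) {
        $st = db()->prepare('SELECT active_session FROM users WHERE username = ?');
        $st->execute([$user]);
        if ($st->fetchColumn() === session_id()) {
            return $user;
        }
        // A newer login superseded this session: discard it on this browser too.
        logout_user();
    }
    header('Location: ' . $login_url, true, 303);
    exit;
}

// --- mypage.php (mypage.html renamed, so the guard can run), in full: ---
// <?php require_once __DIR__ . '/auth.php'; $user = require_login(); ?>
// <!DOCTYPE html><html><body>
// <h1>Hello <?= htmlspecialchars($user) ?></h1>
// </body></html>
```

With this guard in place the scenario from the first post resolves itself: after the logout in tab 2, the click in tab 1 reaches require_login(), finds no username in the server-side session store, and is redirected to index.php; the stale page is still visible in tab 1, as the reply above explains, but it can no longer fetch anything. A second login from another machine overwrites active_session, so the first machine is redirected on its next request instead of being silently kept alive. Two caveats a practitioner would add: the `<a href="?logoff">` link in the first post logs the user out on any GET, so a link on another site can trigger it (use a POST form for logout); and duplicated tabs share the same cookie, so neither this code nor anything else on the server can tell them apart, which is the answer later in the thread.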
Hi, what you said is absolutely correct. However, I just have a couple of questions.

1. Once a session is destroyed, shouldn't the link and the page itself become irrelevant?

2. Is there a way by which the hyperlink, upon being pressed, first checks whether the session is valid and only then moves to the next page, which in my case is MyPage?

So I want the authentication to take place on securedpage.php instead of going on to MyPage and checking for it there.

Yes, I did realise that my page would be directly accessible through a hyperlink, but this was just for the sake of an illustration. In an application that page would check for further authentication.

Thanks for all the replies so far. I do hope others will join in too with their valuable suggestions and ideas.

Thanks all!

1. Once a session is destroyed, shouldn't the link and page itself become irrelevant?

"Irrelevant" makes no sense here, perhaps you mean "invalid". In any case, the session is destroyed ON THE SERVER and the browser (THE CLIENT) has no knowledge of this until it requests another page. So the answer is "NO"

 

2. is there a way by which, the hyperlink upon being pressed, should first check if the session is valid and only then move to the next page which in my case is Mypage?

Yes and No. There is no fool-proof way to do this. You can use AJAX on the client side to ask the server if it is ok to follow the link, but since the user has complete control of the CLIENT (browser) such checks can be easily bypassed or ignored. It is the responsibility of each "page" that should be secure to authenticate each and every request. Also, doing an AJAX check and then following the link wastes a lot of resources: bandwidth, server processing, user time. It makes more sense to do the check in the target script.

 

So i want the authentication to take place on the securedpage.php instead of going onto the Mypage and checking for it there.

Can NOT be done. You are trying to make "Mypage" a secured page, so it MUST validate the request.
  • 2 weeks later...

Hi guys!! Hope all of you are good and doing great!

So I have achieved a login system which I think is secure enough, in the sense that it does not allow multiple logins. It takes care of back arrows and stuff like that, and as far as I have tested the system it is just fine as long as the person is trying to log in a 2nd time. It prevents that successfully.

However, once a person is logged in and is on his secure page, and that person uses the right key to create a duplicate page there, or for that matter n duplicate pages, he can do so! Now I am beside myself trying to find a way to prevent that. How can I prevent the logged-in user from duplicating his secured page? I have not been able to come up with anything that can check that.

Any suggestions? I most desperately hope that someone has a solution to that one. Awaiting the response of gurus and senior members.

Thanks all in advance for your time, effort and help.

Ajoo.

Are you talking about something like the 'Duplicate tab' option in chrome where it opens the same page in another tab? You can't prevent that. People opening your site in multiple tabs is, for the most part, just something you have to accept, there isn't much you can do to control things like that.

Yes, I am talking about the 'Duplicate Tab' option in Chrome that opens a duplicate of the page in another tab. So there is no way for PHP or JavaScript to detect that a duplicate tab has been created of an already open page, and there is no way to stop or prevent that using PHP or JavaScript etc.

Please confirm.

Thanks all.

So there is no way for PHP or JavaScript to detect that a duplicate tab has been created of an already open page, and there is no way to stop or prevent that using PHP or JavaScript etc.

No, there isn't. Just learn to live with the fact that the user can open your site in however many tabs they want. Why are you trying to prevent such a thing anyway? I'd just be pissed off and never visit the site again if it was preventing me from using tabs
