Security passing variables through browser


jmayer

Right now I am using sessions for a login with something like this at the top of each page

 

session_start();
if(!isset($_SESSION['auth']) && !isset($_SESSION['admin'])){
	session_destroy();
	header("Location: http://localhost/web/");
}elseif(isset($_SESSION['auth']) && !isset($_SESSION['admin'])){
	session_destroy();
	header("Location: http://localhost/web/");
}

 

Now if you tried to go to one of these pages while not being logged in, it redirects you back to the homepage.

However, on some pages like this I pass variables through the URL such as edit_menu?id=10&action=delete. This code is included in the header of the page. The problem is, even when I am not logged in, I can type in the URL with variables passed through it and it will perform the action and THEN redirect me back to the home page. It seems to run all the code in the header before redirecting.

 

What would be the best way to deal with this, register all variables to the session? Or would just putting the functions down in the body of the page work?

 

Thanks


You need to place an exit() after any calls to header to stop the rest of the script being executed.

 

<?php

  session_start();
  if (!isset($_SESSION['auth']) && !isset($_SESSION['admin'])) {
    session_destroy();
    header("Location: http://localhost/web/");
    exit();
  } elseif (isset($_SESSION['auth']) && !isset($_SESSION['admin'])) {
    session_destroy();
    header("Location: http://localhost/web/");
    exit();
  }

?>


[...] cause for some reason the script does not always seem to stop after the header();

 

That's because you don't tell it to. PHP does not care what headers you send, it just sends them. PHP is not the thing redirecting, nor is it the web server. It's the browser. The Location header just tells the browser to go somewhere, but the browser can choose to not do so.


When using the PHP header() function, it includes the content of the page specified

 

No, the header function simply sends a header to the browser and keeps on executing the script. If you happen to send a Location header, the browser will redirect to that page.


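The advice in the replies above, put together as one page-top guard (an added example, not code posted by anyone in this thread): the redirect and the exit() live in a single function that runs before anything reads the URL parameters, so an unauthenticated request to edit_menu?id=10&action=delete never reaches the delete code. The names require_admin() and delete_menu_item() are hypothetical; the session keys and redirect URL are the ones from the question.

```php
<?php
declare(strict_types=1);

/**
 * Stop the request unless the session carries the 'admin' flag.
 * Call this before any code that reads $_GET/$_POST or changes data.
 */
function require_admin(string $redirectTo): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Both branches in the thread's code fire whenever 'admin' is unset,
    // so a single test covers them.
    if (isset($_SESSION['admin'])) {
        return; // authorised: let the page continue
    }

    session_destroy();
    header('Location: ' . $redirectTo);
    // header() only adds a response header. The client decides whether to
    // follow it, so exit() is what keeps the rest of the page from running.
    exit();
}

// Hypothetical stand-in for the page's real delete routine.
function delete_menu_item(int $id): string
{
    return "menu item {$id} deleted";
}

require_admin('http://localhost/web/'); // first thing the page does

// Reached only with an admin session, e.g. edit_menu?id=10&action=delete
$action = $_GET['action'] ?? '';
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT); // int, false or null

if ($action === 'delete' && is_int($id)) {
    echo delete_menu_item($id);
}
```

To check a page, request it without a session using a client that does not follow redirects: the response should be the redirect alone, with an empty body and no change to the data.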