Page 1 of 1

How secure is this?

Posted: Mon Dec 06, 2004 11:00 pm
by Benjamin
I am building a very large website. Virtually all of the pages will require that a user be logged in. Since very few of the webpages don't require a login, I created an exception list.

Code: Select all

<?php
if ($_SESSION['IsLoggedIn'] != TRUE)
  {
  $LoginExemptURI = array();
  array_push($LoginExemptURI, "login.php", "index.php", "newmember.php");
  if (!in_array(strtolower($_SERVER['REQUEST_URI']), $LoginExemptURI))
    {
    header("Location: " . RootHTTPAddress . "login.php");
    exit;
    }
  }

?>
You can't forge the URI, and if the URI is not in this list, and the user is not logged in, then they get redirected to the login page. Any thoughts on this? I really don't see a way around it, but wanted to run it past ya'all.

Posted: Mon Dec 06, 2004 11:45 pm
by rehfeld
curious why did you use array_push?

opposed to just
$LoginExemptURI = array( "login.php", "index.php", "newmember.php");

also, what about if the url has a query string?
it wont match any of the available pages then

but i dont see any vulnerabilites w/ it

Posted: Tue Dec 07, 2004 12:38 am
by Benjamin
Thanks for the reply. No reason in particular for using array_push, I most likely used it because it is more descriptive then just array. Using array might be more efficient though so I might modify that.

As for the query strings, I didn't think about that, but it's not a problem since any link with a query string would require that the user be logged in anyway.

Posted: Tue Dec 07, 2004 5:49 am
by harsha
I feel it is good to store the $LoginExemptURI array data in database.
this is because in your message you said that the site is large,
so the number of php lines are more.

if the site accesses other php module(s)/file(s) using something like this

index.php?load=controlpanel

say if every one has access index.php
and say if controlpanel module has very limited access,
through index.php they can access controlpanel,
I feel that a little care should be taken while dealing with $_GET in this case.

these are the ideas that flashed to me :-)

harsha

Posted: Tue Dec 07, 2004 8:15 am
by Maugrim_The_Reaper
As above - would be better to store the urls on the database. Depends on how extensive your uri exemption system will be. I don't see any issues with get variables in the above - you are redirecting to a php file without any query string - something to keep in mind however if you extend this system. You'd need to authorise the full url, query string and all for it to function effectively.

Nice to see another url authorised listing being used :)