Secure or may be over

user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

Hi guys,
I am wondering how to cope with a security issue. I have a log-in form. When a user logs in they are redirected to a logged.php file (all browsing activity is then done only in this file). It has a function which checks the username and the password previously entered in the log-in form. Do you think this is a good solution for security logic?

Here the question comes. I have a .conf file which is different according to a user's status: if they are logged in it is one, otherwise another. I have a constant in it called $IS_LOGGED = 1; and my very question is whether it is a good idea to check, within each query, whether the is_logged column for the user's id in a database table is equal to 1.
Sorry, I was not very clear. I will try to explain it better: the constant is different for each .conf file. I have a table with users, and checking the constant against its supposed value in the database is what I want to do. If something is not clear please ask.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Still not getting it :-( You have a conf file per user that indicates their logged-in status?
cinac
Forum Newbie
Posts: 9
Joined: Wed Nov 16, 2005 1:30 pm

Post by cinac »

I set a session variable upon successful authentication, then have a quick check at the top of each PHP page that checks for that variable to be set. If not, I bounce them to the login page via a header() call.

If you're using a variable, and are deployed on a server with register_globals enabled (which it should not be, by the way), someone could set that variable's value in the URL and, poof, they are logged in. Granted, they have to guess the variable and the value it needs to be, but it's so much simpler to do with a session variable that they can't tamper with (IMO anyway).
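A worked version of the session gate cinac describes, added here as an example; it is not code from anyone in this thread. The file names login.php and logged.php follow the original poster's description; the users table with id, username and password_hash columns, and the PDO handle passed to handle_login(), are assumptions. It also shows, commented out, the register_globals pattern cinac warns about. Requires PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the original thread): session-based login gate.
// Assumed: a `users` table with columns id, username, password_hash, where
// password_hash was produced by password_hash($pw, PASSWORD_DEFAULT).

// --- auth.php: include at the top of every protected page -----------------

function start_secure_session(): void
{
    // The session id travels only in a cookie (never in the URL), strict mode
    // refuses ids the server did not issue, HttpOnly keeps the cookie away
    // from page scripts, and Secure limits it to HTTPS when HTTPS is in use.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

function require_login(): void
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        // Bounce to the login form. The exit is essential: header() alone does
        // not stop PHP from sending the rest of the protected page's output.
        header('Location: login.php');
        exit;
    }
}

// Vulnerable pattern cinac warns about (kept only as a comment, do NOT use):
// with register_globals=On, a request for logged.php?logged_in=1 creates
// $logged_in = "1" before this line runs, so the check passes with no
// authentication at all. $_SESSION is server-side state, so the client
// cannot set it the same way.
//
//   if (!$logged_in) { header('Location: login.php'); exit; }

// --- login.php: handle the submitted form ----------------------------------

function handle_login(PDO $db, string $username, string $password): bool
{
    start_secure_session();

    // Prepared statement: the username never becomes part of the SQL text,
    // so there is nothing to escape and no injection through this field.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the submitted password against the stored hash;
    // an unknown username and a wrong password take the same branch.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session id at the privilege change. An id an attacker
    // planted in the victim's browser before login (session fixation) is
    // therefore not the id that carries the logged-in state.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// --- logout.php -------------------------------------------------------------

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
    header('Location: login.php');
    exit;
}

// Usage in logged.php (and any other protected page):
//   require 'auth.php';
//   require_login();
//   ... page content for $_SESSION['user_id'] ...
```

The logged-in state lives only in the server-side session store, keyed by the cookie; nothing the client can put in the URL or POST body changes it, which is the point cinac makes about register_globals. The single `is_logged` column the original poster considers is not needed for this: the session itself is the record of who is logged in, and a database flag would also go stale whenever a session expires without an explicit logout.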
Rovas
Forum Contributor
Posts: 272
Joined: Mon Aug 21, 2006 7:09 am
Location: Romania

Post by Rovas »

Use something like

Code:
// it's a super variable and it's recognized in all the pages
$_SESSION["user"]

and don't put sensitive data in the URL (or validate it and use magic quotes if you have to).
Read the tutorials on super variables on php.net or search for tutorials on validation and security for PHP; you can also read some posts on this matter.