Secure or may be over

Posted: Wed Feb 21, 2007 2:53 pm
by user___
Hi guys,
I am wondering how to cope with a security issue. I have a login form. When a user logs in they are redirected to a logged.php file (all browsing activity is then done only in this file). It has a function which checks the username and the password previously entered in the login form. Do you think this is a good solution for the security logic?

Here the question comes. I have a .conf file which is different according to a user's status. If they are logged in it is one, otherwise another. I have a constant in it called $IS_LOGGED = 1; and my very question is whether it is a good idea to check, within each query, whether a table in the database has the is_logged column for the user's id equal to 1.
Sorry, I was not very clear. I will try to explain it better: the constant is different for each .conf file. I have a table with users, and checking the constant against its supposed value in the database is what I want to do. If something is not clear please ask.

Posted: Wed Feb 21, 2007 10:13 pm
by Kieran Huggins
Still not getting it :-( You have a conf file per user that indicates their logged-in status?

Posted: Wed Feb 21, 2007 11:53 pm
by cinac
I set a session variable upon successful authentication, then have a quick check at the top of each PHP page that checks for that variable to be set. If not, I bounce them to the login page via a header() call.

If you're using a variable, and are deployed on a server with register_globals enabled (which it should not be, by the way), someone could set that variable's value in the URL and poof they are logged in. Granted, they have to guess the variable and the value it needs to be, but it's so much simpler to do with a session variable that they can't tamper with (IMO anyway).

Posted: Thu Feb 22, 2007 4:13 am
by Rovas
Use something like

Code:

// $_SESSION is a superglobal: once session_start() has run it is recognized in all the pages
$_SESSION["user"]

and don't put sensitive data in the URL (or validate it and use magic quotes if you have to).
Read the tutorials on super variables on php.net, or search for tutorials on validation and security for PHP; you can also read some posts on this matter.
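Putting cinac's session check and Rovas's $_SESSION advice together in working code, as an added example that is not from anyone in this thread: it assumes PHP 7.3 or later, an open PDO connection, and a hypothetical users table with id, username and password_hash columns (hashes produced by password_hash()). The logged-in marker lives server-side in the session, so a query-string parameter cannot set it the way a register_globals variable could.

```php
<?php
// auth.php: require_once this file at the top of every protected page.
// Added example (not code from the thread). Assumes PHP >= 7.3, a PDO
// connection, and a hypothetical `users` table (id, username, password_hash).
declare(strict_types=1);

// Cookie flags must be set before session_start(): HttpOnly keeps the session
// id away from script, Secure keeps it off plain HTTP, SameSite limits CSRF.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Called by the login form handler: verifies the password against the stored
// hash and, only on success, marks the session as authenticated.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same result for unknown user and wrong password
    }

    // Issue a fresh session id on privilege change so a session id an
    // attacker planted before login (session fixation) is not promoted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// The per-page check cinac describes: anonymous visitors are bounced to the
// login page via header(); exit stops the protected content from being sent.
function require_login(string $loginUrl = '/login.php'): int
{
    if (!isset($_SESSION['user_id'])) {
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
    return $_SESSION['user_id'];
}

// Logout clears the server-side state and the cookie, not just one key.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Usage: a protected page starts with `require_once 'auth.php'; $userId = require_login();` and then works with $userId; the login form handler calls login() and redirects on true. Nothing about the user's status needs to be written into a per-user .conf file or re-checked in every query, because the session itself is the record of who is logged in.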