how to make the logged in pages safe?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

fredelius
Forum Newbie
Posts: 1
Joined: Wed Aug 19, 2009 4:44 pm

how to make the logged in pages safe?

Post by fredelius »

pickle | Please use [ code=php ], [ code=text ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


I have this PHP code on the login page. Then I want to keep a session to the next page so visitors can only get to that page by logging in. Right now visitors can type the address of the logged-in page and they get there. I want them to get sent back to the login page instead. I would be glad if someone could help me :)

Code:

<?php
session_start();

// Demo credentials: user name => landing page and (plain-text) password
$data = array(
    "client1" => array("url" => "client1.php", "password" => "client1"),
    "client2" => array("url" => "client2.php", "password" => "client2")
);

if (isset($_POST['username']) && isset($_POST['password'])) {
    // check that the user exists before reading its entry (avoids an undefined index)
    if (isset($data[$_POST['username']])
        && $data[$_POST['username']]['password'] === $_POST['password']) {
        $_SESSION['username'] = $_POST['username'] . " " . $_POST['password'];
        header('Location: ' . $data[$_POST['username']]['url']);
        exit; // stop here, otherwise the rest of this script still runs after the redirect
    } else {
        login('Wrong user name or password. <br>');
    }
} else {
    login();
}

function login($response = 'Här loggar du in.') {
    echo $response; // message shown above the form
    // The login form markup that followed here was cut off in the original post.
}
?>

robnet
Forum Commoner
Posts: 85
Joined: Mon Aug 10, 2009 8:32 am
Location: South East, UK

Re: how to make the logged in pages safe?

Post by robnet »

If you create a new session var (eg $_SESSION['loggedin']) during the login script you can check for this on other pages:

Code:

if (isset($_SESSION['loggedin'])) {
    // logged in
} else {
    // header redirect to login page
}
Don't forget to unset it (or destroy the session) when the user logs out!
post_phobic
Forum Newbie
Posts: 8
Joined: Tue Feb 03, 2009 3:58 pm

Re: how to make the logged in pages safe?

Post by post_phobic »

robnet wrote: Don't forget to unset it (or destroy the session) when the user logs out!
Hopefully not threadjacking too much, but would this be an appropriate way to destroy all of the user's session variables?

Code:

function logOut() {
    session_destroy();
    $_SESSION = array();
}
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: how to make the logged in pages safe?

Post by jackpf »

I don't think you need the second line.

session_destroy() should wipe all data from the current session. The only thing it doesn't do is unset the cookie. If you wanted to, you'd have to do it manually:

Code:

setcookie('cookie_name', null, -1000, '/', 'yourdomain.com');
post_phobic
Forum Newbie
Posts: 8
Joined: Tue Feb 03, 2009 3:58 pm

Re: how to make the logged in pages safe?

Post by post_phobic »

jackpf wrote:

Code:

setcookie('cookie_name', null, -1000, '/', 'yourdomain.com');
Good to know, thanks for the code!
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: how to make the logged in pages safe?

Post by Mordred »

Important correction:
robnet wrote: If you create a new session var (eg $_SESSION['loggedin']) during the login script you can check for this on other pages:

Code:

if (isset($_SESSION['loggedin'])) {
    // logged in
} else {
    // header redirect to login page
    exit(); // otherwise the script below will continue executing!
}
Don't forget to unset it (or destroy the session) when the user logs out!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: how to make the logged in pages safe?

Post by kaisellgren »

session_destroy() will destroy the session data. However, the data will remain in memory for the rest of the execution, but that is not a problem.
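Putting the thread's points together in one include file: the loggedin flag robnet suggests, the exit after the redirect that Mordred adds, and a logout that clears the cookie as well as the server-side data. This is an added example, not code from any poster; it assumes the login page is login.php and that the login script calls markLoggedIn() once the password check has passed.

```php
<?php
// auth_guard.php: require this at the top of every page that needs a login.
// Added example, not from the thread. Assumed names: login.php, markLoggedIn().
declare(strict_types=1);

function requireLogin(string $loginUrl = 'login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['loggedin'])) {
        header('Location: ' . $loginUrl);
        // Without this the rest of the protected page is still sent to the
        // client; the redirect only takes effect once the browser follows it.
        exit;
    }
}

// Call this after the credentials have been verified (e.g. password_verify()).
function markLoggedIn(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // drop the pre-login id (prevents session fixation)
    $_SESSION['loggedin'] = true;
    $_SESSION['username'] = $username;
}

function logOut(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                          // clear the data for this request
    if (ini_get('session.use_cookies')) {    // expire the session cookie as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                       // remove the server-side session data
}
```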