securing multiple pages

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

securing multiple pages

Post by shehan31 »

Hello everyone;
I have developed a site and it contains multiple pages. The pages are listed on the home page. I am looking for a method where one can log in once and it works for the other listed pages as well. Ex: if I log into my home page using my login password, I would be able to view all the pages listed on the home page. Yes, that does not need any method, but my question is: if someone types into the address bar of the web page, let's say www.devnet.com/accounts.php, he will be able to view all the info on the accounts page which is under the home page. If I use the <?php include ?> syntax, it will ask the user for the password and the name each time that a user wants to visit that page via the home page.
I have found a piece of code on the net and it does not contain what I wanted.

Code:

<?php
// Check if login button has been pressed
if (isset($_POST['login'])) {
    // Define admin username and password
    $a_username = "test";
    $a_password = "pass";
    // Define $_POST's from form text fields
    $username = $_POST['username'];
    $password = $_POST['password'];
    // Add some stripslashes
    $username = stripslashes($username);
    $password = stripslashes($password);
    // Check if username and password are good; if they are, start the session
    if ($username == $a_username && $password == $a_password) {
        session_start();
        $_SESSION['s_logged_n'] = 'true';
        $_SESSION['s_username'] = $username;
        // Echo message for successful login
        echo "Congratulations $username, you may now proceed to the <a href=\"admin.php\">admin area</a>!";
    } else {
        // If username and/or password is incorrect then output it
        echo "Username $username or password $password is incorrect, please try again";
    }
} else {
    // If someone just opens login.php tell them to use the login form
    echo "Please use <a href=\"form.php\">form</a> to login";
}
I have found something called sessions; does it help?
Can someone help?
Regards
Shehan31
Peter Kelly
Forum Contributor
Posts: 143
Joined: Fri Jan 14, 2011 5:33 pm
Location: England

Re: securing multiple pages

Post by Peter Kelly »

Hi. Yes, I believe what you are looking for is sessions, but I have written a user system tutorial which I think is what you are ideally looking for. It's only simple, but there are more additions coming in the further parts. The link is http://www.peter-kelly.me/tutorials/user-system-part-1/

I'm not sure if I am allowed to post the link, but if a moderator removes it just PM me and I will send it to you :).
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: securing multiple pages

Post by social_experiment »

You create a page that checks whether certain conditions are met; if they are, your user is logged in; if not, redirect. Is this what you are referring to?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: securing multiple pages

Post by shehan31 »

social_experiment wrote:You create a page that checks whether certain conditions are met; if they are, your user is logged in; if not, redirect. Is this what you are referring to?
hi social;
Thank you for the reply. The idea is the page has about 5 tabs. Ex : home,accounts, summary, refunds, stock control. each tab has five seperate php scripts. once the user logged in he should be able to see evert thing and it shoud not be accessed from outside.( Ex: if you type http//forums.devnet.net/accounts.php, then it shoud be redircted to the log in form ).
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: securing multiple pages

Post by social_experiment »

Yes, that is referred to as an 'auth' page (unofficially, probably). You set some session variables when you log in, and then the 'auth' page checks if these values are set each time a 'protected' page is accessed. If the conditions are not met, the user is probably NOT logged in and is trying to access the pages incorrectly and invalidly, and they are redirected to a page of your choice.

Code:

<?php
session_start();

// 'auth' page: include it at the top of every protected page.
// If the values set at login are missing or empty, the visitor is not
// logged in, so clear the session and send them somewhere else.
if (!isset($_SESSION['member_id']) || trim($_SESSION['member_id']) == '' || !isset($_SESSION['member_name'])) {
    unset($_SESSION['member_id']);
    unset($_SESSION['member_name']);
    header("Location: somepage.php");
    session_destroy();
    exit();
}
?>
Hth
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: securing multiple pages

Post by shehan31 »

Hi Social;
Thank you for the reply. Here is my code, and I am trying to understand the functionality of both the sessions and the cookies.

Code:

<?php

$connect = mysql_connect("localhost", "root", "") or die("error");
mysql_select_db("guestbook") or die("Error Connecting With The Database");

if (isset($_POST['Login'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = mysql_query("SELECT * FROM login WHERE user='$username' AND password='$password'") or die(" error with table");
    $nr = mysql_num_rows($sql);
    if ($nr == 0) {
        echo "you are not authorized";
    } else {
        $info = mysql_fetch_array($sql);
        echo "you are authorized";
    }
}
echo "
 <div id='second_table' style='float: left; width: 800px; position:absolute; top:250px; right:300px'>

 <form action = 'useradd.php' method='post'>
   <tr>
        <td>
         <font size='5' face='times new roman'>Username</font>
        </td>
        <td>
        <input type='text' name='username' maxlength='200'>
        </td>
   </tr>
   <tr>
        <td></br></br>
         <font size='5' face='times new roman'>Password</font>
        </td>
        <td>
        <input type='password' name='password' maxlength='200'>
        </td>
   </tr>
   <tr>
       <td align='center' valign='top' colspan='2'>
        <input type='submit' name='Login' value='Login'>
       </td>
   </tr>
   </form>";
?>
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: securing multiple pages

Post by social_experiment »

shehan31 wrote:I am trying to understand the functionality of both the sessions and the cookies.
In the 'auth' page you use them to remember certain values. Cookies work on a similar principle (remembering information). Once you have logged in the user, regenerate the session id and redirect the user to a 'logged in' page. From there, your 'auth' page is included at the top of all the pages you want to protect. If you want to learn more about sessions and cookies, try Google. There is more information available than I can offer :) (Also try a search on the forum; sessions have been covered a lot.)
Hth
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: securing multiple pages

Post by shehan31 »

hi social;
I have tried something but it gives me a notice.
Notice: Undefined index: lia in C:\wamp\www\guestbook\test_session.php on line 3

First of all, I have created an authentication page which has a session variable called $user.

Code:

<?php

$connect = mysql_connect("localhost", "root", "") or die("error");
mysql_select_db("guestbook") or die("Error Connecting With The Database");

if (isset($_POST['Login'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = mysql_query("SELECT * FROM login WHERE user='$username' AND password='$password'") or die(" error with table");
    // the session starts from here.
    session_start();
    $_SESSION['lia'] = "$username";
    $nr = mysql_num_rows($sql);
    if ($nr == 0) {
        echo "you are not authorized";
    } else {
        $info = mysql_fetch_array($sql);
        echo "<a href='test_session.php'>go to home page</a>";
    }
}
echo "
 <div id='second_table' style='float: left; width: 800px; position:absolute; top:250px; right:300px'>

 <form action = 'useradd.php' method='post'>
   <tr>
        <td>
         <font size='5' face='times new roman'>Username</font>
        </td>
        <td>
        <input type='text' name='username' maxlength='200'>
        </td>
   </tr>
   <tr>
        <td></br></br>
         <font size='5' face='times new roman'>Password</font>
        </td>
        <td>
        <input type='password' name='password' maxlength='200'>
        </td>
   </tr>
   <tr>
       <td align='center' valign='top' colspan='2'>
        <input type='submit' name='Login' value='Login'>
       </td>
   </tr>
   </form>";
?>

If the login is a success then it will redirect you via a link to a page which consists of the system. It also has a session with a variable which was defined earlier in the auth page. It works if I try to access the page from the browser's address bar, but with a notice.

Code:

<?php
session_start();
$name = $_SESSION['lia'];

if (!$name || $name == '') {
    die("<a href='useradd.php'> you must log in </a>");
}

echo "you have accessed the page";
session_destroy();
?>
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: securing multiple pages

Post by social_experiment »

When you work with sessions, you must always call session_start() to initialize the session.
shehan31 wrote:bar but with a notice.
Which notice do you get?
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: securing multiple pages

Post by shehan31 »

hi social;
Thank you for the reply. Yes, I have opened a session in both scripts and it was there.
The notice that I get is:
Notice: Undefined index: lia in C:\wamp\www\guestbook\test_session.php on line 3.
As I expected, it cannot be accessed via the address bar on the browser without logging in, but the notice is the worry.
regards
Shehan31
social_experiment wrote:When you work with sessions, you must always call session_start() to initialize the session.
shehan31 wrote:bar but with a notice.
Which notice do you get?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: securing multiple pages

Post by social_experiment »

I'm referring to this page; does this have session_start()?

Code:

<?php
session_start();
// add session start
$connect = mysql_connect("localhost", "root", "") or die("error");
mysql_select_db("guestbook") or die("Error Connecting With The Database");

if (isset($_POST['Login'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = mysql_query("SELECT * FROM login WHERE user='$username' AND password='$password'") or die(" error with table");
    // the session starts from here.
    session_start();
    $_SESSION['lia'] = "$username";
    $nr = mysql_num_rows($sql);
    if ($nr == 0) {
        echo "you are not authorized";
    } else {
        $info = mysql_fetch_array($sql);
        echo "<a href='test_session.php'>go to home page</a>";
    }
}
echo "
 <div id='second_table' style='float: left; width: 800px; position:absolute; top:250px; right:300px'>

 <form action = 'useradd.php' method='post'>
   <tr>
        <td>
         <font size='5' face='times new roman'>Username</font>
        </td>
        <td>
        <input type='text' name='username' maxlength='200'>
        </td>
   </tr>
   <tr>
        <td></br></br>
         <font size='5' face='times new roman'>Password</font>
        </td>
        <td>
        <input type='password' name='password' maxlength='200'>
        </td>
   </tr>
   <tr>
       <td align='center' valign='top' colspan='2'>
        <input type='submit' name='Login' value='Login'>
       </td>
   </tr>
   </form>";
?>
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: securing multiple pages

Post by shehan31 »

hi social_experiment;
Yes, it has, but it is somewhere in the middle with a comment. Does it make any sense?
regards
Shehan31

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: securing multiple pages

Post by social_experiment »

Move it to the top of the page and see what happens; this is from the PHP manual:
PHP Manual wrote:If you are using cookie-based sessions, you must call session_start() before anything is outputted to the browser.
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: securing multiple pages

Post by shehan31 »

It doesn't work either. Same result, with a notice.
social_experiment wrote:Move it to the top of the page and see what happens, this from the php manual
PHP Manual wrote:If you are using cookie-based sessions, you must call session_start() before anything is outputted to the browser.
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: securing multiple pages

Post by shehan31 »

Does anyone know what this notice is and how to eliminate it?
shehan31 wrote:It doesn't work either. Same result, with a notice.
social_experiment wrote:Move it to the top of the page and see what happens, this from the php manual
PHP Manual wrote:If you are using cookie-based sessions, you must call session_start() before anything is outputted to the browser.
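The thread ends without an answer, so here is the whole flow the replies describe (log in, regenerate the session id, include an 'auth' check at the top of every protected page) in one file. This is an added example, not code from any poster: it keeps the thread's `login` table with `user` and `password` columns but assumes `password` holds a password_hash() value rather than plaintext, assumes PDO with a MySQL DSN whose credentials are placeholders, and assumes the file names auth.php, login.php and accounts.php. The isset() test in require_login() is what removes the "Undefined index: lia" notice: $_SESSION['lia'] simply does not exist for a visitor who never logged in, so reading it directly raises the notice, whereas isset() does not. Calling session_start() exactly once, at the top and before any output, also avoids the "A session had already been started" notice that the second call in the reposted login script produces.

```php
<?php
// auth.php (added example; not from the thread). Assumed: PDO, a MySQL DSN with
// placeholder credentials, and a `login` table whose `password` column stores
// password_hash() output. Create users with password_hash($pw, PASSWORD_DEFAULT).
declare(strict_types=1);

// One session_start(), before any output, shared by login.php and every
// protected page that require_once's this file.
session_start();

function db(): PDO
{
    // DSN, user and password are placeholders; adjust to your environment.
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=guestbook;charset=utf8mb4',
            'app_user', 'APP_PASSWORD_PLACEHOLDER', [
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false,
            ]);
    }
    return $pdo;
}

// Called from login.php when the form is submitted. Returns true on success.
function attempt_login(string $username, string $password): bool
{
    // Prepared statement: the submitted values never become part of the SQL
    // text, unlike "WHERE user='$username' AND password='$password'".
    $stmt = db()->prepare('SELECT password FROM login WHERE user = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash; the plaintext password is never stored.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // New session id on login so a pre-login id cannot be reused (fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Put require_login() at the top of accounts.php, summary.php, etc.
function require_login(string $login_page = 'login.php'): void
{
    // isset() is the notice-free way to test a key that may be absent.
    if (!isset($_SESSION['user']) || $_SESSION['user'] === '') {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_page);
        // Without exit() the rest of the protected page would still render.
        exit();
    }
}

// Clears server-side session data and the session cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// login.php (assumed file name), in outline:
//   require_once __DIR__ . '/auth.php';
//   if (isset($_POST['Login'])
//       && attempt_login((string)($_POST['username'] ?? ''),
//                        (string)($_POST['password'] ?? ''))) {
//       header('Location: home.php');
//       exit();
//   }
//   // ... print the form; pass anything echoed back through htmlspecialchars() ...
//
// accounts.php (and every other tab):
//   require_once __DIR__ . '/auth.php';
//   require_login();
//   // ... page content ...
```

Typing accounts.php straight into the address bar now lands on login.php, because require_login() runs before any of the page is produced; a failed form submission should report "invalid username or password" without echoing either value back, and the login page should not print anything before auth.php has been included.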