
Re: secring multiple pages

Posted: Tue Jan 25, 2011 10:53 am
by social_experiment

Re: secring multiple pages

Posted: Sat Jan 29, 2011 12:06 am
by social_experiment
:) At the start and till you find an answer

Re: secring multiple pages

Posted: Tue Feb 08, 2011 10:57 am
by shehan31
Hi Social;
I have tried this but it still does not give me the answer. In my auth page I have set the session variable and opened a session.
In the auth page
-------------------
session_start();
$_SESSION['lia'] = "$username";
// ...and this redirects to a home page that consists of a number of sub-pages under tabs (like buttons; when you click one it redirects to another page).
------------
In my home page and in other pages.
-------------------
session_start();
if (empty($_SESSION['lia'])) {
    header('Location: http://localhost/guestbook/useradd.php'); // this is my auth page
    exit();
}
else {
    /// the code
}
session_destroy(); // ends the session on every page load, so the next page's check finds no session
--------------------
*** When I click on other tabs inside my home page, it redirects to the auth page. That is not what I want. What I want is that it should be accepted inside the home page and should not be accepted if the outside world tries to access it.

Regards
Shehan31
social_experiment wrote: Yes, that is referred to as an 'auth' page (unofficially, probably). You set some session variables when you log in and then the 'auth' page checks if these values are set each time a 'protected' page is accessed. If the conditions are not met, the user is probably NOT logged in and is trying to access the pages incorrectly and invalidly, and they are redirected to a page of your choice.

Code:

<?php
session_start();

// Reject the request unless both session values exist and the id is non-empty.
// (The original tested trim($_SESSION['member_id'] == ''), which trims a boolean.)
if ( !isset($_SESSION['member_id']) || trim($_SESSION['member_id']) == '' || !isset($_SESSION['member_name']) ) {
    unset($_SESSION['member_id']);
    unset($_SESSION['member_name']);
    header("location: somepage.php");
    session_destroy();
    exit();
}
?>
Hth

Re: secring multiple pages

Posted: Tue Feb 08, 2011 4:25 pm
by social_experiment
The code that you have on the other pages (home, etc.) should be inside the 'auth' page. The reason for this is that you include this page so you don't have to write your check at the top of each page.

Code:

<?php
session_start();
if (!isset($_SESSION['your_variable'])) {
 header('location: login_page.php');
 exit();
}
?>
This is an example of the auth page. You then include it on all your other pages.

Code:

<?php include_once('auth.php'); ?>

Code:

<?php $_SESSION['lia'] = "$username"; ?>
Setting of session variables should be done when authentication is completed.

Re: secring multiple pages

Posted: Wed Feb 09, 2011 4:36 am
by shehan31
Hi social;
Thank you for the reply. It isn't possible to include all the code inside this auth.php page because it is big, and I've got the feeling that all five pieces of code will be displayed on one page. So it will make a mess.
social_experiment wrote: Thank you for your support. The code that you have on the other pages (home, etc.) should be inside the 'auth' page. The reason for this is that you include this page so you don't have to write your check at the top of each page.

Code:

<?php include_once('auth.php'); ?>
Without this the page still redirects to the auth page. The only problem is that after logging in using auth.php, it still redirects to login.php even if I click another page inside the home page. I am running out of thoughts. :banghead:
Regards
Shehan31

Re: secring multiple pages

Posted: Wed Feb 09, 2011 6:09 pm
by fbatalha
Hello,
isn't the mentioned code vulnerable to SQL injection?

Code:

$username = $_POST['username'];
$password = $_POST['password'];

// user input is interpolated straight into the SQL text
$sql = mysql_query("SELECT * FROM login WHERE user='$username' AND password='$password'") or die(" error with table");
Regards.

Re: secring multiple pages

Posted: Wed Feb 09, 2011 11:56 pm
by social_experiment
Yes, mysql_real_escape_string() should always be used when accepting user input into a SQL query.
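Added example (not code from this thread or from any of the posters) that brings together the auth include pattern social_experiment describes earlier and the injection issue fbatalha raises: the session check lives in one function included on every protected page, and the login query uses PDO prepared statements with password_verify() in place of escaping a string-built query. Assumed: a `login` table with `id`, `user` and `password_hash` columns, and the function names require_login and try_login.

```php
<?php
// Added example, not from the thread. Assumes table `login` with columns
// `id`, `user`, `password_hash` (the last produced by password_hash()).

// --- auth.php: include_once at the top of every protected page ---
function require_login(string $loginUrl = 'login_page.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['member_id'])) {
        header('Location: ' . $loginUrl);
        exit();            // stop rendering the protected page
    }
    // Do not call session_destroy() at the end of protected pages:
    // that wipes the session the next page's check relies on.
}

// --- login handler: called from the login form's POST target ---
function try_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely,
    // so quotes in $username cannot change the query's structure.
    $stmt = $db->prepare('SELECT id, password_hash FROM login WHERE user = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash, never against a plaintext column.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);          // new id after privilege change
    $_SESSION['member_id']   = (int) $row['id'];
    $_SESSION['member_name'] = $username;
    return true;
}

// Usage in login_page.php (credentials are placeholders):
// session_start();
// $db = new PDO('mysql:host=localhost;dbname=guestbook', 'DB_USER', 'DB_PASS',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (try_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: home.php');
//     exit();
// }
```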

Re: secring multiple pages

Posted: Sat Feb 12, 2011 2:14 am
by shehan31
Can someone help to sort out this matter.
:banghead:
social_experiment wrote:Yes, mysql_real_escape_string() should always be used when accepting user input into a SQL query.

Re: secring multiple pages

Posted: Sat Feb 12, 2011 2:22 am
by Mordred
Read my article and try the examples to see for yourself:

http://www.webappsec.org/projects/articles/091007.shtml

Re: secring multiple pages

Posted: Tue Mar 01, 2011 1:39 am
by sankha.icraft
The discussion really helped me.

Thanks.