Problem with Security
Posted: Tue Jan 13, 2009 8:22 am
by kostasps
Hello friends,
I need your help with the following issue:
Well, suppose that I have a domain (e.g. http://www.mypage.com), and in this domain there is a subdomain (e.g. http://www.mypage.com/Myadmin), and in this subdomain there are two PHP files that support the main page (http://www.mypage.com).
The first one is called admin.php, and in it the user gives his login and his password (which I compare with the records of the table users of my database), and if he succeeds then he is redirected to the second file - contents.php - in which he can see all the tables of the database and, if he wants, he can add or remove records from these tables.
Now, in order to secure the file contents.php, in the admin.php file - if the registration succeeds - I do the following procedure:
1) I call the function session_start();
2) I build a session variable to which I give a certain value:
$_SESSION['user'] = "administrator"
3) I redirect him to the file contents.php
In the contents.php file, before anything starts, I do the following procedure:
a) I call the function session_start();
b) I compare the value of the session variable "$_SESSION['user']", and if its value is equal to "administrator", then I go on and show the user the contents of the database. Else I redirect him back to admin.php.
Now with the above procedure I can ensure that if an invalid user types the URL "www.mypage.com/Myadmin/contents.php", he will be redirected to admin.php and he will never get access to this precious file.
But the serious problem occurs when a valid user, while he is still inside the file contents.php, decides to visit another URL, and afterwards decides to come back to the contents.php page either by typing the path ("www.mypage.com/Myadmin/contents.php") in the URL bar, or by clicking the "Back" button of his browser.
If he does so, then he will get inside contents.php without first being asked and compared for his login name and password. And this is something I want to prevent.
So in a few words, I don't know how to secure my subdomain - Myadmin - or its files from a valid user's moves between this subdomain and other pages.
Could you please help me?
Re: Problem with Security
Posted: Tue Jan 13, 2009 6:22 pm
by it2051229
Unless you have provided a sign-out function to destroy the session... Anyway, I was having a problem with that before; I ended up giving a time for a session where it self-destructs at a given time. By default I think each session has 30 seconds.
Re: Problem with Security
Posted: Wed Jan 14, 2009 2:51 am
by kostasps
it2051229,
Let me first thank you for your answer.
Could you please show me how to achieve this, because I know little about making a session self-destruct after a determined period of time.
Also, I would like to ask you about the session cookies, meaning whether these cookies have an attribute in which we can determine the domains - or subdomains - where these cookies are allowed to be saved.
(I suppose that if a session cookie - in which the session variable $_SESSION['user'] is stored - is allowed to be saved only in the subdomain "www.mypage.com/Myadmin", then when the valid user changes domain or subdomain this cookie shall be destroyed, and so the session variable and its value. Am I right?)
Thank you again
Re: Problem with Security
Posted: Wed Jan 14, 2009 3:34 am
by it2051229
Sessions are stored on the server side and cookies are stored on the client's computer. Sessions and cookies have the ability to self-destruct at a given time and also store data. If you use a cookie, the values inside it can be viewed by the client, so you might not want to store sensitive data in there.
I can't say which one is better to use, but I suggest you read the manual on how to manipulate sessions. Examples are also given, along with other programmers' examples.
http://www.php.net/manual/en/book.session.php
Re: Problem with Security
Posted: Wed Jan 14, 2009 3:49 am
by kostasps
Thank you again for your quick answer.
Well, if I am right, the conclusion is that there is no way to prevent the entrance of a valid user by going back and forward between the subdomain we want to protect and other domains, except if - as you said before - we command the session to self-destruct in a determined time period.
I would like to ask you whether, in the URL you suggest I visit, there is any example of how to make a session self-destruct?
Re: Problem with Security
Posted: Wed Jan 14, 2009 1:21 pm
by kaisellgren
First of all, a subdomain is a kind of prefix like subdomain.domain.com - not - domain.com/subfolder.
kostasps wrote: If he does so, then he will get inside contents.php without first being asked and compared for his login name and password. And this is something I want to prevent.
No he won't. He gets the data of the previous page from the browser cache, he won't get "inside" the contents.php file unless he is authenticated. Forget it, you have worse things to worry about such as session fixations and hijacks.
Re: Problem with Security
Posted: Wed Jan 14, 2009 6:19 pm
by it2051229
Yup, trust the Finland guy. Oh, and yes, the link I gave you is the official website of PHP... of course it has examples (it's a documentation); nobody is ever going to learn PHP without a manual. So as a new learner of PHP, you'll be visiting that link every time you want to learn some features (e.g. session, cookies, string functions, blah blah blah).
Re: Problem with Security
Posted: Wed Jan 21, 2009 3:06 am
by kostasps
Thank you my friends,
I think I figured out a way to protect the precious files of the Myadmin folder from going Forward and then Back.
In each file I set up a new session variable.
For example, in the admin.php file I create the session variable $_SESSION['user'] = "administrator"
In the contents.php file, at the top of the file, I compare this variable with the value "administrator", and if it is not correct I redirect the user back to the admin.php file; else the first thing I do is to make its value empty ($_SESSION['user'] = ""), and then I continue with whatever I want to do.
So if the valid user - while he is inside the contents.php file - pushes the "F5" button or refreshes his browser, or goes somewhere else outside the specific folder, then when he returns he will be forced to be checked for his validity once again in the admin.php file.
I think that is one solution to solve the specific problem. Do you agree?
Re: Problem with Security
Posted: Wed Jan 21, 2009 7:21 am
by kaisellgren
kostasps wrote: Thank you my friends,
I think I figured out a way to protect the precious files of the Myadmin folder from going Forward and then Back.
In each file I set up a new session variable.
For example, in the admin.php file I create the session variable $_SESSION['user'] = "administrator"
In the contents.php file, at the top of the file, I compare this variable with the value "administrator", and if it is not correct I redirect the user back to the admin.php file; else the first thing I do is to make its value empty ($_SESSION['user'] = ""), and then I continue with whatever I want to do.
So if the valid user - while he is inside the contents.php file - pushes the "F5" button or refreshes his browser, or goes somewhere else outside the specific folder, then when he returns he will be forced to be checked for his validity once again in the admin.php file.
I think that is one solution to solve the specific problem. Do you agree?
I honestly think you are overcomplicating things.
Use sessions to determine if the user can be at the admin cp, if he can't, ask for a login.
Use tokens in forms and URL to prevent CSRF attacks.
Whatever you do, some browsers make the 'back' button still work. Why? For example, some browsers cache the admin page to your memory; now if you go to google.com and press Back, the browser does not load the admin page (the PHP file is never called), instead the browser takes the HTML from the memory and displays the same page. This does not mean that this person is inside the admin panel, he just sees the content, because he was on that page earlier and the browser cached it.
You could of course prevent caching with HTTP headers (or HTML tags). However, this does not increase any security. It's just a feature that you could add if you do not want anyone to use back and forward buttons.
Re: Problem with Security
Posted: Wed Jan 21, 2009 8:47 am
by kostasps
kaisellgren, forgive me for insisting on this issue, but I just want to fully clear up this case.
In the first place I agree with you, and I may be overthinking this "Back and Forward" of the valid user.
But I would like you to answer the following question:
Suppose that the valid user enters the admin panel not from his PC but from someone else's, and then he visits, for example, Google and suddenly for some reason leaves without closing the browser.
If someone else sits down after him at the same PC and pushes the "Back" button, then he will see - as you said - the content of the admin panel file that the valid user was in before him.
Now, as you are saying, he will only see what the cache of the browser held. OK, but what if this page has a button like "delete records"?
Will the script that is triggered by this button run or not? (I am asking this because the $_SESSION['user'] variable will already have the valid value "administrator" and will not be null or empty - unless I am wrong.)
Thank you again
Re: Problem with Security
Posted: Wed Jan 21, 2009 11:34 am
by kaisellgren
kostasps wrote: kaisellgren, forgive me for insisting on this issue, but I just want to fully clear up this case.
In the first place I agree with you, and I may be overthinking this "Back and Forward" of the valid user.
But I would like you to answer the following question:
Suppose that the valid user enters the admin panel not from his PC but from someone else's, and then he visits, for example, Google and suddenly for some reason leaves without closing the browser.
If someone else sits down after him at the same PC and pushes the "Back" button, then he will see - as you said - the content of the admin panel file that the valid user was in before him.
Now, as you are saying, he will only see what the cache of the browser held. OK, but what if this page has a button like "delete records"?
Will the script that is triggered by this button run or not? (I am asking this because the $_SESSION['user'] variable will already have the valid value "administrator" and will not be null or empty - unless I am wrong.)
Thank you again
You should make the session expire after a certain amount of inactivity. For example, my current script logs the admin out after 15 minutes of inactivity. Now if this (your demonstration) happens, he will see the page, but pressing any links or buttons on the page will give him a "please login" page.
It's true that a browser could cache your admin page, and even if the session is expired, some trivial information may be leaked.
The solution is to make sure no browser caches the page: use header pragma no cache and HTML meta tags to disable browser caching. Then make the session expire.
Re: Problem with Security
Posted: Thu Jan 22, 2009 4:00 am
by kostasps
kaisellgren,
Thank you for your advice.
I believe that these instructions cover the whole issue.
Could you give me a link where I can find your script that logs the admin out after a specific time period of inactivity?
Re: Problem with Security
Posted: Thu Jan 22, 2009 6:30 am
by kaisellgren
kostasps wrote: kaisellgren,
Thank you for your advice.
I believe that these instructions cover the whole issue.
Could you give me a link where I can find your script that logs the admin out after a specific time period of inactivity?
It's under development and not available at the moment.
If you are using PHP's standard session system, just do something like
Code:
// Record the time of this page load
$_SESSION['last_pageload'] = time();
In front of all ACP pages (after session_start of course and after you have checked (s)he is authenticated). Also, put the following before the above:
Code:
// Refuse the request if the previous page load is too old
if (isset($_SESSION['last_pageload']) && time() - $_SESSION['last_pageload'] > 60*60)
    die('Last pageload was made >= 60 minutes ago');
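The pieces discussed in this thread (session check, inactivity expiry, no-cache headers, a sign-out that destroys the session) put together as an added example; it is not kaisellgren's script and not code from the thread. The file name admin_guard.php, the function names and the 15-minute limit are assumptions.

```php
<?php
// admin_guard.php: hypothetical include for the admin pages (constructed example).
// Function names and IDLE_LIMIT are assumptions, not taken from the thread.

const IDLE_LIMIT = 15 * 60; // seconds of inactivity before a new login is required

// Call in admin.php after session_start() and a successful password check.
function admin_login(): void
{
    session_regenerate_id(true);          // fresh session ID, defeats fixation
    $_SESSION['user'] = 'administrator';
    $_SESSION['last_pageload'] = time();
}

// Sign out: clear server-side data and expire the session cookie.
function admin_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call as the first statement of contents.php and every other protected page,
// including the scripts that handle buttons such as "delete records".
function require_admin(): void
{
    session_start();

    // Ask the browser not to keep a copy that the Back button could show.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');

    $loggedIn = ($_SESSION['user'] ?? '') === 'administrator';
    $idle     = time() - ($_SESSION['last_pageload'] ?? 0);

    // Missing timestamp counts as expired, so the check fails closed.
    if (!$loggedIn || $idle > IDLE_LIMIT) {
        admin_logout();
        header('Location: admin.php');
        exit;
    }
    $_SESSION['last_pageload'] = time();  // activity seen, restart the clock
}
```

Because the check runs on the server for every request, a cached copy of the page shown by the Back button cannot trigger any action once the session has expired or been destroyed.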
Re: Problem with Security
Posted: Thu Jan 22, 2009 7:02 am
by kostasps
Thank you again kaisellgren for your precious help.
I will try it right away and I will inform you.
Thank you again
Re: Problem with Security
Posted: Thu Jan 22, 2009 7:58 am
by kostasps
kaisellgren,
I tried it and I am happy to say that in the first place it works just fine.
Thank you again