Securing multiple pages

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Securing multiple pages

Post by social_experiment »

“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Securing multiple pages

Post by social_experiment »

:) At the start and till you find an answer
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: Securing multiple pages

Post by shehan31 »

Hi Social;
I have tried this but it still does not give me the answer. In my auth page I have set the session variable and opened a session.
In the auth page
-------------------
session_start();
$_SESSION['lia'] = "$username";
//and this redirects to a home page which consists of a number of sub pages under tabs (like buttons; when you click one it will redirect to another page).
------------
In my home page and in other pages.
-------------------
session_start();
if((!$_SESSION['lia'])){

header( 'Location: http://localhost/guestbook/useradd.php' ) ;//this is my auth page
}
else{
///the code
}
session_destroy();
--------------------
*** When I click on other tabs which are inside my home page, it redirects to the auth page. That is not what I want. What I want is that it should be accepted inside the home page and should not be accepted if the outside world tries to access it.

Regards
Shehan31
social_experiment wrote: Yes, that is referred to as an 'auth' page (unofficially, probably). You set some session variables when you log in and then the 'auth' page checks if these values are set each time a 'protected' page is accessed. If the conditions are not met, the user is probably NOT logged in and trying to access the pages incorrectly and invalidly, and they are redirected to a page of your choice.

Code: Select all

<?php
session_start();

// Treat the visitor as logged out unless both session values are set
// and member_id is not an empty string.
if ( !isset($_SESSION['member_id']) || trim($_SESSION['member_id']) == '' || !isset($_SESSION['member_name']) ) {
    unset($_SESSION['member_id']);
    unset($_SESSION['member_name']);
    header("location: somepage.php");
    session_destroy();
    exit();
}
?>
Hth
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Securing multiple pages

Post by social_experiment »

The code that you have on the other pages (home, etc) should be inside the 'auth' page. The reason for this is that you include this page so you don't have to write your check at the top of each page.

Code: Select all

<?php
session_start();
if (!isset($_SESSION['your_variable'])) {
 header('location: login_page.php');
 exit();
}
?>
This is an example of the auth page. You then include it on all your other pages

Code: Select all

<?php include_once('auth.php'); ?>

Code: Select all

<?php $_SESSION['lia'] = "$username"; ?>
Setting of session variables should be done when authentication is completed.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
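
An added example, not code from any poster in this thread: an `auth.php` that keeps the include-based check described above but separates login, guard and logout. `session_destroy()` appears only in the logout path, because calling it at the bottom of every page (as in the home-page snippet earlier in the thread) discards `$_SESSION['lia']` before the next request arrives. The function names are hypothetical; the session key `lia` and the `useradd.php` login page are taken from the thread.

```php
<?php
// auth.php (added example): include this at the top of every protected page.
// Assumptions: function names are hypothetical; 'lia' and 'useradd.php'
// come from the thread. Needs PHP 7.3+ for the array form of cookie params.

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Keep the session cookie away from scripts and cross-site requests.
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// Call once, and only after the credentials have been verified.
function complete_login(string $username): void
{
    start_session();
    session_regenerate_id(true);   // fresh session ID after login (session fixation defence)
    $_SESSION['lia'] = $username;
}

// Guard: returns the logged-in user name, or redirects and stops the script.
function require_login(string $loginUrl = 'useradd.php'): string
{
    start_session();
    $user = $_SESSION['lia'] ?? null;
    if (!is_string($user) || trim($user) === '') {
        header('Location: ' . $loginUrl);
        exit;                      // without exit, the protected page still runs
    }
    return $user;
}

// Only the logout page ends the session.
function logout(): void
{
    start_session();
    $_SESSION = [];
    session_destroy();
}
```

A protected page then starts with `require_once 'auth.php'; $user = require_login();` and never calls `session_destroy()` itself.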
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: Securing multiple pages

Post by shehan31 »

HI social;
Thank you for the reply. It isn't possible to include all the codes inside this auth.php page because they are big and I've got the feeling that all the five codes will be displayed in one page. So it will make a mess.
social_experiment wrote: Thank you for your support. The code that you have on the other pages (home, etc) should be inside the 'auth' page. The reason for this is that you include this page so you don't have to write your check at the top of each page.

Code: Select all

<?php include_once('auth.php'); ?>
Without this the page still redirects to the auth page. The only problem is that after the login using auth.php, it still redirects to login.php even if I click another page which is inside the home page. I am running out of thoughts. :banghead:
Regards
Shehan31

fbatalha
Forum Newbie
Posts: 5
Joined: Tue Feb 08, 2011 9:41 am

Re: Securing multiple pages

Post by fbatalha »

Hello,
isn't the mentioned code vulnerable to SQL injection?

Code: Select all

$username = $_POST['username'];
$password = $_POST['password'];
         
$sql = mysql_query("SELECT * FROM login WHERE user='$username' AND password='$password'") or die(" error with table");
Regards.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Securing multiple pages

Post by social_experiment »

Yes, mysql_real_escape_string() should always be used when accepting user input into a SQL query.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
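
An added example, not code from any poster in this thread: the login lookup quoted above, rewritten with a PDO prepared statement so the user name never becomes part of the SQL text. It goes beyond the thread by checking the password with `password_verify()` against a stored hash instead of comparing it inside the query. The `mysql_*` functions were removed in PHP 7.0, so escaping with `mysql_real_escape_string()` is only available on older installations. Assumptions: the table and column names follow the quoted query; the in-memory SQLite database (requires `pdo_sqlite`), the sample account and the function name are constructed for illustration.

```php
<?php
// Added example. Table 'login' and columns 'user'/'password' follow the query
// quoted in the thread; everything else here is constructed for illustration.

function check_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password FROM login WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $hash = $stmt->fetchColumn();          // false when no such user exists

    // Compare against a stored hash rather than putting the password in the query.
    return is_string($hash) && password_verify($password, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (user TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample account.
$ins = $db->prepare('INSERT INTO login (user, password) VALUES (:u, :p)');
$ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: the third carries a stray quote character, which would
// alter a string-built query but is treated purely as data here.
$cases = [
    ['alice',  'correct horse'],
    ['alice',  'wrong'],
    ["alice'", 'correct horse'],
];
foreach ($cases as [$u, $p]) {
    printf("%-8s => %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```

Only the first case is accepted; the other two are rejected without a SQL error.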
shehan31
Forum Commoner
Posts: 59
Joined: Sun Aug 29, 2010 5:24 am

Re: Securing multiple pages

Post by shehan31 »

Can someone help to sort out this matter?
:banghead:
social_experiment wrote:Yes, mysql_real_escape_string() should always be used when accepting user input into a SQL query.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Securing multiple pages

Post by Mordred »

Read my article and try the examples to see for yourself:

http://www.webappsec.org/projects/articles/091007.shtml
sankha.icraft
Forum Newbie
Posts: 2
Joined: Tue Feb 22, 2011 7:33 am
Location: Kolkata

Re: Securing multiple pages

Post by sankha.icraft »

The discussion really helped me.

Thanks.