Bytes | Software Development & Data Engineering Community
Login system

Hi Group,

I have a site with a MySQL backend. It has a member-system.
Members login with a small login-form that appears on every page
(via include())
If members are logged in, the form disappears and a few extra links
appear instead of the form.

- If members log in, I want to redirect them, if successful, back to
the page they logged in from.
Should I use an extra hidden form-field with the
$_SERVER['request_uri'] or should I use the $_SERVER['http_referer']?

- In both cases, how can I check that the referer is from MY domain?
If users login from http://domain.com/page.php I want to send them
back to that page, and not to http://www.domain.com/page.php and
vice versa.
How do I make sure they come from 1 of my own pages, and it's
accepted WITH and WITHOUT the 'www' prefix?

Thanks for any help!

Greetings Frizzle.

Oct 26 '05 #1
frizzle wrote:
I have a site with a MySQL backend. It has a member-system.
Members login with a small login-form that appears on every page
(via include())
If members are logged in, the form disappears and a few extra links
appear instead of the form.

- If members log in, I want to redirect them, if successful, back to
the page they logged in from.
Should I use an extra hidden form-field with the
$_SERVER['request_uri'] or should I use the $_SERVER['http_referer']?

- In both cases, how can I check that the referer is from MY domain?
If users login from http://domain.com/page.php I want to send them
back to that page, and not to http://www.domain.com/page.php and
vice versa.
How do I make sure they come from 1 of my own pages, and it's
accepted WITH and WITHOUT the 'www' prefix?


In my project (sf.net/projects/phpsecurityadm) I've been using the
REQUEST_URI. If you use the referer, that's the page they came from, so
if they have the login bookmarked, then it will be blank. If they have a
proxy or firewall, that may be blank as well... If you use PHP_SELF,
then a site that uses mod_rewrite or the like would have problems
since it isn't finding what it expects.

Basically, I have this set up in my login form generation:
<?php
// Login form generation: carry the current URI in a hidden field so the
// login handler can send the member back to the page they logged in from.
if (isset($_SERVER['REQUEST_URI'])) {
    $uri = $_SERVER['REQUEST_URI'];
} else {
    // Fallback for servers that do not provide REQUEST_URI
    $uri = $_SERVER['PHP_SELF'];
}
// Escape before placing the value in an HTML attribute: REQUEST_URI is
// taken from the request and would otherwise allow markup injection.
$uri = htmlspecialchars($uri, ENT_QUOTES);
echo ' <form method="post" action="', $uri, '">', "\n",
     ' <fieldset>', "\n",
     ' <input type="hidden" name="PSA_REQ_URI" value="', $uri, '" />', "\n";

This seems to have been working out well for me and other users.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Oct 26 '05 #2
Thanks for the reply!

Reading this, it seems to me, $_SERVER['REQUEST_URI'] isn't always set.
Isn't this a full server-side property?
I'm using mod_rewrite, so the second part of your code wouldn't be very
nice ... :(

Thanks!

Frizzle.

Oct 26 '05 #3
> I have a site with a MySQL backend. It has a member-system.
> Members login with a small login-form that appears on every page
> (via include())
> If members are logged in, the form disappears and a few extra links
> appear instead of the form.
>
> - If members log in, I want to redirect them, if successful, back to
> the page they logged in from.
> Should I use an extra hidden form-field with the
> $_SERVER['request_uri'] or should I use the $_SERVER['http_referer']?

http_referer is sent from the browser, so it can't be trusted.
Also, many people turn it off or send nonsense for it. Some people
may not be able or willing to easily turn it back on for your site.
Use your hidden field. You have much more control over it.

> - In both cases, how can I check that the referer is from MY domain?

Well, if it's just a random link, it probably won't have your hidden
form-field with the place to go back to listed. isset($_PUT['go_back_to'])
might be useful to test this.

> If users login from http://domain.com/page.php I want to send them
> back to that page, and not to http://www.domain.com/page.php and
> vice versa.
> How do I make sure they come from 1 of my own pages, and it's
> accepted WITH and WITHOUT the 'www' prefix?

Parse the URL. If it's www.domain.com, change it to domain.com.
If it's not on a list of domains that are "yours", or not http or
https, or the field is missing entirely, send them to your home
page or someplace default. You could have a complete list of all
acceptable URLs where you have these login forms, but that's probably
too much work and not worth it. Just checking the domain is probably
enough.

Gordon L. Burditt
Oct 26 '05 #4
frizzle wrote:
Thanks for the reply!

Reading this, it seems to me, $_SERVER['REQUEST_URI'] isn't always set.
Isn't this a full server-side property?
I'm using mod_rewrite, so the second part of your code wouldn't be very
nice ... :(


It depends on the server software you are using. For instance, IIS
doesn't have it:

http://koivi.com/apache-iis-php-server-array.php

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Oct 26 '05 #5
@Gordon
I don't completely understand the next part:
"Well, if it's just a random link, it probably won't have your hidden
form-field with the place to go back to listed. isset($_PUT['go_back_to'])
might be useful to test this. "

I understood that I should use the hidden field, but could you please
try to explain (with other words) what you mean with that part?

@Justin,
I have the $_SERVER['REQUEST_URI'] implemented in some parts of the
site already. And it always works AFAIK ...
Could there be certain circumstances on my site that would cause it to
fail?

Thanks a bunch guys!

Frizzle.

Oct 26 '05 #6
frizzle wrote:
@Gordon
I don't completely understand the next part:
"Well, if it's just a random link, it probably won't have your hidden
form-field with the place to go back to listed. isset($_PUT['go_back_to'])
might be useful to test this. "

I understood that I should use the hidden field, but could you please
try to explain (with other words) what you mean with that part?

@Justin,
I have the $_SERVER['REQUEST_URI'] implemented in some parts of the
site already. And it always works AFAIK ...
Could there be certain circumstances on my site that would cause it to
fail?


Sure, if you move the site to a non-apache server... If you don't plan
on moving it, you should be OK since that is an apache environment variable.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Oct 26 '05 #7
I'm definitely not moving the site! :D

Another thought: if the $_SERVER['http_referer'] is quite easy to fake,
would a hidden field with $_SERVER['REQUEST_URI'] be even more easy to
fake?
I'm assuming the members WANT to login. Username & pass are checked
from the DB, so if either referer, username or pass don't match, the
user cannot login (as it is now). Is there anything wrong with this?

Now I'm also using the $_SERVER['http_referer'] for the logout action.
It doesn't contain a form, but only requests a page that destroys some
$_SESSION vars. This way I can send them back to the last page where
they were logged in.

Am I doing something wrong here then?

Frizzle.

Oct 26 '05 #8
> @Gordon
> I don't completely understand the next part:
> "Well, if it's just a random link, it probably won't have your hidden
> form-field with the place to go back to listed. isset($_PUT['go_back_to'])

Oops. That should be isset($_POST['go_back_to']).

> might be useful to test this. "
> I understood that I should use the hidden field, but could you please
> try to explain (with other words) what you mean with that part?

If you have a hidden field in your login form, say:
<input type="hidden" name="go_back_to" value="http://www.domain.com/foo.php">
(the value part will be generated from some variable like
$_SERVER['REQUEST_URI'])

on all of your login pages, then when the user clicks the SUBMIT button,
you will have "http://www.domain.com/foo.php" in $_POST['go_back_to'].
If someone else sets up a non-form link, $_POST['go_back_to'] will
be empty. A quick but unreliable way to test if one of your forms
was used is to test isset($_POST['go_back_to']). This should have
no false negatives (your login forms *ALWAYS* have the hidden field).
There might be false positives. So if that variable isn't set,
it DEFINITELY isn't one of your login forms.

Someone CAN copy the HTML for your login form and set it up on another
server.
> @Justin,
> I have the $_SERVER['REQUEST_URI'] implemented in some parts of the
> site already. And it always works AFAIK ...
> Could there be certain circumstances on my site that would cause it to
> fail?

Gordon L. Burditt
Oct 26 '05 #9
> Another thought: if the $_SERVER['http_referer'] is quite easy to fake,
> would a hidden field with $_SERVER['REQUEST_URI'] be even more easy to
> fake?

Probably not. Someone trying to DELIBERATELY fake is going to
succeed (without trying particularly hard). But many people running
security software, including those that block HTTP_REFERER, block
it without realizing it, and it may be darned inconvenient to NOT
block it. Also, something as simple as bookmarking a page and going
back to it will mess up HTTP_REFERER, and the user doing it may
have no idea why his login didn't work.

Remember, it is always possible for a user to (a) copy your HTML to
another server and edit it all he wants, or (b) manually type in
HTTP requests using telnet (or perhaps more conveniently, using CURL).

> I'm assuming the members WANT to login. Username & pass are checked
> from the DB, so if either referer, username or pass don't match, the
> user cannot login (as it is now). Is there anything wrong with this?

The referer stuff shouldn't be a *security* issue. As you described
it, it's a *convenience*. IMHO, if they give you an invalid referer
(remember, some users can't UNblock it), but a valid username and
password you should pick some reasonable default place to send them
(home page? ok. www.nambla.org? please don't.) after they've
logged in, and send them there. I think it's overly anal-retentive
to refuse a login here. It's much like not letting anyone with a
video display less than 65,000 colors and less than 20/20 vision
see your photographs AT ALL because they don't look their absolute
best, so you subject them to mandatory eye tests.

Why, incidentally, do you even want to refuse to send them back to
the page they logged in from if it's not yours? Sounds like
pretty obnoxious behavior.

> Now I'm also using the $_SERVER['http_referer'] for the logout action.
> It doesn't contain a form, but only requests a page that destroys some
> $_SESSION vars. This way I can send them back to the last page where
> they were logged in.

If you can't send them back to the last page where they were logged
in because the URL looks invalid, pick some place to send them
and send them there. Your home page, perhaps.

Gordon L. Burditt
Oct 26 '05 #10
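Gordon's advice in #4 and #10, put together as an added example that is not code from the thread: parse the target, treat www.domain.com and domain.com as the same site, accept only http/https on a host that is yours, and fall back to a default page instead of refusing the login. It assumes a hidden field named go_back_to, an allowlist supplied by the caller, and PHP 7.1 or later; it also accepts the path-only values that $_SERVER['REQUEST_URI'] produces (which is what a hidden field like Justin's carries) while rejecting scheme-relative ones.

```php
<?php
// Added example, not code from the thread. Validates the post-login return
// target the way Gordon describes. The hidden field name 'go_back_to' and
// the allowlist of "your" domains are assumptions for illustration.

// Return a safe URL to redirect to after a successful login.
//   $target   raw value of the hidden field, e.g. $_POST['go_back_to'] ?? null
//   $ownHosts hostnames that are yours, listed WITHOUT the "www." prefix
//   $default  where to send the user when the target is missing or not yours
function safe_return_url(?string $target, array $ownHosts, string $default = '/'): string
{
    // Missing field: not one of our login forms (the isset() check), use the default.
    if ($target === null || $target === '') {
        return $default;
    }

    // $_SERVER['REQUEST_URI'] yields a path, not a full URL. Accept it only when
    // it is rooted with a single slash: "//host/x" or "/\host/x" would be read
    // by browsers as a scheme-relative URL pointing at a foreign host.
    if ($target[0] === '/') {
        $second = $target[1] ?? '';
        return ($second === '/' || $second === '\\') ? $default : $target;
    }

    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;
    }

    // Only http and https are acceptable schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }

    // Strip a leading "www." so domain.com and www.domain.com both match the list.
    $host = strtolower($parts['host']);
    $bare = preg_replace('/^www\./', '', $host);
    if (!in_array($bare, $ownHosts, true)) {
        return $default;
    }

    // Rebuild the URL from the checked parts (drops any "user@" prefix) while
    // keeping the host exactly as the user reached it, with or without www.
    $url = $parts['scheme'] . '://' . $host;
    if (isset($parts['port'])) {
        $url .= ':' . $parts['port'];
    }
    $url .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

// Usage, once username and password have been checked against the database:
// header('Location: ' . safe_return_url($_POST['go_back_to'] ?? null, ['domain.com']));
// exit;
```

With ['domain.com'] as the allowlist, http://www.domain.com/page.php and http://domain.com/page.php are both returned unchanged, while http://domain.com.example.net/, http://domain.com@other.example/ and a missing field all yield the default.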
