I'm making a web site that does login authentication.
It all works fine, but I have a question about 'correctness'...
Certain php scripts on the site should only run if the user has logged
on. So, the 'private' scripts in question all include the following php
script:
<?php
// has user authenticated?
if (! $logged_in) {
    $newPath = 'login.php';
    echo "<html><head><meta http-equiv=\"REFRESH\" content=\"3; url=$newPath\"></head>";
    echo "<body>You can't access this page without logging in!<p>Redirecting to the <a href=\"$newPath\">login page</a> in 3 seconds.</body></html>";
    // exit php so that no more content gets output!
    // (must sit inside the if, otherwise logged-in users get nothing either)
    exit(0);
}
?>
As you can see, if the user is not logged on, we output an http refresh
to redirect the user's browser to the login screen. It works fine, but my
main question is about the trick of calling exit(0) at the end, which is
required to stop the php script that includes the above code from
outputting any of its content (which is 'secret' from unauthenticated
users.)
Is calling exit(0) ok to this end? Is it considered a dirty hacky way of
doing it? It does the job, but I'm just wondering if there is a nicer
way of doing it I should be using.
thanks
alex
"Alex Hunsley" wrote:
> Is calling exit(0) ok to this end? Is it considered a dirty hacky way of doing it? It does the job, but I'm just wondering if there is a nicer way of doing it I should be using.
I believe the content produced to that point would still be output,
unless you cache the content (see ob_start, ob_get_contents, etc. in
the manual).
But why wait 3 seconds? You could simply redirect to
"login.php?msg=1" and if login.php has a $_GET['msg'] == 1 then print
the message that they have to login first, and following it show the
normal login boxes.
-- Posted via http://www.dbForumz.com/ (topic URL: http://www.dbForumz.com/PHP-correct-...ict133077.html)
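What steve describes, written out as an added example (not the original poster's code and not anything posted in the thread): a guard include that buffers output so anything already printed can be discarded, redirects with a Location header instead of a three-second meta refresh, and exits from inside the included file. The file name auth_guard.php, the session key 'user_id' and PHP 7.1+ are assumptions. It is meant to be the first line of each private page, before any HTML, via `require __DIR__ . '/auth_guard.php';`.

```php
<?php
// auth_guard.php: added example, not the code from the thread.  File name,
// the 'user_id' session key and PHP 7.1+ are assumptions.
//
// Two points from the discussion:
//  1. Anything echoed before the check has already been handed to PHP's
//     output layer.  ob_start() collects it so ob_end_clean() can throw it
//     away when the visitor turns out to be anonymous.
//  2. An included file cannot wrap its includer in if/else, so exit() after
//     the redirect is what stops the including page from printing anything.

session_start();

// From here on, everything the page prints goes into a buffer instead of
// being flushed, so it can still be discarded.
ob_start();

function require_login(string $login_url = 'login.php'): void
{
    if (!empty($_SESSION['user_id'])) {
        return;                      // authenticated: the page carries on
    }

    // Throw away anything already buffered so no fragment of the page leaks.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    // A real redirect rather than a meta refresh: the response body is empty
    // and the browser goes straight to the login form.
    header('Location: ' . $login_url . '?msg=1', true, 302);

    // Terminates the script that included this file, not just this function.
    exit;
}

require_login();

// Reached only for authenticated users.  The buffer opened above is flushed
// automatically when the including page finishes.
```

The guard must be the first thing the page executes: output emitted before `ob_start()` runs (a stray byte before `<?php`, for instance) has already been sent, and `header()` would then fail with "headers already sent".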
>As you can see, if the user is not logged on, we output an http refresh to redirect the users browser to the login screen. It works fine, but my main question is about the trick of calling exit(0) at the end, which is required to stop the php script that includes the above code from outputting any of its content (which is 'secret' from unauthenticated users.) Is calling exit(0) ok to this end? Is it considered a dirty hacky way of doing it? It does the job, but I'm just wondering if there is a nicer way of doing it I should be using.
From the point of view of structured programming, it might be
better to do:
<?php
if (! $logged_in) {
... output a redirect page ...
} else {
... output the content ...
}
?>
However, there is a risk that if someone adds stuff on the end,
they might put it after the last brace, and output it to the
unauthorized users also.
Gordon L. Burditt
Gordon Burditt wrote:
> From the point of view of structured programming, it might be better to do:
> <?php if (! $logged_in) { ... output a redirect page ... } else { ... output the content ... } ?>
> However, there is a risk that if someone adds stuff on the end, they might put it after the last brace, and output it to the unauthorized users also.
I would not pass logged_in as a plain text variable, make it a session id or
some other unique, per user and verifiable piece of data. If it is a simple
Y/N/1/0 then all I have to do is add that to a URL and I am in.
--
Michael Austin.
Consultant - Available.
Donations welcomed. http://www.firstdbasource.com/donations.html
:)
steve wrote:
> I believe the content produced to that point would still be output, unless you cache the content (see ob_start, ob_get_contents, etc. in the manual).

Yup, it does get output.

> But why wait 3 seconds? You could simply redirect to "login.php?msg=1" and if login.php has a $_GET['msg'] == 1 then print the message that they have to login first, and following it show the normal login boxes.
This is actually what my code already does, but I simplified the code I
posted! The login form also has a hidden form value that holds the
original URL, and if the user logs in successfully they are sent on back
to the original page.
alex
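A hidden form field that carries the original URL comes back from the client, so the value login.php redirects to is attacker-controlled. The usual check is that it stays a local path; the following is an added example (not alex's code) of that check, with the field name return_to and PHP 7.1+ as assumptions.

```php
<?php
// Added example, not the code from the thread: validating the URL that the
// login form round-trips in a hidden field before redirecting to it.
// Field name 'return_to' and PHP 7.1+ are assumptions.

// Return a safe local path to redirect to, or $fallback if the supplied
// value points anywhere else.
function safe_return_url(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Must be a single-slash-rooted path.  This rejects "http://evil.example",
    // "//evil.example" (protocol-relative) and "/\evil.example" (browsers
    // treat the backslash as a second slash).
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $fallback;
    }
    // No CR/LF: a raw newline inside a Location value is header injection.
    if (preg_match('/[\r\n]/', $candidate)) {
        return $fallback;
    }
    // Belt and braces: anything parse_url sees a scheme or host in is out.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// Emitting the hidden field: the value is echoed back into HTML, so escape it
// or a crafted URL can break out of the attribute.
function hidden_return_field(string $url): string
{
    return '<input type="hidden" name="return_to" value="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Self-check on constructed inputs: expected result for each candidate.
$cases = [
    '/members/index.php?tab=2'  => '/members/index.php?tab=2',
    'http://evil.example/phish' => '/',
    '//evil.example/phish'      => '/',
    '/\\evil.example'           => '/',
    "/ok\r\nSet-Cookie: x=1"    => '/',
    ''                          => '/',
];
foreach ($cases as $in => $want) {
    if (safe_return_url($in) !== $want) {
        fwrite(STDERR, 'unexpected result for ' . var_export($in, true) . "\n");
        exit(1);
    }
}
echo hidden_return_field('/members/index.php?tab=2&x="y"'), "\n";
echo "self-check passed\n";
```

Keeping the original URL in the server-side session instead of a hidden field avoids trusting the client at all; if it has to travel through the form, the check above is what keeps the login page from becoming an open redirect.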
Michael Austin wrote:
> Gordon Burditt wrote:
>> From the point of view of structured programming, it might be better to do:
>> <?php if (! $logged_in) { ... output a redirect page ... } else { ... output the content ... } ?>
>> However, there is a risk that if someone adds stuff on the end, they might put it after the last brace, and output it to the unauthorized users also.
This was the original approach. However, since my checking code that I
originally posted is in another file which gets included at the top of
each script that is 'private', the if { } else { } part can't really be
done in that situation.
> I would not pass logged_in as a plain text variable, make it a session id or some other unique, per user and verifiable piece of data. If it is a simple Y/N/1/0 then all I have to do is add that to a URL and I am in.
logged_in isn't a passed in cgi variable, it is set according to the
user having a cookie already set, so they can't just mung the url to cheat!
alex
> logged_in isn't a passed in cgi variable, it is set according to the user having a cookie already set, so they can't just mung the url to
> cheat!
Additionally, an attacker would need to know the variable names used in the
script to be able to pass them as arguments in the URL.
Aidan wrote:
>> logged_in isn't a passed in cgi variable, it is set according to the user having a cookie already set, so they can't just mung the url to cheat!
> Additionally, an attacker would need to know the variable names used in the script to be able to pass them as arguments in the URL.
Yup! This variable $logged_in is never passed to the client side, so
they have no way of knowing it is there or is checked.
And even when I *do* try to pass in a cgi var, e.g. ?logged_in=true, it
doesn't work, since the script overwrites the value with its own value
based on cookies being present and authentic.
alex
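Michael's point about a "verifiable piece of data" and alex's reply that $logged_in is derived from cookies that are "present and authentic" both hinge on what authentic means for a cookie. The following is an added example, not code from the thread: a cookie that carries the verdict ("logged_in=1") is forgeable by any client, while a cookie carrying a user id plus an HMAC keyed with a server-side secret is not. COOKIE_SECRET, the cookie layout and PHP 7.1+ are assumptions.

```php
<?php
// Added example, not code from the thread.  COOKIE_SECRET, the cookie layout
// (user|expiry|hmac) and PHP 7.1+ are assumptions.

// Weak: the cookie carries the verdict itself, so any client can send
// "logged_in=1", exactly as it could add ?logged_in=1 to a URL.
function logged_in_weak(array $cookies): bool
{
    return isset($cookies['logged_in']) && $cookies['logged_in'] === '1';
}

// Stronger: the cookie carries a user id, an expiry and an HMAC over both,
// keyed with a secret only the server knows.  Without the key the client
// cannot produce a valid tag for a user id it did not legitimately receive.
// In production load this from configuration, generated with random_bytes(32).
const COOKIE_SECRET = 'example-secret-do-not-use-in-production';

function make_auth_cookie(string $user_id, int $expires_at): string
{
    $payload = $user_id . '|' . $expires_at;
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_SECRET);
}

// Returns the user id if the cookie is authentic and unexpired, else null.
function verify_auth_cookie(?string $cookie, int $now): ?string
{
    if ($cookie === null) {
        return null;
    }
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user_id, $expires_at, $tag] = $parts;
    if ($user_id === '' || !ctype_digit($expires_at) || (int) $expires_at < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $user_id . '|' . $expires_at, COOKIE_SECRET);
    // Constant-time comparison: an early-exit string compare would leak how
    // much of a guessed tag was right.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    return $user_id;
}

// What a guard include would call to set its $logged_in equivalent.
function current_user(array $cookies, int $now): ?string
{
    return verify_auth_cookie($cookies['auth'] ?? null, $now);
}

// Self-check on constructed cookies.
$now      = 1700000000;
$good     = make_auth_cookie('alice', $now + 3600);
$expired  = make_auth_cookie('alice', $now - 1);
$tampered = str_replace('alice', 'admin', $good);          // valid tag, wrong id
$forged   = 'mallory|' . ($now + 3600) . '|' . str_repeat('0', 64);

$ok = current_user(['auth' => $good], $now) === 'alice'
   && current_user(['auth' => $expired], $now) === null
   && current_user(['auth' => $tampered], $now) === null
   && current_user(['auth' => $forged], $now) === null
   && current_user([], $now) === null
   && logged_in_weak(['logged_in' => '1']);                // forgeable by anyone
echo $ok ? "self-check passed\n" : "self-check FAILED\n";
exit($ok ? 0 : 1);
```

A server-side session id, as Michael suggests, is the other common answer: the cookie then holds only a random identifier and the verdict lives on the server. Either way the property is the same, the client cannot manufacture a value that the guard will accept.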