Bytes | Software Development & Data Engineering Community

Login system

Hi Group,

I have a site with a MySQL backend. It has a member-system.
Members login with a small login-form that appears on every page
(via include())
If members are logged in, the form disappears and a few extra links
appear instead of the form.

- If members log in, I want to redirect them, if successful, back to
the page they logged in from.
Should I use an extra hidden form-field with the
$_SERVER['request_uri'] or should I use the $_SERVER['http_referer']?

- In both cases, how can I check that the referer is from MY domain?
If users login from http://domain.com/page.php I want to send them
back to that page, and not to http://www.domain.com/page.php and
vice versa.
How do I make sure they come from 1 of my own pages, and it's
accepted WITH and WITHOUT the 'www' prefix?

Thanks for any help!

Greetings Frizzle.

Oct 26 '05 #1
frizzle wrote:
I have a site with a MySQL backend. It has a member-system.
Members login with a small login-form that appears on every page
(via include())
If members are logged in, the form disappears and a few extra links
appear instead of the form.

- If members log in, I want to redirect them, if successful, back to
the page they logged in from.
Should I use an extra hidden form-field with the
$_SERVER['request_uri'] or should I use the $_SERVER['http_referer']?

- In both cases, how can I check that the referer is from MY domain?
If users login from http://domain.com/page.php I want to send them
back to that page, and not to http://www.domain.com/page.php and
vice versa.
How do I make sure they come from 1 of my own pages, and it's
accepted WITH and WITHOUT the 'www' prefix?


In my project (sf.net/projects/phpsecurityadm) I've been using the
REQUEST_URI. If you use the referer, that's the page they came from, so
if they have the login bookmarked, then it will be blank. If they have a
proxy or firewall, that may be blank as well... If you use PHP_SELF,
then on a site that uses mod_rewrite or the like would have problems
since it isn't finding what it expects.

Basically, I have this set up in my login form generation:
if(isset($_SERVER['REQUEST_URI'])){
    // REQUEST_URI is whatever the visitor asked for, so it must be
    // escaped before it goes into an attribute; otherwise a crafted link
    // to this page could break out of the attribute and inject markup.
    $uri = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8');
    echo ' <form method="post" action="', $uri, '">', "\n",
         ' <fieldset>', "\n",
         ' <input type="hidden" name="PSA_REQ_URI" value="', $uri, '" />', "\n";
}else{
    // PHP_SELF is also derived from the request path, so escape it too.
    $uri = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    echo ' <form method="post" action="', $uri, '">', "\n",
         ' <fieldset>', "\n",
         ' <input type="hidden" name="PSA_REQ_URI" value="', $uri, '" />', "\n";
}

This seems to have been working out well for me and other users.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Oct 26 '05 #2
Thanks for the reply!

Reading this, it seems to me, $_SERVER['REQUEST_URI'] isn't always set.
Isn't this a full server-side property?
I'm using mod_rewrite, so the second part of your code wouldn't be very
nice ... :(

Thanks!

Frizzle.

Oct 26 '05 #3
> I have a site with a MySQL backend. It has a member-system.
> Members login with a small login-form that appears on every page
> (via include())
> If members are logged in, the form disappears and a few extra links
> appear instead of the form.
>
> - If members log in, I want to redirect them, if successful, back to
> the page they logged in from.
> Should I use an extra hidden form-field with the
> $_SERVER['request_uri'] or should I use the $_SERVER['http_referer']?

http_referer is sent from the browser, so it can't be trusted.
Also, many people turn it off or send nonsense for it. Some people
may not be able or willing to easily turn it back on for your site.
Use your hidden field. You have much more control over it.

> - In both cases, how can I check that the referer is from MY domain?

Well, if it's just a random link, it probably won't have your hidden
form-field with the place to go back to listed. isset($_PUT['go_back_to'])
might be useful to test this.

> If users login from http://domain.com/page.php I want to send them
> back to that page, and not to http://www.domain.com/page.php and
> vice versa.
> How do I make sure they come from 1 of my own pages, and it's
> accepted WITH and WITHOUT the 'www' prefix?


Parse the URL. If it's www.domain.com, change it to domain.com.
If it's not on a list of domains that are "yours", or not http or
https, or the field is missing entirely, send them to your home
page or someplace default. You could have a complete list of all
acceptable URLs where you have these login forms, but that's probably
too much work and not worth it. Just checking the domain is probably
enough.

Gordon L. Burditt
Oct 26 '05 #4
frizzle wrote:
Thanks for the reply!

Reading this, it seems to me, $_SERVER['REQUEST_URI'] isn't always set.
Isn't this a full server-side property?
I'm using mod_rewrite, so the second part of your code wouldn't be very
nice ... :(


It depends on the server software you are using. For instance, IIS
doesn't have it:

http://koivi.com/apache-iis-php-server-array.php

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Oct 26 '05 #5
@Gordon
I don't completely understand the next part:
"Well, if it's just a random link, it probably won't have your hidden
form-field with the place to go back to listed. isset($_PUT['go_back_to'])
might be useful to test this. "

I understood that I should use the hidden field, but could you please
try to explain (in other words) what you mean by that part?

@Justin,
I have the $_SERVER['REQUEST_URI'] implemented in some parts of the
site already. And it always works AFAIK ...
Could there be certain circumstances on my site that would make it
fail?

Thanks a bunch guys!

Frizzle.

Oct 26 '05 #6
frizzle wrote:
@Gordon
I don't completely understand the next part:
"Well, if it's just a random link, it probably won't have your hidden
form-field with the place to go back to listed. isset($_PUT['go_back_to'])
might be useful to test this. "


I understood that I should use the hidden field, but could you please
try to explain (in other words) what you mean by that part?

@Justin,
I have the $_SERVER['REQUEST_URI'] implemented in some parts of the
site already. And it always works AFAIK ...
Could there be certain circumstances on my site that would make it
fail?


Sure, if you move the site to a non-apache server... If you don't plan
on moving it, you should be OK since that is an apache environment variable.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Oct 26 '05 #7
I'm definitely not moving the site! :D

Another thought: if the $_SERVER['http_referer'] is quite easy to fake,
would a hidden field with $_SERVER['REQUEST_URI'] be even more easy to
fake?
I'm assuming the members WANT to login. Username & pass are checked
from the DB, so if either referer, username or pass don't match, the
user cannot login (as it is now). Is there anything wrong with this?

Now I'm also using the $_SERVER['http_referer'] for the logout action.
It doesn't contain a form, but only requests a page that destroys some
$_SESSION vars. This way I can send them back to the last page where
they were logged in.

Am I doing something wrong here then?

Frizzle.

Oct 26 '05 #8
> @Gordon
> I don't completely understand the next part:
> "Well, if it's just a random link, it probably won't have your hidden
> form-field with the place to go back to listed. isset($_PUT['go_back_to'])

Oops. That should be isset($_POST['go_back_to']).

> might be useful to test this. "
>
> I understood that I should use the hidden field, but could you please
> try to explain (in other words) what you mean by that part?


If you have a hidden field in your login form, say:
<input type="hidden" name="go_back_to" value="http://www.domain.com/foo.php">
(the value part will be generated from some variable like
$_SERVER['REQUEST_URI'])

on all of your login pages, then when the user clicks the SUBMIT button,
you will have "http://www.domain.com/foo.php" in $_POST['go_back_to'].
If someone else sets up a non-form link, $_POST['go_back_to'] will
be empty. A quick but unreliable way to test if one of your forms
was used is to test isset($_POST['go_back_to']). This should have
no false negatives (your login forms *ALWAYS* have the hidden field).
There might be false positives. So if that variable isn't set,
it DEFINITELY isn't one of your login forms.

Someone CAN copy the HTML for your login form and set it up on another
server.
> @Justin,
> I have the $_SERVER['REQUEST_URI'] implemented in some parts of the
> site already. And it always works AFAIK ...
> Could there be certain circumstances on my site that would make it
> fail?


Gordon L. Burditt
Oct 26 '05 #9
> Another thought: if the $_SERVER['http_referer'] is quite easy to fake,
> would a hidden field with $_SERVER['REQUEST_URI'] be even more easy to
> fake?

Probably not. Someone trying to DELIBERATELY fake is going to
succeed (without trying particularly hard). But many people running
security software, including those that block HTTP_REFERER, block
it without realizing it, and it may be darned inconvenient to NOT
block it. Also, something as simple as bookmarking a page and going
back to it will mess up HTTP_REFERER, and the user doing it may
have no idea why his login didn't work.

Remember, it is always possible for a user to (a) copy your HTML to
another server and edit it all he wants, or (b) manually type in
HTTP requests using telnet (or perhaps more conveniently, using CURL).

> I'm assuming the members WANT to login. Username & pass are checked
> from the DB, so if either referer, username or pass don't match, the
> user cannot login (as it is now). Is there anything wrong with this?

The referer stuff shouldn't be a *security* issue. As you described
it, it's a *convenience*. IMHO, if they give you an invalid referer
(remember, some users can't UNblock it), but a valid username and
password you should pick some reasonable default place to send them
(home page? ok. www.nambla.org? please don't.) after they've
logged in, and send them there. I think it's overly anal-retentive
to refuse a login here. It's much like not letting anyone with a
video display less than 65,000 colors and less than 20/20 vision
see your photographs AT ALL because they don't look their absolute
best, so you subject them to mandatory eye tests.

Why, incidentally, do you even want to refuse to send them back to
the page they logged in from if it's not yours? Sounds like
pretty obnoxious behavior.

> Now I'm also using the $_SERVER['http_referer'] for the logout action.
> It doesn't contain a form, but only requests a page that destroys some
> $_SESSION vars. This way I can send them back to the last page where
> they were logged in.


If you can't send them back to the last page where they were logged
in because the URL looks invalid, pick some place to send them
and send them there. Your home page, perhaps.

Gordon L. Burditt
Oct 26 '05 #10
Ok, thanks for the explanation, this is quite what I had in mind as an
alternative.
Now I have only 1 question left: how do I handle the Logout-action,
which is just started with a link, not a form. Should I then check for
a referer, and if it's not set, send them to the home page?

What do you guys reckon?

Thanks anyway, this has made me a lot more confident about my
situation.

Frizzle.

Oct 26 '05 #11
> Ok, thanks for the explanation, this is quite what I had in mind as an
> alternative.
> Now I have only 1 question left: how do I handle the Logout-action,
> which is just started with a link, not a form. Should I then check for
> a referer, and if it's not set, send them to the home page?


Where do you want to send them after they log out? To the page
they came from when they logged *IN*? In that case, you take the
hidden form variable saved from when they logged in (saved in
$_SESSION, probably), and send them there. You can't use referer
here as they've likely been through several pages on your site while
logged in.

To the page where they clicked on LOGOUT? This doesn't seem very
logical to me. You could use referer for this, if it exists.
There's not a lot of incentive to fake it. If they want to go
elsewhere, they can click on HOME on the browser, or a bookmark,
or whatever.

Gordon L. Burditt
Oct 26 '05 #12
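The handling that Gordon describes across his replies, as an added example that is not code from anyone in this thread: parse the return address and accept only http/https URLs on your own host with or without the 'www' prefix (#4), read the address from a hidden go_back_to field filled from $_SERVER['REQUEST_URI'] (#9), fall back to the home page instead of refusing the login when the field is missing or points elsewhere (#10), and keep the validated address in $_SESSION so the logout link can use it rather than the referer (#12). Everything named here is an assumption for the example: $OWN_HOSTS, $HOME_URL, render_return_field(), safe_return_url(), handle_login(), handle_logout(), and the $authenticated flag, which stands for the site's existing username/password check against MySQL. It is written for current PHP (7.1 or later).

```php
<?php
// Added example, not code from the thread. Assumed names: $OWN_HOSTS, $HOME_URL,
// render_return_field(), safe_return_url(), handle_login(), handle_logout().
// The username/password check against the database is the site's own and is
// represented here only by the $authenticated argument of handle_login().

$OWN_HOSTS = ['domain.com'];   // placeholder: your hostname(s), WITHOUT the www. prefix
$HOME_URL  = '/';              // where to send people when no safe address is known

/** The hidden field for the login form; escaped, because REQUEST_URI is chosen by whoever built the link. */
function render_return_field(): string
{
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    return '<input type="hidden" name="go_back_to" value="'
         . htmlspecialchars($uri, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Return a safe redirect target derived from $candidate (the hidden field), or
 * $default when the candidate is missing, malformed, not http/https, or points
 * at a host that is not ours. The www. prefix is ignored when hosts are compared,
 * so http://domain.com/page.php and http://www.domain.com/page.php are both
 * accepted and returned unchanged, which is what the thread asks for.
 */
function safe_return_url(?string $candidate, array $own_hosts, string $default): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // REQUEST_URI is a server-relative path such as "/page.php?id=3". Accept that
    // form directly, but not "//host" or "/\host": browsers treat those as a
    // protocol-relative URL pointing at another site.
    if ($candidate[0] === '/') {
        return preg_match('#^/[/\\\\]#', $candidate) ? $default : $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;          // "javascript:...", "evil.example/x", garbage
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default;
    }
    $host = strtolower($parts['host']);
    if (strncmp($host, 'www.', 4) === 0) {
        $host = substr($host, 4); // treat www.domain.com and domain.com alike
    }
    // Exact match only: "domain.com.evil.example" or "http://domain.com@evil.example/"
    // (parse_url puts the real host of the latter in 'host') must not pass.
    return in_array($host, $own_hosts, true) ? $candidate : $default;
}

/** Login handler, called after the site's own username/password check. */
function handle_login(bool $authenticated, string $username, array $own_hosts, string $home): void
{
    if (!$authenticated) {
        // Wrong credentials are the only reason to refuse the login. A missing or
        // foreign go_back_to value is a convenience problem, not a security one,
        // and only changes where the user lands afterwards.
        header('Location: ' . $home . '?login=failed', true, 303);
        exit;
    }
    session_start();
    session_regenerate_id(true);            // fresh session id once the user is logged in
    $dest = safe_return_url($_POST['go_back_to'] ?? null, $own_hosts, $home);
    $_SESSION['user']       = $username;
    $_SESSION['login_page'] = $dest;        // remembered for logout
    header('Location: ' . $dest, true, 303);
    exit;
}

/**
 * Logout handler, reached by a plain link, so there is no hidden field. The
 * destination is the page they logged in from, taken from the session (stored
 * and validated at login), not from HTTP_REFERER, which browsers may omit or fake.
 */
function handle_logout(string $home): void
{
    session_start();
    $dest = $_SESSION['login_page'] ?? $home;
    $_SESSION = [];                         // drop the user data...
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();   // ...and expire the session cookie in the browser
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $dest, true, 303);
    exit;
}
```

In the page that builds the login form, echo render_return_field() inside the form; in the script the form posts to, call handle_login() with the result of the credential check; logout.php just calls handle_logout($HOME_URL). The check is deliberately an exact host match against an allow-list rather than a substring test, since "domain.com" appearing somewhere in a URL says nothing about where it leads.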
Why would you consider it illogical to redirect them to the page before
they logout?
My opinion is that you should never redirect users to pages they don't
expect, let them decide where they want to go ...

Why would you redirect them to the page where they logged in?
They might even 'not remember' they've been there ...

Frizzle.

Oct 26 '05 #13
> Why would you consider it illogical to redirect them to the page before
> they logout?

Because it is likely to contain meaningless or no data unless they
are logged in, as the page is intended to be used by logged-in users
and presumably has user-specific data on it. Also, they probably
aren't supposed to be able to get there if they are not logged in.

> My opinion is that you should never redirect users to pages they don't
> expect, let them decide where they want to go ...
>
> Why would you redirect them to the page where they logged in?
> They might even 'not remember' they've been there ...


So they could log in again, possibly as a different user? You've
gotta send them *somewhere* and this is at least a page they've
been to before and it doesn't require them to be already logged in.

Gordon L. Burditt
Oct 26 '05 #14
Ok, thanks. I get your point.

There are pages that show EXTRA info for
logged-in people, other ones are only
accessible for logged-in people.

I'll probably make a page, telling
them the page is only viewable once
logged in. This way, it also looks better
when someone visits the page from the
browser's history...

Thanks for your help guys!

Frizzle.

Oct 27 '05 #15
