How to build a web application the right way

I am looking into building a web application and one of the things I
want to do is to make sure the user is logged in. I know I can do this
by checking the session for a user object or something similar. Is
there a best practice for this? Currently what I do is have each page
include a check session include file.

Dec 28 '06 #1
I struggled with this too. I wanted my customer, the owner of the
webpage, to have the ability to run utilities to maintain his page's
database but prevent anyone from even accidentally running any of the
PHP utility scripts. It was more challenging considering the owner
might run these utilities from anywhere, like a public internet cafe.

I could have used a login and password but that can be picked up
en route since we were not using https. I finally decided to display a
simple, random puzzle that only the customer knew how to solve. If the
answer he typed matched the answer sitting on the server, a session key
was set and he was free to use any of the utilities until he closed the
browser. Anyone coming along and perhaps reviewing the URL history
(e.g., http://www....com/deleterecord.php?id=101) would get an error
message if they tried to run them.

Write me for details.

Anthony Smith wrote:
> I am looking into building a web application and one of the things I
> want to do is to make sure the user is logged in. I know I can do this
> by checking the session for a user object or something similar. Is
> there a best practice for this? Currently what I do is have each page
> include a check session include file.
Dec 29 '06 #2
Anthony Smith wrote:
> I am looking into building a web application and one of the things I
> want to do is to make sure the user is logged in. I know I can do this
> by checking the session for a user object or something similar. Is
> there a best practice for this? Currently what I do is have each page
> include a check session include file.
Yep, that's what I do.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Dec 29 '06 #3
On 28 Dec 2006 12:06:53 -0800, "Anthony Smith" <mr******@hotmail.com>
wrote:
> there a best practice for this? Currently what I do is have each page
> include a check session include file.
From what I read, this is how it should be done. Put the check in a
file, and include it first thing in all the pages.
Dec 29 '06 #4


On Dec 29, 6:26 am, Vincent Delporte <just...@acme.com> wrote:
> On 28 Dec 2006 12:06:53 -0800, "Anthony Smith" <mrsmi...@hotmail.com>
> wrote:
> > there a best practice for this? Currently what I do is have each page
> > include a check session include file.
> From what I read, this is how it should be done. Put the check in a
> file, and include it first thing in all the pages.
And to take it to the next step you include their remote address as
part of their session check (md5 with ip and user name or something to
mix it up) so if someone were to intercept your session and try to take
over, the change in client IP (during the session) would void the
access.

Another thing would be to put a time limit on the current session
access (a session var with expiration time) so if some bad guy got in
from a user abandoning a terminal with a live connection it would time
out regardless. (or/also maybe have a re-verification for
sensitive/delete/admin parts just to make sure) Just depends on how
paranoid you want to be.

Dec 29 '06 #5
la***@portcommodore.com wrote:
> On Dec 29, 6:26 am, Vincent Delporte <just...@acme.com> wrote:
> > On 28 Dec 2006 12:06:53 -0800, "Anthony Smith" <mrsmi...@hotmail.com>
> > wrote:
> > > there a best practice for this? Currently what I do is have each page
> > > include a check session include file.
> > From what I read, this is how it should be done. Put the check in a
> > file, and include it first thing in all the pages.
>
> And to take it to the next step you include their remote address as
> part of their session check (md5 with ip and user name or something to
> mix it up) so if someone were to intercept your session and try to take
> over, the change in client IP (during the session) would void the
> access.
VERY BAD IDEA!

First of all, there are providers like AOL who have multiple servers.
Every time a user accesses the page they may come in on a different IP
address.

And many companies have one server for the entire company (or at least a
site). Anyone coming into your site would be coming from the same IP
address. Since the two most likely places to intercept the packets are
on either end of the link and you know your server's end is secure (or
at least hope it is), this provides no protection whatsoever. Worse, it
bugs some users while providing a false sense of security for others.

> Another thing would be to put a time limit on the current session
> access (a session var with expiration time) so if some bad guy got in
> from a user abandoning a terminal with a live connection it would time
> out regardless. (or/also maybe have a re-verification for
> sensitive/delete/admin parts just to make sure) Just depends on how
> paranoid you want to be.
This is a good idea. But then if someone stupidly leaves a computer
signed on in a public place, there is a limit to how much you can do
without hassling all of the other users of your site.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Dec 30 '06 #6

Jerry Stuckle wrote:
> VERY BAD IDEA!
>
> First of all, there are providers like AOL who have multiple servers.
> Every time a user accesses the page they may come in on a different IP
> address.
>
> And many companies have one server for the entire company (or at least a
> site). Anyone coming into your site would be coming from the same IP
> address. Since the two most likely places to intercept the packets are
> on either end of the link and you know your server's end is secure (or
> at least hope it is), this provides no protection whatsoever. Worse, it
> bugs some users while providing a false sense of security for others.
Interesting, I didn't realize that the IP address could change for some
users in the middle of a session; thanks. (I had got the tip from
another page a while back; guess it wasn't that great of a resource.)

I guess there isn't a good verification method of "you are still you"
without user intervention then?

> > Another thing would be to put a time limit on the current session
> > access (a session var with expiration time) so if some bad guy got in
> > from a user abandoning a terminal with a live connection it would time
> > out regardless. (or/also maybe have a re-verification for
> > sensitive/delete/admin parts just to make sure) Just depends on how
> > paranoid you want to be.
>
> This is a good idea. But then if someone stupidly leaves a computer
> signed on in a public place, there is a limit to how much you can do
> without hassling all of the other users of your site.
It depends on the data or value of lost/damaged data I guess. The best
solution would be to educate the end user, but sometimes it's not as
easy.

Dec 30 '06 #7
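As an added example (not code from any poster in this thread), here is what the "check session include file" the thread recommends can look like in PHP, with the idle time-out and the re-verification for sensitive pages suggested in posts #5 and #7, and without the client-IP binding that post #6 argues against. It assumes the login page sets $_SESSION['user_id'] and $_SESSION['auth_at'] (a Unix timestamp of the last password check) and that the login form lives at /login.php; both are assumed names.

```php
<?php
// check_session.php - constructed example: include it first thing on every
// protected page. Pages that delete or administer data set $sensitive = true
// before the include to demand a recent re-login.
// Assumes (not from the thread) that login.php stores user_id and auth_at.
// The client IP is deliberately not part of the check: users behind AOL-style
// proxies change IP mid-session, and users behind one corporate NAT share one.

const IDLE_LIMIT   = 15 * 60;     // seconds of inactivity before forced re-login
const ABS_LIMIT    = 8 * 60 * 60; // hard cap on session age, regardless of activity
const REAUTH_LIMIT = 5 * 60;      // sensitive pages need a password check newer than this

session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function end_session_and_redirect(string $reason): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?reason=' . urlencode($reason));
    exit;
}

// 1. Logged in at all?
if (empty($_SESSION['user_id']) || empty($_SESSION['auth_at'])) {
    end_session_and_redirect('login');
}

$now = time();

// 2. Absolute lifetime: activity alone cannot keep a session alive forever.
if ($now - $_SESSION['auth_at'] > ABS_LIMIT) {
    end_session_and_redirect('expired');
}

// 3. Idle time-out: covers the abandoned-terminal case from post #5.
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    end_session_and_redirect('idle');
}
$_SESSION['last_seen'] = $now;

// 4. Re-verification for delete/admin pages: send the user back through the
//    login form (keeping the session) if the last password check is too old.
if (!empty($sensitive) && $now - $_SESSION['auth_at'] > REAUTH_LIMIT) {
    header('Location: /login.php?reason=reauth&next=' . urlencode($_SERVER['REQUEST_URI']));
    exit;
}
```

A protected page then starts with `require 'check_session.php';` and an admin page with `$sensitive = true; require 'check_session.php';`, so the check cannot be forgotten on a page-by-page basis.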

Anthony Smith wrote:
> I am looking into building a web application and one of the things I
> want to do is to make sure the user is logged in. I know I can do this
> by checking the session for a user object or something similar. Is
> there a best practice for this? Currently what I do is have each page
> include a check session include file.
There are many "best practices" for securing your web apps. And there is
a ton of argument as to which is the best of them all. The solution
you pick is going to depend greatly on whether or not you decide to use
a database of some kind (MySQL, or even a flat file db). I use a
database solution for all my sites and follow this sort of algorithm:

    // Assumes session_start() has already run and $db is a PDO connection.
    function check_login(PDO $db) {
        // 1. Try the auth string kept in the session.
        $auth_string = $_SESSION['auth_string'] ?? null;
        if ($auth_string !== null) {
            // Bound parameter: the value is never spliced into the SQL,
            // which is the "check for SQL injection" step.
            $stmt = $db->prepare('SELECT COUNT(*) FROM users_table
                WHERE ? = MD5(CONCAT(username, auth_key))');
            $stmt->execute([$auth_string]);
            if ((int) $stmt->fetchColumn() === 1) {
                return true;
            }
        }

        // 2. No valid session: check the posted username and password.
        $username = $_POST['username'] ?? '';
        $password = $_POST['password'] ?? '';
        if ($username === '' || $password === '') {
            return false;
        }
        $stmt = $db->prepare('SELECT COUNT(*) FROM users_table
            WHERE username = ? AND password = ?');
        $stmt->execute([$username, $password]);
        if ((int) $stmt->fetchColumn() === 1) {
            // 3. Generate a new random auth_key, store it on the user
            //    record and keep only MD5(username + auth_key) in the session.
            $auth_key = bin2hex(random_bytes(16));
            $upd = $db->prepare('UPDATE users_table SET auth_key = ?
                WHERE username = ?');
            $upd->execute([$auth_key, $username]);
            $_SESSION['auth_string'] = md5($username . $auth_key);
            return true;
        }

        return false;
    }

For generating the new auth key, I just use a random string of letters
and numbers; there are a ton of algorithms out there for that, or you
could just use a time string or something.

Now you would do this on every page you wanted under your login:

    if (check_login($db)) {
        // show page
    } else {
        // show login form
    }
That may not be the best solution; you may also want to implement some
form of time out to it as well, but for my purposes it works well. You
can feel free to email me if you have questions about it.

Dec 30 '06 #8
Anthony Smith wrote:
> by checking the session for a user object or something similar. Is
That's how I do this. You may as well check some MVC frameworks with
session and auth management support and look how it's done there.
--
Mateusz Papiernik, Maticomp Webdesign
ma**@maticomp.net, http://www.maticomp.net
"One man can make a difference" - Wilton Knight
Dec 30 '06 #9
