what is the correct/nice way to exit a php CGI script running on a web server?

I'm making a web site that does login authentication.
It all works fine, but I have a question about 'correctness'...

Certain php scripts on the site should only run if the user has logged
on. So, the 'private' scripts in question all include the following php
script:

<?php
// has user authenticated?
if (! $logged_in) {
    $newPath = 'login.php';

    echo "<html><head><meta http-equiv=\"REFRESH\" content=\"3; url=$newPath\"></head>";

    echo "<body>You can't access this page without logging in!<p>Redirecting to the <a href=\"$newPath\">login page</a> in 3 seconds.</body></html>";

    // exit php so that no more content gets output!
    // (this must stay inside the if block: placed after the closing brace
    // it would stop every page, logged in or not)
    exit(0);
}
?>

As you can see, if the user is not logged on, we output an http refresh
to redirect the user's browser to the login screen. It works fine, but my
main question is about the trick of calling exit(0) at the end, which is
required to stop the php script that includes the above code from
outputting any of its content (which is 'secret' from unauthenticated
users.)
Is calling exit(0) ok to this end? Is it considered a dirty hacky way of
doing it? It does the job, but I'm just wondering if there is a nicer
way of doing it I should be using.

thanks
alex

Jul 17 '05 #1
"Alex Hunsley" wrote:
> I'm making a web site that does login authentication.
> It all works fine, but I have a question about 'correctness'...
>
> Certain php scripts on the site should only run if the user has logged
> on. So, the 'private' scripts in question all include the following php
> script:
>
> <?php
> // has user authenticated?
> if (! $logged_in) {
>     $newPath = 'login.php';
>
>     echo "<html><head><meta http-equiv=\"REFRESH\" content=\"3; url=$newPath\"></head>";
>
>     echo "<body>You can't access this page without logging in!<p>Redirecting to the <a href=\"$newPath\">login page</a> in 3 seconds.</body></html>";
>
>     // exit php so that no more content gets output!
>     exit(0);
> }
> ?>
>
> As you can see, if the user is not logged on, we output an http refresh
> to redirect the user's browser to the login screen. It works fine, but my
> main question is about the trick of calling exit(0) at the end, which is
> required to stop the php script that includes the above code from
> outputting any of its content (which is 'secret' from unauthenticated
> users.)
> Is calling exit(0) ok to this end? Is it considered a dirty hacky way of
> doing it? It does the job, but I'm just wondering if there is a nicer
> way of doing it I should be using.
>
> thanks
> alex


I believe the content produced to that point would still be output,
unless you cache the content (see ob_start, ob_get_contents, etc. in
the manual).

But why wait 3 seconds? You could simply redirect to
"login.php?msg=1" and if login.php has a $_GET['msg'] == 1 then print
the message that they have to login first, and following it show the
normal login boxes.

Jul 17 '05 #2
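Pulling the thread's points together (an include that must stop the page it is included from, steve's note that already-produced output still goes out unless it is buffered, and the later advice to check a session rather than a plain flag), here is an added example that is not Alex's code. It assumes a login.php that sets $_SESSION['user_id'] after verifying credentials and reads $_SESSION['return_to'] afterwards; those two session keys are assumptions.

```php
<?php
// auth_guard.php: include at the very top of every private page.
// Added example, not the original poster's code. Assumes login.php sets
// $_SESSION['user_id'] on success and honours $_SESSION['return_to'].
declare(strict_types=1);

session_start();

// Buffer everything the page emits so that, if the check fails, output
// produced before this point can be discarded instead of sent.
ob_start();

function current_user_id(): ?int
{
    // Read the login state only from server-side session data; the
    // guard never trusts a variable that might arrive with the request.
    $id = $_SESSION['user_id'] ?? null;
    return is_int($id) ? $id : null;
}

function require_login(string $login_path = 'login.php'): void
{
    if (current_user_id() !== null) {
        return; // authenticated: the including page carries on
    }

    // Throw away anything already buffered so no partial content leaks.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    // Remember where to return after login, kept server-side and
    // restricted to a local path so it cannot be turned into an
    // off-site redirect.
    $return_to = $_SERVER['REQUEST_URI'] ?? '/';
    if ($return_to === '' || $return_to[0] !== '/' || substr($return_to, 0, 2) === '//') {
        $return_to = '/';
    }
    $_SESSION['return_to'] = $return_to;

    // A Location header replaces the 3-second meta refresh.
    header('Location: ' . $login_path . '?msg=1', true, 302);

    // exit after header() is the normal PHP idiom: an include cannot
    // "return" on behalf of the file that included it, so stopping the
    // request here is the only way to guarantee nothing else is emitted.
    exit;
}

require_login();
```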
> As you can see, if the user is not logged on, we output an http refresh
> to redirect the user's browser to the login screen. It works fine, but my
> main question is about the trick of calling exit(0) at the end, which is
> required to stop the php script that includes the above code from
> outputting any of its content (which is 'secret' from unauthenticated
> users.)
> Is calling exit(0) ok to this end? Is it considered a dirty hacky way of
> doing it? It does the job, but I'm just wondering if there is a nicer
> way of doing it I should be using.


From the point of view of structured programming, it might be
better to do:

<?php
if (! $logged_in) {
    // ... output a redirect page ...
} else {
    // ... output the content ...
}
?>

However, there is a risk that if someone adds stuff on the end,
they might put it after the last brace, and output it to the
unauthorized users also.

Gordon L. Burditt
Jul 17 '05 #3
Gordon Burditt wrote:
> > As you can see, if the user is not logged on, we output an http refresh
> > to redirect the user's browser to the login screen. It works fine, but my
> > main question is about the trick of calling exit(0) at the end, which is
> > required to stop the php script that includes the above code from
> > outputting any of its content (which is 'secret' from unauthenticated
> > users.)
> > Is calling exit(0) ok to this end? Is it considered a dirty hacky way of
> > doing it? It does the job, but I'm just wondering if there is a nicer
> > way of doing it I should be using.
>
> From the point of view of structured programming, it might be
> better to do:
>
> <?php
> if (! $logged_in) {
>     // ... output a redirect page ...
> } else {
>     // ... output the content ...
> }
> ?>
>
> However, there is a risk that if someone adds stuff on the end,
> they might put it after the last brace, and output it to the
> unauthorized users also.
>
> Gordon L. Burditt


I would not pass logged_in as a plain-text variable; make it a session id or
some other unique, per-user and verifiable piece of data. If it is a simple
Y/N/1/0 then all I have to do is add that to a URL and I am in.

--
Michael Austin.
Consultant - Available.
Donations welcomed. Http://www.firstdbasource.com/donations.html
:)
Jul 17 '05 #4
steve wrote:
> "Alex Hunsley" wrote:
> > I'm making a web site that does login authentication.
> > It all works fine, but I have a question about 'correctness'...
> >
> > Certain php scripts on the site should only run if the user has logged
> > on. So, the 'private' scripts in question all include the following php
> > script:
> >
> > <?php
> > // has user authenticated?
> > if (! $logged_in) {
> >     $newPath = 'login.php';
> >
> >     echo "<html><head><meta http-equiv=\"REFRESH\" content=\"3; url=$newPath\"></head>";
> >
> >     echo "<body>You can't access this page without logging in!<p>Redirecting to the <a href=\"$newPath\">login page</a> in 3 seconds.</body></html>";
> >
> >     // exit php so that no more content gets output!
> >     exit(0);
> > }
> > ?>
> >
> > As you can see, if the user is not logged on, we output an http refresh
> > to redirect the user's browser to the login screen. It works fine, but my
> > main question is about the trick of calling exit(0) at the end, which is
> > required to stop the php script that includes the above code from
> > outputting any of its content (which is 'secret' from unauthenticated
> > users.)
> > Is calling exit(0) ok to this end? Is it considered a dirty hacky way of
> > doing it? It does the job, but I'm just wondering if there is a nicer
> > way of doing it I should be using.
> >
> > thanks
> > alex
>
> I believe the content produced to that point would still be output,
> unless you cache the content (see ob_start, ob_get_contents, etc. in
> the manual).

Yup, it does get output.

> But why wait 3 seconds? You could simply redirect to
> "login.php?msg=1" and if login.php has a $_GET['msg'] == 1 then print
> the message that they have to login first, and following it show the
> normal login boxes.


This is actually what my code already does, but I simplified the code I
posted! The login form also has a hidden form value that holds the
original URL, and if the user logs in successfully they are sent back
to the original page.
alex
Jul 17 '05 #5
Michael Austin wrote:
> Gordon Burditt wrote:
> > > As you can see, if the user is not logged on, we output an http
> > > refresh to redirect the user's browser to the login screen. It works
> > > fine, but my main question is about the trick of calling exit(0) at
> > > the end, which is required to stop the php script that includes the
> > > above code from outputting any of its content (which is 'secret' from
> > > unauthenticated users.)
> > > Is calling exit(0) ok to this end? Is it considered a dirty hacky way
> > > of doing it? It does the job, but I'm just wondering if there is a
> > > nicer way of doing it I should be using.
> >
> > From the point of view of structured programming, it might be
> > better to do:
> >
> > <?php
> > if (! $logged_in) {
> >     // ... output a redirect page ...
> > } else {
> >     // ... output the content ...
> > }
> > ?>
> >
> > However, there is a risk that if someone adds stuff on the end,
> > they might put it after the last brace, and output it to the
> > unauthorized users also.
> >
> > Gordon L. Burditt

This was the original approach. However, since my checking code that I
originally posted is in another file which gets included at the top of
each script that is 'private', the if { } else { } part can't really be
done in that situation.

> I would not pass logged_in as a plain-text variable; make it a session
> id or some other unique, per-user and verifiable piece of data. If it
> is a simple Y/N/1/0 then all I have to do is add that to a URL and I am in.

logged_in isn't a passed-in cgi variable, it is set according to the
user having a cookie already set, so they can't just mung the url to cheat!

alex
Jul 17 '05 #6
> logged_in isn't a passed-in cgi variable, it is set according to the
> user having a cookie already set, so they can't just mung the url to cheat!

Additionally, an attacker would need to know the variable names used in the
script to be able to pass them as arguments in the URL.

alex

Jul 17 '05 #7
Aidan wrote:
> > logged_in isn't a passed-in cgi variable, it is set according to the
> > user having a cookie already set, so they can't just mung the url to
> > cheat!
>
> Additionally, an attacker would need to know the variable names used in the
> script to be able to pass them as arguments in the URL.


Yup! This variable $logged_in is never passed to the client side, so
they have no way of knowing it is there or is checked.
And even when I *do* try to pass in a cgi var, e.g. ?logged_in=true, it
doesn't work, since the script overwrites the value with its own value
based on cookies being present and authentic.

alex
Jul 17 '05 #8

