470,862 Members | 1,821 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 470,862 developers. It's quick & easy.

need help with user authentication routine

I am trying to develop a simple user authentication routine.

I started with something I got from a book called "PHP in Easy Steps."
It works like this:

- create a table in a database with basic user information: name,
login, password
- create a simple html form which loads "authenticate.php" when the
submit button is pushed.
- autheticate.php checks the login against the database, and loads the
next file, if the user is authenticated.

I have all that working. The problem, if you haven't guessed, is that
somebody can bypass the entire thing, if that person the the file(s)
that are loaded after the authetication. i.e.

http://urlname/sensitivedata.html

So how do I fix this? Cookies? Can I check if the user is authenticated
in each subsequent file that might be loaded?

Apr 12 '06 #1
1 1388
>I am trying to develop a simple user authentication routine.

I started with something I got from a book called "PHP in Easy Steps."
It works like this:

- create a table in a database with basic user information: name,
login, password
- create a simple html form which loads "authenticate.php" when the
submit button is pushed.
- autheticate.php checks the login against the database, and loads the
next file, if the user is authenticated.

I have all that working. The problem, if you haven't guessed, is that
somebody can bypass the entire thing, if that person the the file(s)
that are loaded after the authetication. i.e.
(1) Make sure that there *is* no next file. (Put it in *this* file).
(2) If there is a next file, make sure it has no URL (it's outside
the document tree).

Often, every file to be protected would include "authenticate.php"
up front. Sometimes it is useful, after successful authentication,
to output a Content-type header followed by fpassthru() called on
a file outside the document tree (this is one way to protect images or
files to be downloaded).

Whether or not you do full authentication each time or if you leave behind
a cookie or session variable which is checked later is up to you.
http://urlname/sensitivedata.html

So how do I fix this? Cookies? Can I check if the user is authenticated
in each subsequent file that might be loaded?


Gordon L. Burditt
Apr 13 '06 #2

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

2 posts views Thread by Alliss | last post: by
9 posts views Thread by Paul | last post: by
1 post views Thread by Shapper | last post: by
3 posts views Thread by Miguel Dias Moura | last post: by
1 post views Thread by walterbyrd | last post: by
1 post views Thread by awebguynow | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.