Re: sessions and email

On Thu, Nov 12, 2009 at 1:21 PM, Ashley Sheridan
<ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote:
>
>> All,
>>
>> I am using sessions for my application to verify a user has logged in:
>>
>> // Verify the user is logged in.
>> if (!isset($_SESSION['basic_is_logged_in'])
>>     || $_SESSION['basic_is_logged_in'] !== true) {
>>     // If not logged in, redirect to the login page.
>>     header('Location: login.php');
>>     exit;
>> }
>>
>> If anyone tries to go to any page in the application via the address bar,
>> they are correctly redirected to the login page.
>>
>> However, if someone that is currently logged into the application using I.E.
>> goes to File -> Send -> Page by Email, the person they email the link to can
>> open it and use the application without logging in and the address bar uses
>> a local path like: C:\Documents and Settings\my_name\Local
>> Settings\Temporary Internet Files\OLK18\My Page (2).htm
>>
>> How can I prevent the emailed pages from being able to access the
>> application if it is a local path or the user hasn't logged in?
>
>
> You can't really. When someone is emailing the page, it's the equivalent
> of them saving the page to their local computer, and then sending that
> as an attachment. As this is all client-side, it has no contact with
> PHP. You could have some sort of Javascript to detect the domain the
> page has, and then redirect if it's not your domain, but this fails when
> someone turns Javascript off. Apart from that, I don't know of any other
> way you could stop someone from emailing a page, aside from making the
> site completely Ajax based and pulling in every scrap of content via
> Ajax.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>

And even then, it has become part of the DOM and will be saved with
the rest of the page. The presence of Javascript in the page *might*
remove it/hide it/obscure it/etc., but it will still be there in the
saved document.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
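The point both replies make is that the forwarded file is a static snapshot with no connection to the server, so the only check that holds is the one made on each request that actually reaches PHP. The gate below is an added example, not the original poster's code: it keeps the `$_SESSION['basic_is_logged_in']` key and the `login.php` redirect from the post and adds the pieces a practitioner would want around them (session cookie flags, session ID regeneration at login, no-store cache headers, a logout that clears server-side state). The file name `auth_gate.php`, the `return_to` and `user` session keys, serving over HTTPS, and PHP 7.3 or later (for the array form of `session_set_cookie_params`) are assumptions. The cache headers keep proxies and the browser cache from retaining a copy; they do not stop an explicit save or "send page by email", which copies the rendered page, and, as Andrew notes, neither would a script inside the page, because the script is saved along with it.

```php
<?php
// auth_gate.php: per-request login gate. Added example, not the original
// poster's code. Assumed: login.php sets $_SESSION['basic_is_logged_in'] = true
// via mark_logged_in() after a successful credential check, and every page of
// the application starts with: require __DIR__ . '/auth_gate.php';

declare(strict_types=1);

// Cookie hardening must be configured before session_start(). The 'secure'
// flag assumes the application is only served over HTTPS.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,     // not readable by script in the page
    'samesite' => 'Lax',
]);
session_start();

// Sent on every authenticated response so that shared caches and the
// browser cache do not keep a copy of the page. These headers do not prevent
// a logged-in user from saving or forwarding the page they are looking at.
header('Cache-Control: no-store, private');
header('Pragma: no-cache');
header('Expires: 0');

/**
 * True only when the session carries the logged-in flag with the exact value
 * true. Strict comparison so that a truthy string such as "1" written by some
 * other code path does not pass the gate.
 */
function is_logged_in(array $session): bool
{
    return isset($session['basic_is_logged_in'])
        && $session['basic_is_logged_in'] === true;
}

/**
 * Gate the current request. A request that arrives without a valid session
 * cookie (for example, a link followed from a forwarded copy of a page by
 * someone who never logged in) is sent to login.php regardless of where the
 * HTML that produced the request came from.
 */
function require_login(): void
{
    if (!is_logged_in($_SESSION)) {
        // Remember the requested path so login.php can return the user there.
        // login.php must only honour a value that starts with a single '/',
        // otherwise this becomes an open redirect.
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: login.php', true, 302);
        exit;
    }
}

/**
 * Called by login.php once the password check has succeeded. Regenerating
 * the session ID at this point defeats session fixation: any session ID that
 * was handed to the user beforehand (in a link, a forwarded page, or a cookie
 * planted by an attacker) is discarded at the moment they authenticate.
 */
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['basic_is_logged_in'] = true;
    $_SESSION['user'] = $username;
}

/**
 * Called by logout.php. Clearing $_SESSION and destroying the server-side
 * session is what actually ends the login; expiring the cookie is a courtesy
 * to the browser. This follows the session_destroy() example in the PHP manual.
 */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Run the gate for the page that included this file.
require_login();
```

Because the gate runs on every request, it does not matter whether the HTML that issued the request was served by the application or opened from a local `.htm` file: the server only sees a request, and without a valid session cookie that request is redirected. What the gate cannot do is reach into a copy of a page that was already delivered to a logged-in user; once the response has left the server, anything it contained can be saved and forwarded.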
