Re: User authentication and redirect

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Bastien Koert wrote:

I can't see why you simply dont do this


if ($LoginSuccessful)
{
 $location = "";
}else{
 $location = "../index.php";
}
header("location=$location");

If i don't have the solution, perhaps I am misunderstanding the problem

Bastien


From: "Vinny Lape" <vinny@xxxxxxxxxxxxxxxxxx>
To: <php-db@xxxxxxxxxxxxx>
Subject: RE:  User authentication and redirect
Date: Fri, 15 Jul 2005 09:01:52 -0400

I think I need to explain my question better.

I have a db and the table contains 4 fields uid(pk) username password
location
 I can authenticate the user / pass properly. The problem I am having is
getting the information from field location and defining it as $location so I can do the following: (when I make $redirectLoginSuccess = "example.php"
all works fine)
<snip>
$redirectLoginSuccess = "$location";
$redirectLoginFailed = "../index.php";
</snip>

<snip>
}
    header("Location: " . $redirectLoginSuccess );
  }
  else {
    header("Location: ". $redirectLoginFailed );
</snip>

Here is where I query the db
<snip>
$LoginRS__query=sprintf("SELECT username, password FROM webauth WHERE
username='%s' AND password='%s'",
get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
get_magic_quotes_gpc() ? $password : addslashes($password));
  $LoginRS = mysql_query($LoginRS__query, $mysql) or die(mysql_error());
</snip>
On the landing page im using this for security:
<?php
session_start();
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable
MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session
variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain
users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their
username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "../index.php";
if (!((isset($_SESSION['MM_Username'])) &&
(isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'])))) {
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" .
urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
-----Original Message-----
From: Ahmed Saad [mailto:myanywhere@xxxxxxxxx]
Sent: Thursday, July 14, 2005 8:34 AM
To: Vinny Lape
Cc: php-db@xxxxxxxxxxxxx
Subject: Re:  User authentication and redirect

hi Vinny,

On 7/13/05, Vinny Lape <vinny@xxxxxxxxxxxxxxxxxx> wrote:
> If user validates then look at db entry location then redirect to
> mydomain.com/"location"/index.php

i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your "secured" page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication  (which is not a very good idea).

-ahmed

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


you shouldn't do that (in my opinion) because of the following scenario: Bob needs access from a shared terminal. Bob puts in his (authorized) login information, and then bookmarks the resulting page. Fred comes along. Fred is not authorized to access the database. Fred follows the link out of curiosity, finds sensitive information, and either deletes it all, sells it to a competitor, or otherwise screws with it because he is bitter that he is being severly underpaid, all using either Bob's session information, or no session information, depending on how the session is set to expire. The best option is to put the login and login check functions in a file, include that file at the beginning of all your scripts which need access control, and then put the following code at the beginning of the script:

if(login_check($user, $pass)
{
      //allow access, main script body here
}
else
{
      //deny access
      echo "you aren't supposed to be here....";
      exit;
}

i hope i understood your problem correctly, and i hope i was of some help...this is the way i wrote my project, but it was only access-controlled on certain pages (i.e. inserting and deleting records)

--
Thomas Dodson
Programmer, Bioinformatics
S-327 Ag. Science North
Department of Entomology
University of Kentucky
Lexington, KY 40546-0091
Phone (859) 257-3169
Fax (859) 323-1120
Cell: (859) 420-1696

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux