Re: [PHP] restrict access to multiple pages
I like your second solution better. (Seems simpler to me to leave out the nested else...) I'd just write it this way:

<?php
if (!loggedin()) {
    // redirect to login page
    header('Location: http://domain.com/login.php');
    exit;
}
?>

Also check out some of these articles for some different options/ideas:
http://www.google.com/search?q=php+user+authentication

olinux

--- Chris W. Parker wrote:

> Hey y'all.
>
> Ok so I am working on the admin section of the e-commerce app I'm writing
> and I'm hoping there's a better way to do what I am currently doing.
>
> In an effort to prevent circumvention of the login page I've placed a
> check at the beginning of each page that basically does the following:
>
> <?php
> if (loggedin()) {
>     // entire page of code goes here
> } else {
>     // redirect back to login page
> }
> ?>
>
> By doing this people will not be able to just enter manually any URL
> they want and have the page load.
>
> As far as better ways go I was thinking that maybe I could employ
> .htaccess somehow? But then I think that might require having user
> accounts registered with the server instead of just using a db and I
> don't want to do that.
>
> I was thinking that maybe I could change it to this:
>
> <?php
> // define function stored in class file
> // (basic auth function, not at all what i'm using.
> // just an example.)
> function IsLoggedIn($input)
> {
>     if (isset($input) && !empty($input)) {
>         return 1;
>     } else {
>         // redirect to login page
>         header('Location: login.php');
>         exit;
>     }
> }
>
> IsLoggedIn($input);
>
> // entire page of code goes here
> ?>
>
> Any want to share their experiences and ideas?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] restrict access to multiple pages
Chris Shiflett on Monday, December 08, 2003 5:17 PM said:

> The only risk is forgetting to add this check, since I assume you mean
> that you have to copy/paste this into every script. You might want to
> consider whether you can design your application in such a way that you
> can have a more centralized way to enforce authorization.

This is what I tried to do with my second example. I thought it to be an improvement because it was merely one function call and not an if..else construct. Any comments on that?

> The one thing I would definitely consider doing differently is the
> redirect. You could, instead, just include the logic necessary for the
> login page, so that you avoid the superfluous transaction.

Is this comment from a security standpoint or an efficiency issue?

>> As far as better ways go I was thinking that maybe I could employ
>> .htaccess somehow?
>
> Yes, and you can use a database like you're wanting. There is existing
> code to help you do this. However, this implements HTTP authentication,
> which has the little popup window. This is fine, but some people might
> perceive this as being unprofessional, so you might want to keep your
> audience in mind.

Ewww.. no I don't want to do that.

And to olinux, yes I will check google! :)

Chris.

--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/
Re: [PHP] restrict access to multiple pages
On Mon, 8 Dec 2003, Chris W. Parker wrote:

> Ok so I am working on the admin section of the e-commerce app I'm writing
> and I'm hoping there's a better way to do what I am currently doing.
>
> In an effort to prevent circumvention of the login page I've placed a
> check at the beginning of each page that basically does the following:
> ...

In the case that this is part of a larger application, as it seems to be, you probably should have an include that you are doing on each hit that handles the user identity/authentication.. Not just for your admin users, but a general container for all the user-related functions.

Within that include, let's call it loguser.php, you could write functions such as require_admin() or require_login() .. then, call those functions on the pages that require the user to be an admin or be logged in. The functions would determine if the logged-in user had adequate permission, and redirect them if not. That way, you can control this behavior from a central location--you don't want to have to go through each page of your app and change a URL.

--
Kelly Hallman // Ultrafancy
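A central include along the lines Kelly sketches, written out as an added example (this is not code from the thread or from any of the posters). It assumes the login script stores the user's numeric id in $_SESSION['uid'] and a boolean in $_SESSION['is_admin'] (both assumed names) and that the login page lives at /login.php; each protected script then needs only one require_login() or require_admin() call, so the check lives in one place and the redirect target changes in one place.

```php
<?php
// loguser.php: one central include for identity checks. Added example,
// not code from the thread. Assumed: the login script stores the user's
// numeric id in $_SESSION['uid'] and a boolean in $_SESSION['is_admin']
// (both assumed names), and the login page lives at /login.php.

declare(strict_types=1);

const LOGIN_URL = '/login.php';   // assumed path of the login page

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Id of the logged-in user, or null when the session carries no valid one.
// The null-coalescing read avoids notices on a fresh session; the type
// check rejects junk values.
function current_user_id(): ?int
{
    ensure_session();
    $uid = $_SESSION['uid'] ?? null;
    return (is_int($uid) && $uid > 0) ? $uid : null;
}

function current_user_is_admin(): bool
{
    ensure_session();
    return ($_SESSION['is_admin'] ?? false) === true;
}

// Redirect to the login page and stop. The exit matters: header() only
// queues a response header, and without exit the protected page body would
// still be generated and sent to a client that ignores the redirect.
function redirect_to_login(): void
{
    header('Location: ' . LOGIN_URL, true, 302);
    exit;
}

// Call at the top of every page that needs a logged-in user.
function require_login(): int
{
    $uid = current_user_id();
    if ($uid === null) {
        redirect_to_login();
    }
    return $uid;
}

// Call at the top of admin-only pages: authentication first, then the
// privilege check. A logged-in non-admin gets a 403 rather than another
// login prompt, so the failure is visible instead of looping on login.
function require_admin(): int
{
    $uid = require_login();
    if (!current_user_is_admin()) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $uid;
}

// Usage in a protected script (assumed file admin/orders.php):
//   require_once __DIR__ . '/../loguser.php';
//   $uid = require_admin();
//   // ... rest of the page, which now only runs for an admin ...
```

The two helpers are deliberately separate so that a page can be "logged-in users only" without being "admins only"; the same structure also makes it easy to grep the code base for scripts that are missing the call, which is the one risk of a per-page check that the thread keeps coming back to.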
RE: [PHP] restrict access to multiple pages
Kelly Hallman wrote:

> On Mon, 8 Dec 2003, Chris W. Parker wrote:
>
>> Ok so I am working on the admin section of the e-commerce app I'm
>> writing and I'm hoping there's a better way to do what I am currently
>> doing.
>>
>> In an effort to prevent circumvention of the login page I've placed a
>> check at the beginning of each page that basically does the following:
>> ...
>
> In the case that this is part of a larger application, as it seems to
> be, you probably should have an include that you are doing on each hit
> that handles the user identity/authentication.. Not just for your admin
> users, but a general container for all the user-related functions.
>
> Within that include, let's call it loguser.php, you could write
> functions such as require_admin() or require_login() .. then, call
> those functions on the pages that require the user to be an admin or
> be logged in. The functions would determine if the logged-in user had
> adequate permission, and redirect them if not. That way, you can
> control this behavior from a central location--you don't want to have
> to go through each page of your app and change a URL.
>
> --
> Kelly Hallman // Ultrafancy

What I've done for the CMS I've been working on for a while is I have a base class which is the core of the application, and all modules in the CMS extend from this base class. Part of this base class is a check_login() method, and I simply call this in the constructor of each module to verify login and access privileges. This method first verifies a basic login, and assuming the login passes it then checks the user's credentials against a list of credentials which are necessary to access the different functionalities in each module, and away we go. If the login test fails, the session is destroyed and the user is sent back to the login page. Otherwise if they are attempting to access functionality to which they don't have access they get notified of this, else they proceed as normal.

Cheers,
Pablo
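The base-class arrangement Pablo describes, written out as an added example rather than his CMS code. The class name Module, the method check_login(), the session keys $_SESSION['uid'] and $_SESSION['privileges'] (a list of strings the login script granted) and the privilege name 'catalog.edit' are all assumed; the behaviour follows his description: a failed login destroys the session and redirects, while a logged-in user lacking a privilege is told so and keeps their session.

```php
<?php
// Added example modelled on Pablo's description: an application base class
// whose constructor runs check_login(), with every module extending it.
// Not his CMS code. Assumed names: Module, check_login(), the session keys
// $_SESSION['uid'] (int) and $_SESSION['privileges'] (list of strings the
// login script granted), and the login page at /login.php.

declare(strict_types=1);

abstract class Module
{
    // Credentials needed to use this module; each subclass lists its own.
    protected array $requiredPrivileges = [];

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        // The guard runs before any module code, so a module cannot be
        // reached without passing it, whichever URL the module is served from.
        $this->check_login();
    }

    protected function check_login(): void
    {
        // Step 1: basic login test. No valid user -> destroy session, back to login.
        $uid = $_SESSION['uid'] ?? null;
        if (!is_int($uid) || $uid <= 0) {
            $this->failLogin();
        }

        // Step 2: credential test against this module's list.
        $granted = $_SESSION['privileges'] ?? [];
        if (!is_array($granted)) {
            $granted = [];
        }
        if (array_diff($this->requiredPrivileges, $granted) !== []) {
            // Logged in, but not allowed here: notify, keep the session.
            http_response_code(403);
            exit('You do not have access to this part of the site.');
        }
    }

    private function failLogin(): void
    {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php', true, 302);
        exit;
    }

    abstract public function run(): void;
}

// A module only users holding 'catalog.edit' may use (assumed privilege name).
final class CatalogEditor extends Module
{
    protected array $requiredPrivileges = ['catalog.edit'];

    public function run(): void
    {
        echo 'catalog editor';
    }
}

// Entry point of the module's page: the check already ran in the constructor.
(new CatalogEditor())->run();
```

Putting the check in the constructor, rather than relying on each module's run() to remember it, is what makes this design resistant to the "forgot to add the check" failure mode: a module cannot be instantiated at all without the check having been evaluated.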
Re: [PHP] restrict access to multiple pages
--- Chris W. Parker wrote:

> In an effort to prevent circumvention of the login page I've placed a
> check at the beginning of each page that basically does the following:
>
> <?php
> if (loggedin()) {
>     // entire page of code goes here
> } else {
>     // redirect back to login page
> }
> ?>

This is fine, assuming loggedin() does what you intend and can't be subverted. The only risk is forgetting to add this check, since I assume you mean that you have to copy/paste this into every script. You might want to consider whether you can design your application in such a way that you can have a more centralized way to enforce authorization.

The one thing I would definitely consider doing differently is the redirect. You could, instead, just include the logic necessary for the login page, so that you avoid the superfluous transaction.

> As far as better ways go I was thinking that maybe I could employ
> .htaccess somehow?

Yes, and you can use a database like you're wanting. There is existing code to help you do this. However, this implements HTTP authentication, which has the little popup window. This is fine, but some people might perceive this as being unprofessional, so you might want to keep your audience in mind.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
    Coming mid-2004
HTTP Developer's Handbook
    http://httphandbook.org/
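The HTTP-authentication route Chris Shiflett mentions, with the password store in a database rather than in a server account or htpasswd file, as an added example (not code from the thread and not any particular library). It assumes a PDO connection $db and a table users(username, password_hash) whose hashes were produced by password_hash(); the 401 plus WWW-Authenticate header is exactly what makes the browser show the popup he refers to.

```php
<?php
// Added example: PHP answering HTTP Basic authentication itself, checked
// against a database instead of an htpasswd file. Not code from the thread
// and not any particular library. Assumed: a PDO connection $db and a table
// users(username, password_hash) whose hashes come from password_hash().

declare(strict_types=1);

function verify_credentials(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run one verification so the response time does
        // not differ from "known user, wrong password".
        static $dummy = null;
        $dummy ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
        password_verify($pass, $dummy);
        return false;
    }
    return password_verify($pass, (string) $hash);
}

// Returns the authenticated username, or sends the 401 challenge (which is
// what triggers the browser's popup) and stops the script.
function require_http_auth(PDO $db, string $realm = 'Admin area'): string
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';

    if ($user !== '' && verify_credentials($db, $user, $pass)) {
        return $user;
    }
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    http_response_code(401);
    exit('Authentication required');
}

// Usage at the top of a protected script (assumed DSN and credentials):
//   $db   = new PDO('mysql:host=localhost;dbname=shop', 'app', 'secret');
//   $user = require_http_auth($db);
```

Two practical notes: PHP_AUTH_USER and PHP_AUTH_PW are filled in when PHP runs as an Apache module, while CGI/FastCGI setups generally have to pass the Authorization header through to PHP themselves; and Basic authentication resends the credentials (base64-encoded, not encrypted) with every request, so it belongs behind TLS.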
Re: [PHP] restrict access to multiple pages
On Tuesday, December 9, 2003, at 12:08 PM, Chris W. Parker wrote:

> Hey y'all.
>
> Ok so I am working on the admin section of the e-commerce app I'm writing
> and I'm hoping there's a better way to do what I am currently doing.
>
> In an effort to prevent circumvention of the login page I've placed a
> check at the beginning of each page that basically does the following:
>
> <?php
> if (loggedin()) {
>     // entire page of code goes here
> } else {
>     // redirect back to login page
> }
> ?>

That's essentially what I do too... except I've got all this stored in a restricted.inc file which I just include() where needed.

I think you can minimise your code though, by checking (in my case) for an invalid uid or a uid without admin clearance (redirect and exit), otherwise just show the page:

---
<?php
session_start();
if (empty($_SESSION['uid']) || empty($_SESSION['admin'])) {
    header('Location: login.php');
    exit;
}
?>
the rest of your page here
---

Cheers,
Justin