Re: [PHP] limit access to php page

2013-05-31 Thread Tamara Temple
Camilo Sperberg unrea...@gmail.com wrote:
> On 30 May 2013, at 05:05, Paul M Foster pa...@quillandmouse.com wrote:
>
>> On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote:
>>
>>> On May 29, 2013, at 7:11 PM, Tim Dunphy bluethu...@gmail.com wrote:
>>>
>>>> Hello list,
>>>>
>>>> I've created an authentication page (index.php) that logs into an LDAP
>>>> server, then points you to a second page that some folks are intended to
>>>> use to request apache redirects from the sysadmin group (redirect.php).
>>>>
>>>> Everything works great so far, except if you pop the full URL of
>>>> redirect.php into your browser you can hit the page regardless of the login
>>>> process on index.php.
>>>>
>>>> How can I limit redirect.php so that it can only be reached once you login
>>>> via the index page?
>>>>
>>>> Thank you!
>>>> Tim
>>>>
>>>> --
>>>> GPG me!!
>>>
>>> Try this:
>>>
>>> http://sperling.com/php/authorization/log-on.php
>>
>> I realize this is example code.
>>
>> My question is, in a real application where that $_SESSION['auth'] token
>> would be used subsequently to gain entry to other pages, what would you
>> use instead of the simple TRUE/FALSE value? It seems that someone (with
>> far more knowledge of hacking than I have) could rather easily hack the
>> session value to change its value. But then again, I pretty much suck
>> when it comes to working out how you'd hack (crack) things.
>>
>> Paul
>
> $_SESSION values are quite secure, as they are set on the server, only you can
> control what's inside them. What can be hacked is the authentication
> process or some script that sets session values. There is also a way of
> hijacking a session, but again: its values aren't changed by some PHP script,
> the session is being hijacked. Don't pass URLs with the session id within
> them and you'll be safe.

Looking back through the posts, I see I sent one without the link I
intended.

Session variables can be secure enough (there will never be perfect
security, just like there will never be completely safe sex), but you
*do* have to take precautions.

This is the link I meant to send before:

http://www.php.net/manual/en/session.security.php

Very important reading.





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] limit access to php page

2013-05-30 Thread Camilo Sperberg
On 30 May 2013, at 05:05, Paul M Foster pa...@quillandmouse.com wrote:

> On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote:
>
>> On May 29, 2013, at 7:11 PM, Tim Dunphy bluethu...@gmail.com wrote:
>>
>>> Hello list,
>>>
>>> I've created an authentication page (index.php) that logs into an LDAP
>>> server, then points you to a second page that some folks are intended to
>>> use to request apache redirects from the sysadmin group (redirect.php).
>>>
>>> Everything works great so far, except if you pop the full URL of
>>> redirect.php into your browser you can hit the page regardless of the login
>>> process on index.php.
>>>
>>> How can I limit redirect.php so that it can only be reached once you login
>>> via the index page?
>>>
>>> Thank you!
>>> Tim
>>>
>>> --
>>> GPG me!!
>>
>> Try this:
>>
>> http://sperling.com/php/authorization/log-on.php
>
> I realize this is example code.
>
> My question is, in a real application where that $_SESSION['auth'] token
> would be used subsequently to gain entry to other pages, what would you
> use instead of the simple TRUE/FALSE value? It seems that someone (with
> far more knowledge of hacking than I have) could rather easily hack the
> session value to change its value. But then again, I pretty much suck
> when it comes to working out how you'd hack (crack) things.
>
> Paul
>
> --
> Paul M. Foster
> http://noferblatz.com
> http://quillandmouse.com
 

$_SESSION values are quite secure, as they are set on the server, only you can
control what's inside them. What can be hacked is the authentication process
or some script that sets session values. There is also a way of hijacking a
session, but again: its values aren't changed by some PHP script, the session
is being hijacked. Don't pass URLs with the session id within them and you'll
be safe.

Greetings. 

Sent from my iPhone 6 Beta [Confidential use only]



Re: [PHP] limit access to php page

2013-05-30 Thread Tedd Sperling
On May 29, 2013, at 11:05 PM, Paul M Foster pa...@quillandmouse.com wrote:
> http://sperling.com/php/authorization/log-on.php
>
> I realize this is example code.
>
> My question is, in a real application where that $_SESSION['auth'] token
> would be used subsequently to gain entry to other pages, what would you
> use instead of the simple TRUE/FALSE value? It seems that someone (with
> far more knowledge of hacking than I have) could rather easily hack the
> session value to change its value. But then again, I pretty much suck
> when it comes to working out how you'd hack (crack) things.
>
> Paul

Paul:

While the above link may be example code, it is still sound for production.

Keep in mind that everything in security comes down to a true/false condition. 
Do you let the person in or not!

Certainly there are attacks on session ids and one must deal with that. But 
that's the level of security we have today.

I could go through all the things you need to consider in protecting your 
session id (e.g., not accessing your bank accounts while having coffee at 
Starbucks) but that would defeat the purpose of attending one of my classes on 
the subject. :-)

If you are very concerned about security, then jump to a https protocol for 
those transactions; change session ids frequently; monitor the user's local 
environmental changes; time the session, and do a bunch of other stuff that 
will make it more and more difficult for your user to use your service. But for 
*most things* using a session id will keep things relatively safe.

Cheers,

tedd

_
tedd.sperl...@gmail.com
http://sperling.com




Re: [PHP] limit access to php page

2013-05-30 Thread Paul M Foster
On Thu, May 30, 2013 at 12:06:02PM -0400, Tedd Sperling wrote:

> On May 29, 2013, at 11:05 PM, Paul M Foster pa...@quillandmouse.com
> wrote:
>> http://sperling.com/php/authorization/log-on.php
>>
>> I realize this is example code.
>>
>> My question is, in a real application where that $_SESSION['auth']
>> token would be used subsequently to gain entry to other pages, what
>> would you use instead of the simple TRUE/FALSE value? It seems that
>> someone (with far more knowledge of hacking than I have) could
>> rather easily hack the session value to change its value. But then
>> again, I pretty much suck when it comes to working out how you'd
>> hack (crack) things.
>>
>> Paul
>
> Paul:
>
> While the above link may be example code, it is still sound for
> production.
>
> Keep in mind that everything in security comes down to a true/false
> condition. Do you let the person in or not!
>
> Certainly there are attacks on session ids and one must deal with
> that. But that's the level of security we have today.
>
> I could go through all the things you need to consider in protecting
> your session id (e.g., not accessing your bank accounts while having
> coffee at Starbucks) but that would defeat the purpose of attending
> one of my classes on the subject. :-)

Yep, next time I'm up at the North Pole, I'll drop in and see you.
Meantime, the beach is heating up. Better go get some more ice for my
margaritas. [grin]

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com




[PHP] limit access to php page

2013-05-29 Thread Tim Dunphy
Hello list,

I've created an authentication page (index.php) that logs into an LDAP
server, then points you to a second page that some folks are intended to
use to request apache redirects from the sysadmin group (redirect.php).

Everything works great so far, except if you pop the full URL of
redirect.php into your browser you can hit the page regardless of the login
process on index.php.

How can I limit redirect.php so that it can only be reached once you login
via the index page?

Thank you!
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
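Added example, not code from this thread and not the code behind the sperling.com link posted in the replies: a guard file (hypothetically named auth.php) that redirect.php requires before producing any output, the login-side code that sets $_SESSION['auth'] only after an LDAP bind succeeds, and the precautions the replies raise, namely that the session ID travels only in a cookie and never in a URL (Camilo Sperberg's point), and that the cookie is HTTPS-aware, the ID is regenerated at login and periodically afterwards, and the session times out when idle (Tedd Sperling's list). The file name, the function names, the timeout constants, and the LDAP host and base DN are all assumptions; ldap_escape() needs PHP 5.6 or later.

```php
<?php
// auth.php (hypothetical name): required by every protected page, then
// require_login() is called before any output. Added example, not the thread's code.

const IDLE_TIMEOUT     = 900;   // drop the session after 15 minutes without a request
const REGENERATE_EVERY = 300;   // rotate the session ID every 5 minutes while logged in

function start_secure_session()
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The ID is accepted and sent only via cookie: no ?PHPSESSID=... in URLs and
    // no link rewriting, so a pasted, logged or shared URL never carries a session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // lifetime 0 = browser-session cookie; Secure whenever served over HTTPS;
    // HttpOnly keeps the cookie out of reach of page scripts.
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();
}

// First thing redirect.php (or any other protected page) does.
function require_login()
{
    start_secure_session();
    $now   = time();
    $valid = !empty($_SESSION['auth'])
        && isset($_SESSION['last_seen'], $_SESSION['id_issued'])
        && ($now - $_SESSION['last_seen']) <= IDLE_TIMEOUT;
    if (!$valid) {
        logout_and_redirect();              // does not return
    }
    $_SESSION['last_seen'] = $now;
    if (($now - $_SESSION['id_issued']) > REGENERATE_EVERY) {
        session_regenerate_id(true);        // fresh ID, old session file deleted
        $_SESSION['id_issued'] = $now;
    }
}

function logout_and_redirect()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);  // expire the cookie client-side too
    session_destroy();
    header('Location: /index.php');
    exit;
}

// Called by index.php only after ldap_authenticate() returned true.
function login_succeeded($username)
{
    start_secure_session();
    session_regenerate_id(true);            // the pre-login ID must not survive login
    $_SESSION['auth']      = true;          // the TRUE/FALSE value discussed in the thread
    $_SESSION['user']      = $username;
    $_SESSION['last_seen'] = time();
    $_SESSION['id_issued'] = time();
}

// Hypothetical LDAP step standing in for the index.php login; host and base DN
// are placeholders.
function ldap_authenticate($username, $password)
{
    // An empty password makes ldap_bind() perform an anonymous bind, which many
    // directories accept, so it has to be refused before the bind is attempted.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect('ldaps://ldap.example.invalid');    // placeholder host
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Escape the user-supplied name before it becomes part of a DN.
    $dn = 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN)
        . ',ou=people,dc=example,dc=invalid';                 // placeholder base DN
    $ok = @ldap_bind($conn, $dn, $password);                  // false on bad credentials
    ldap_unbind($conn);
    return $ok === true;
}

// ---- index.php (form handler), after requiring auth.php ----
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//     && ldap_authenticate((string) $_POST['username'], (string) $_POST['password'])) {
//     login_succeeded($_POST['username']);
//     header('Location: /redirect.php');
//     exit;
// }
//
// ---- redirect.php (first lines, before any HTML) ----
// require __DIR__ . '/auth.php';
// require_login();
```

With this in place, opening redirect.php directly without a session that carries auth = true sends the visitor back to index.php, and a session that has been idle longer than IDLE_TIMEOUT is destroyed rather than resumed. The regeneration in login_succeeded() is what stops an ID handed to the browser before login from remaining valid after it; the periodic regeneration in require_login() shortens the window in which a captured ID is useful.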


Re: [PHP] limit access to php page

2013-05-29 Thread tamouse mailing lists
On Wed, May 29, 2013 at 6:11 PM, Tim Dunphy bluethu...@gmail.com wrote:
> Hello list,
>
> I've created an authentication page (index.php) that logs into an LDAP
> server, then points you to a second page that some folks are intended to
> use to request apache redirects from the sysadmin group (redirect.php).
>
> Everything works great so far, except if you pop the full URL of
> redirect.php into your browser you can hit the page regardless of the login
> process on index.php.
>
> How can I limit redirect.php so that it can only be reached once you login
> via the index page?
>
> Thank you!
> Tim
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Read through this page, and the other parts of the Session manual.
Hopefully that will help.




Re: [PHP] limit access to php page

2013-05-29 Thread Tedd Sperling
On May 29, 2013, at 7:11 PM, Tim Dunphy bluethu...@gmail.com wrote:

> Hello list,
>
> I've created an authentication page (index.php) that logs into an LDAP
> server, then points you to a second page that some folks are intended to
> use to request apache redirects from the sysadmin group (redirect.php).
>
> Everything works great so far, except if you pop the full URL of
> redirect.php into your browser you can hit the page regardless of the login
> process on index.php.
>
> How can I limit redirect.php so that it can only be reached once you login
> via the index page?
>
> Thank you!
> Tim
>
> --
> GPG me!!

Try this:

http://sperling.com/php/authorization/log-on.php

Cheers,


tedd

_
tedd.sperl...@gmail.com
http://sperling.com




Re: [PHP] limit access to php page

2013-05-29 Thread Paul M Foster
On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote:

> On May 29, 2013, at 7:11 PM, Tim Dunphy bluethu...@gmail.com wrote:
>
>> Hello list,
>>
>> I've created an authentication page (index.php) that logs into an LDAP
>> server, then points you to a second page that some folks are intended to
>> use to request apache redirects from the sysadmin group (redirect.php).
>>
>> Everything works great so far, except if you pop the full URL of
>> redirect.php into your browser you can hit the page regardless of the login
>> process on index.php.
>>
>> How can I limit redirect.php so that it can only be reached once you login
>> via the index page?
>>
>> Thank you!
>> Tim
>>
>> --
>> GPG me!!
>
> Try this:
>
> http://sperling.com/php/authorization/log-on.php

I realize this is example code.

My question is, in a real application where that $_SESSION['auth'] token
would be used subsequently to gain entry to other pages, what would you
use instead of the simple TRUE/FALSE value? It seems that someone (with
far more knowledge of hacking than I have) could rather easily hack the
session value to change its value. But then again, I pretty much suck
when it comes to working out how you'd hack (crack) things.

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com
