Re: [PHP] restrict access to multiple pages

2003-12-09 Thread olinux
I like your second solution better. (seems simpler to
me to leave out the nested else...). I'd just write it
this way:

<?php
if(!loggedin())
{
   // redirect to login page and stop; without the exit the rest of
   // the page would still be executed and sent along with the redirect
   header("Location: http://domain.com/login.php");
   exit;
}
?>

Also check out some of these articles for some
different options/ideas:
http://www.google.com/search?q=php+user+authentication

olinux


--- Chris W. Parker [EMAIL PROTECTED] wrote:
 Hey y'all.
 
 Ok so I am working on the admin section of the
 e-commerce app I'm writing
 and I'm hoping there's a better way to do what I am
 currently doing.
 
 In an effort to prevent circumvention of the login
 page I've placed a
 check at the beginning of each page that basically
 does the following:
 
 <?php
 
 if(loggedin())
 {
     // entire page of code goes here
 }
 else
 {
     // redirect back to login page
 }
 
 ?>
 
 By doing this people will not be able to just enter
 manually any URL
 they want and have the page load.
 
 As far as better ways go I was thinking that maybe I
 could employ
 .htaccess somehow? But then I think that might
 require having user
 accounts registered with the server instead of just
 using a db and I
 don't want to do that.
 
 I was thinking that maybe I could change it to this:
 
 <?php
 
 // define function stored in class file
 // (basic auth function, not at all what i'm using.
 // just an example.)
 function IsLoggedIn($input)
 {
     if(isset($input) && !empty($input))
     {
         return 1;
     }
     else
     {
         // redirect to login page and stop
         header("Location: login.php");
         exit;
     }
 }
 
 IsLoggedIn($input);
 
 // entire page of code goes here
 
 
 ?>
 
 Anyone want to share their experiences and ideas?
 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] restrict access to multiple pages

2003-12-09 Thread Chris W. Parker
Chris Shiflett mailto:[EMAIL PROTECTED]
on Monday, December 08, 2003 5:17 PM said:

 The only risk is forgetting to add this check, since I
 assume you mean that you have to copy/paste this into every script.
 You might want to consider whether you can design your application in
 such a way that you can have a more centralized way to enforce
 authorization.

This is what I tried to do with my second example. I thought it to be an
improvement because it was merely one function call and not a if..else
construct. Any comments on that?


 The one thing I would definitely consider doing differently is the
 redirect. You could, instead, just include the logic necessary for the
 login page, so that you avoid the superfluous transaction.

Is this comment from a security standpoint or an efficiency issue?


 As far as better ways go I was thinking that maybe I could employ
 .htaccess somehow?
 
 Yes, and you can use a database like you're wanting. There is existing
 code to help you do this. However, this implements HTTP
 authentication, which has the little popup window. This is fine, but
 some people might perceive this as being unprofessional, so you might
 want to keep your audience in mind.

Ewww.. no I don't want to do that.


And to olinux, yes I will check google! :)



Chris.
--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/




Re: [PHP] restrict access to multiple pages

2003-12-09 Thread Kelly Hallman
On Mon, 8 Dec 2003, Chris W. Parker wrote:
 Ok so I am working on the admin section of the e-commerce app I'm writing
 and I'm hoping there's a better way to do what I am currently doing.
 In an effort to prevent circumvention of the login page I've placed a
 check at the beginning of each page that basically does the following:
...

In the case that this is part of a larger application, as it seems to be, 
you probably should have an include that you are doing on each hit that 
handles the user identity/authentication.. Not just for your admin users, 
but a general container for all the user-related functions.

Within that include, let's call it loguser.php, you could
write functions such as require_admin() or require_login() .. then, call
those functions on the pages that require the user to be an admin or be
logged in. The functions would determine if the logged-in user had
adequate permission, and redirect them if not. That way, you can control
this behavior from a central location--you don't want to have to go
through each page of your app and change a URL.

-- 
Kelly Hallman
// Ultrafancy

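What such an include could look like, as an added example (not Kelly's code, and not from this thread). The file name loguser.php is Kelly's; the session keys 'uid' and 'is_admin', the path /login.php and the function bodies are assumptions, and it needs PHP 7.1 or later. Note the exit after header(): olinux's and Justin's snippets in this thread do the same, because header() only queues a response header and, without the exit, PHP keeps running and the protected page body goes out to the client together with the redirect.

```php
<?php
// loguser.php: added example of a centralised login/admin check.
// Assumed: session keys 'uid' (positive integer) and 'is_admin' (truthy),
// login page at /login.php. Adapt these to your own login script.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// True only when the session holds a positive integer user id.
function logged_in(): bool
{
    if (!isset($_SESSION['uid'])) {
        return false;
    }
    $uid = filter_var(
        $_SESSION['uid'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $uid !== false;
}

// The admin flag only means something for a logged-in user.
function is_admin(): bool
{
    return logged_in() && !empty($_SESSION['is_admin']);
}

// Send the visitor to the login page and stop the script. The exit is
// essential: header() merely queues a Location header, so without it the
// rest of the page would still execute and be sent to the client.
function send_to_login(): void
{
    header('Location: /login.php');
    exit;
}

function require_login(): void
{
    if (!logged_in()) {
        send_to_login();
    }
}

function require_admin(): void
{
    require_login();
    if (!is_admin()) {
        // Authenticated but not authorised: answer 403 instead of bouncing
        // an already logged-in user back to the login form.
        http_response_code(403);
        echo 'Access denied.';
        exit;
    }
}
```

Each protected script then starts with `require_once __DIR__ . '/loguser.php'; require_admin();` (or `require_login()`), so the URL of the login page and the shape of the session live in one file. If you prefer Chris Shiflett's suggestion of avoiding the extra round trip, send_to_login() can `include` the login page and exit instead of issuing the redirect; the callers do not change.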



RE: [PHP] restrict access to multiple pages

2003-12-09 Thread Pablo Gosse
Kelly Hallman wrote:
 On Mon, 8 Dec 2003, Chris W. Parker wrote:
 Ok so I am working on the admin section of the e-commerce app I'm
 writing and I'm hoping there's a better way to do what I am currently
 doing. In an effort to prevent circumvention of the login page I've
 placed a check at the beginning of each page that basically does the
 following:
 ...
 
 In the case that this is part of a larger application, as it seems to
 be, you probably should have an include that you are doing on each hit
 that handles the user identity/authentication.. Not just for your admin
 users, but a general container for all the user-related functions.
 
 Within that include, let's call it loguser.php, you could write
 functions such as require_admin() or require_login() .. then, call
 those functions on the pages that require the user to be an admin or be
 logged in. The functions would determine if the logged-in user had
 adequate permission, and redirect them if not. That way, you can
 control this behavior from a central location--you don't want to have
 to go through each page of your app and change a URL.
 
 --
 Kelly Hallman
 // Ultrafancy

What I've done for the CMS I've been working on for a while is I have a
base class which is the core of the application, and all modules in the
CMS extend from this base class.  Part of this base class is a
check_login() method, and I simply call this in the constructor of each
module to verify login and access privileges.

This method first verifies a basic login, and assuming the login passes
it then checks the user's credentials against a list of credentials
which are necessary to access the different functionalities in each
module, and away we go.

If the login test fails, the session is destroyed and the user is sent
back to the login page.  Otherwise if they are attempting to access
functionality to which they don't have access they get notified of this,
else they proceed as normal.

Cheers,
Pablo

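The base-class approach Pablo describes, as an added example (not his CMS code). The class and permission names, the session keys 'uid' and 'perms', and the path /login.php are assumptions; it needs PHP 7.4 or later. The two steps are the ones in his post: a failed login check destroys the session and redirects, and a logged-in user who lacks a credential the module requires is told so instead of proceeding.

```php
<?php
// Added example: every module extends Module, whose constructor runs
// check_login() before any module code. Assumed session layout:
// $_SESSION['uid'] = user id, $_SESSION['perms'] = list of credential names.

abstract class Module
{
    // Credentials a user must hold to use this module; subclasses override.
    protected array $required = [];

    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $this->check_login();
    }

    protected function check_login(): void
    {
        // Step 1: basic login. On failure the whole session is discarded
        // before the redirect, so nothing stale survives for a later request.
        if (empty($_SESSION['uid'])) {
            $_SESSION = [];
            session_destroy();
            header('Location: /login.php');
            exit;
        }

        // Step 2: compare the credentials the user holds with the list the
        // module needs. Any missing one denies access to this module.
        $held = (array) ($_SESSION['perms'] ?? []);
        $missing = array_diff($this->required, $held);
        if ($missing !== []) {
            http_response_code(403);
            echo 'You do not have access to this function.';
            exit;
        }
    }
}

// One module of the CMS. Nothing in run() executes unless the user is
// logged in and holds both credentials listed in $required.
class OrderAdmin extends Module
{
    protected array $required = ['orders.view', 'orders.edit'];

    public function run(): void
    {
        echo 'Order administration';
    }
}

(new OrderAdmin())->run();
```

A subclass that declares its own constructor must call parent::__construct(), otherwise the check is silently skipped; that is the one way this design can lose the guarantee that every module is checked.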



[PHP] restrict access to multiple pages

2003-12-08 Thread Chris W. Parker
Hey y'all.

Ok so I am working on the admin section of the e-commerce app I'm writing
and I'm hoping there's a better way to do what I am currently doing.

In an effort to prevent circumvention of the login page I've placed a
check at the beginning of each page that basically does the following:

<?php

if(loggedin())
{
    // entire page of code goes here
}
else
{
    // redirect back to login page
}

?>

By doing this people will not be able to just enter manually any URL
they want and have the page load.

As far as better ways go I was thinking that maybe I could employ
.htaccess somehow? But then I think that might require having user
accounts registered with the server instead of just using a db and I
don't want to do that.

I was thinking that maybe I could change it to this:

<?php

// define function stored in class file
// (basic auth function, not at all what i'm using.
// just an example.)
function IsLoggedIn($input)
{
    if(isset($input) && !empty($input))
    {
        return 1;
    }
    else
    {
        // redirect to login page and stop
        header("Location: login.php");
        exit;
    }
}

IsLoggedIn($input);

// entire page of code goes here


?>

Anyone want to share their experiences and ideas?


Thanks,
Chris.



Re: [PHP] restrict access to multiple pages

2003-12-08 Thread Chris Shiflett
--- Chris W. Parker [EMAIL PROTECTED] wrote:
 In an effort to prevent circumvention of the login page I've placed
 a check at the beginning of each page that basically does the
 following:
 
 <?php
 if(loggedin())
 {
     // entire page of code goes here
 }
 else
 {
     // redirect back to login page
 }
 ?>

This is fine, assuming loggedin() does what you intend and can't be
subverted. The only risk is forgetting to add this check, since I assume
you mean that you have to copy/paste this into every script. You might
want to consider whether you can design your application in such a way
that you can have a more centralized way to enforce authorization.

The one thing I would definitely consider doing differently is the
redirect. You could, instead, just include the logic necessary for the
login page, so that you avoid the superfluous transaction.

 As far as better ways go I was thinking that maybe I could employ
 .htaccess somehow?

Yes, and you can use a database like you're wanting. There is existing
code to help you do this. However, this implements HTTP authentication,
which has the little popup window. This is fine, but some people might
perceive this as being unprofessional, so you might want to keep your
audience in mind.

Hope that helps.

Chris

=
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
 Coming mid-2004
HTTP Developer's Handbook
 http://httphandbook.org/




Re: [PHP] restrict access to multiple pages

2003-12-08 Thread Justin French
On Tuesday, December 9, 2003, at 12:08  PM, Chris W. Parker wrote:

 Hey y'all.
 
 Ok so I am working on the admin section of the e-commerce app I'm writing
 and I'm hoping there's a better way to do what I am currently doing.
 
 In an effort to prevent circumvention of the login page I've placed a
 check at the beginning of each page that basically does the following:
 <?php
 
 if(loggedin())
 {
     // entire page of code goes here
 }
 else
 {
     // redirect back to login page
 }
 ?>
That's essentially what I do too... except I've got all this stored in 
a restricted.inc file which I just include() where needed.

I think you can minimise your code though, by checking (in my case) for 
an invalid uid or a uid without admin clearance
(redirect and exit), otherwise just show the page:
---
<?php
// assumes session_start() has already been called before this include
if(empty($_SESSION['uid']) || empty($_SESSION['admin']))
	{
	header("Location: login.php");
	exit;
	}
?>
the rest of your page here
---

Cheers,

Justin
