Security issue
on 12.06.2007 17:17:42 by tino
Hello all,
My website is built in HTML and PHP.
On it, there is a menu which visitors can use to go to the pages.
Some pages are secured by PHP code to make sure that only people who are
logged in can access them.
But.....
If a visitor types the address (URL) to a certain secured page directly in
the address bar of the browser, he/she can still access this page even though
he/she is not logged in at all.
Question:
Is there a way to avoid this problem and give a visitor, who accesses a page
without using the menu, a kind of warning and redirect to the homepage.
Thanks in advance.
Regards,
Tino Wintershoven
Re: Security issue
on 12.06.2007 17:41:52 by a.nony.mous
T. Wintershoven wrote:
> Hello all,
>
> My website is built in HTML and PHP. On it, there is a menu which
> visitors can use to go to the pages. Some pages are secured by PHP
> code to make sure that only people who are logged in can access them.
> But..... If a visitor types the address (URL) to a certain secured
> page directly in the address bar of the browser, he/she can still
> access this page even though he/she is not logged in at all.
>
> Question:
> Is there a way to avoid this problem and give a visitor, who accesses a page
> without using the menu, a kind of warning and redirect to the homepage.
Yes, you have to use a global or session variable at the start of each
of the pages. If it is false, redirect to the main page. Set it to true
on the login page.
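session_start(); // load the session before any output is sent
// A missing key means the visitor never logged in
$lauthorized = isset($_SESSION['gblauthorized']) ? $_SESSION['gblauthorized'] : false;
if ($lauthorized != true) {
    header("Location: index.php");
    exit; // stop here so the rest of the protected page is never sent
}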
You could also use "Y" or other key letter or phrase instead of true.
--
-bts
-Motorcycles defy gravity; cars just suck
Re: Security issue
on 12.06.2007 17:42:05 by UKuser
On 12 Jun, 16:17, "T. Wintershoven" wrote:
> Hello all,
>
> My website is built in HTML and PHP.
> On it, there is a menu which visitors can use to go to the pages.
> Some pages are secured by PHP code to make sure that only people who are
> logged in can access them.
> But.....
> If a visitor types the address (URL) to a certain secured page directly in
> the address bar of the browser, he/she can still access this page even though
> he/she is not logged in at all.
>
> Question:
> Is there a way to avoid this problem and give a visitor, who accesses a page
> without using the menu, a kind of warning and redirect to the homepage.
>
> Thanks in advance.
>
> Regards,
>
> Tino Wintershoven
Hi Tino,
I put a code in the top of each page to check for the presence of a
cookie I create when they log in.
If it's not there I redirect them to the login page or give them an
error.
Hope that helps
A
Re: Security issue
on 12.06.2007 18:05:08 by UKuser
On 12 Jun, 16:42, UKuser wrote:
> On 12 Jun, 16:17, "T. Wintershoven" wrote:
>
>
>
> > Hello all,
>
> > My website is built in HTML and PHP.
> > On it, there is a menu which visitors can use to go to the pages.
> > Some pages are secured by PHP code to make sure that only people who are
> > logged in can access them.
> > But.....
> > If a visitor types the address (URL) to a certain secured page directly in
> > the address bar of the browser, he/she can still access this page even though
> > he/she is not logged in at all.
>
> > Question:
> > Is there a way to avoid this problem and give a visitor, who accesses a page
> > without using the menu, a kind of warning and redirect to the homepage.
>
> > Thanks in advance.
>
> > Regards,
>
> > Tino Wintershoven
>
> Hi Tino,
>
> I put a code in the top of each page to check for the presence of a
> cookie I create when they log in.
>
> If it's not there I redirect them to the login page or give them an
> error.
>
> Hope that helps
>
> A
Be aware as well - sessions are fine if you're on a dedicated server
but on a shared server - sessions can be accessed by other scripts on
the same server unless the tmp folder is protected.
Re: Security issue
on 12.06.2007 18:16:39 by a.nony.mous
UKuser wrote:
> Be aware as well - sessions are fine if you're on a dedicated server
> but on a shared server - sessions can be accessed by other scripts on
> the same server unless the tmp folder is protected.
I've never had a problem on a shared server.
--
-bts
-Motorcycles defy gravity; cars just suck
Re: Security issue
on 12.06.2007 19:28:39 by lws4art
UKuser wrote:
> On 12 Jun, 16:42, UKuser wrote:
>> On 12 Jun, 16:17, "T. Wintershoven" wrote:
> Be aware as well - sessions are fine if you're on a dedicated server
> but on a shared server - sessions can be accessed by other scripts on
> the same server unless the tmp folder is protected.
>
If concerned you can set the session folder to another...
session_save_path($_SERVER['DOCUMENT_ROOT'] ."/mytemp"); // must be called before session_start()
Just have to make sure the permissions on the folder are set...
--
Take care,
Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com
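
The two suggestions in this thread (a session flag checked at the top of every protected page, and a session folder of your own with restricted permissions) combined into one include file, as an added example that is not code from any poster. The file name session_auth.php, the function names and the private_sessions directory are assumptions; the session key gblauthorized is the one used in the reply above.

```php
<?php
// session_auth.php (hypothetical name)
// Protected page: require 'session_auth.php'; start_private_session(); require_login();
// Login script:   require 'session_auth.php'; start_private_session();
//                 ...verify the credentials..., then mark_logged_in();

// Assumption: a directory one level above the web root, so session files are
// neither in the shared temp folder nor reachable through a URL.
define('SESSION_DIR', dirname($_SERVER['DOCUMENT_ROOT']) . '/private_sessions');

function prepare_session_dir($dir)
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        return false;
    }
    clearstatcache();
    // Accept the directory only if group and other have no access at all;
    // otherwise try to tighten it to owner-only.
    return (fileperms($dir) & 0077) === 0 || chmod($dir, 0700);
}

function start_private_session($dir = SESSION_DIR)
{
    if (!prepare_session_dir($dir)) {
        http_response_code(500);
        exit('Session storage is not available.');
    }
    session_save_path($dir);                  // has to happen before session_start()
    ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
    ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
    session_start();
}

function require_login($redirectTo = 'index.php')
{
    // Strict comparison: only the boolean true stored at login passes.
    if (!isset($_SESSION['gblauthorized']) || $_SESSION['gblauthorized'] !== true) {
        header('Location: ' . $redirectTo);
        exit; // without exit the protected page is still sent after the header
    }
}

function mark_logged_in()
{
    session_regenerate_id(true); // issue a fresh id so a pre-login id is worthless
    $_SESSION['gblauthorized'] = true;
}
```

The check runs on the server for every request, so it makes no difference whether the visitor arrived through the menu or typed the URL. If every site on the host runs PHP as the same system user, directory permissions alone do not separate their session files.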