sessions and email
on 12.11.2009 19:17:43 by Dan Shirah
All,
I am using sessions for my application to verify a user has logged in:
// Verify the user is logged in.
// (session_start() must already have run on this request, or $_SESSION is empty.)
if (!isset($_SESSION['basic_is_logged_in'])
    || $_SESSION['basic_is_logged_in'] !== true) {
    // If not logged in, redirect to the login page.
    header('Location: login.php');
    exit;
}
If anyone tries to go to any page in the application via the address bar,
they are correctly redirected to the login page.
However, if someone that is currently logged into the application using I.E.
goes to File -> Send -> Page by Email, the person they email the link to can
open it and use the application without logging in and the address bar uses
a local path like: C:\Documents and Settings\my_name\Local
Settings\Temporary Internet Files\OLK18\My Page (2).htm
How can I prevent the emailed pages from being able to access the
application if it is a local path or the user hasn't logged in?
Re: sessions and email
on 12.11.2009 19:21:46 by Ashley Sheridan
On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote:
> All,
>
> I am using sessions for my application to verify a user has logged in:
>
> // Verify the user is logged in.
> if (!isset($_SESSION['basic_is_logged_in'])
> || $_SESSION['basic_is_logged_in'] !== true) {
> // If not logged in, redirect to the login page.
> header('Location: login.php');
> exit;
> }
>
> If anyone tries to go to any page in the application via the address bar,
> they are correctly redirected to the login page.
>
> However, if someone that is currently logged into the application using I.E.
> goes to File -> Send -> Page by Email, the person they email the link to can
> open it and use the application without logging in and the address bar uses
> a local path like: C:\Documents and Settings\my_name\Local
> Settings\Temporary Internet Files\OLK18\My Page (2).htm
>
> How can I prevent the emailed pages from being able to access the
> application if it is a local path or the user hasn't logged in?
You can't really. When someone is emailing the page, it's the equivalent
of them saving the page to their local computer, and then sending that
as an attachment. As this is all client-side, it has no contact with
PHP. You could have some sort of Javascript to detect the domain the
page has, and then redirect if it's not your domain, but this fails when
someone turns Javascript off. Apart from that, I don't know of any other
way you could stop someone from emailing a page, aside from making the
site completely Ajax based and pulling in every scrap of content via
Ajax.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: sessions and email
on 12.11.2009 20:26:49 by Andrew Ballard
On Thu, Nov 12, 2009 at 1:21 PM, Ashley Sheridan wrote:
> On Thu, 2009-11-12 at 13:17 -0500, Dan Shirah wrote:
>
>> All,
>>
>> I am using sessions for my application to verify a user has logged in:
>>
>> // Verify the user is logged in.
>> if (!isset($_SESSION['basic_is_logged_in'])
>>     || $_SESSION['basic_is_logged_in'] !== true) {
>>     // If not logged in, redirect to the login page.
>>     header('Location: login.php');
>>     exit;
>> }
>>
>> If anyone tries to go to any page in the application via the address bar,
>> they are correctly redirected to the login page.
>>
>> However, if someone that is currently logged into the application using I.E.
>> goes to File -> Send -> Page by Email, the person they email the link to can
>> open it and use the application without logging in and the address bar uses
>> a local path like: C:\Documents and Settings\my_name\Local
>> Settings\Temporary Internet Files\OLK18\My Page (2).htm
>>
>> How can I prevent the emailed pages from being able to access the
>> application if it is a local path or the user hasn't logged in?
>
>
> You can't really. When someone is emailing the page, it's the equivalent
> of them saving the page to their local computer, and then sending that
> as an attachment. As this is all client-side, it has no contact with
> PHP. You could have some sort of Javascript to detect the domain the
> page has, and then redirect if it's not your domain, but this fails when
> someone turns Javascript off. Apart from that, I don't know of any other
> way you could stop someone from emailing a page, aside from making the
> site completely Ajax based and pulling in every scrap of content via
> Ajax.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
And even then, it has become part of the DOM and will be saved with
the rest of the page. The presence of Javascript in the page *might*
remove it/hide it/obscure it/etc., but it will still be there in the
saved document.
Andrew
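Both replies above make the same point: the saved copy lives on the recipient's disk, so neither PHP nor a script in the page can reliably stop it from being saved or opened. What the server can still control is whether that copy carries anything that lets its recipient act as the logged-in user. The following is an added example written for this thread, not code posted by Dan, Ash or Andrew. It assumes one possible cause that the thread itself never establishes: PHP's session.use_trans_sid, which rewrites the session ID into every link and form action on the page so that a saved copy contains a live session ID; the ini settings below disable that. The file name auth.php, the page login.php and the user ID passed to login_user() are hypothetical.

```php
<?php
// auth.php (hypothetical name). Added example, not code from the thread.
// Server-side hardening around the login check Dan posted. It cannot stop a
// browser from saving or emailing a page; it makes sure the saved copy holds
// nothing that authenticates whoever receives it.
//
// Assumption (not stated in the thread): if session.use_trans_sid is on, PHP
// writes PHPSESSID=... into every link and form on the page, so a saved copy
// contains a live session ID. The three settings below rule that out.

// 1. The session ID travels only in a cookie, never in URLs or rewritten links.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// 2. Reject session IDs the server did not issue (PHP 5.5.2+, ignored earlier).
ini_set('session.use_strict_mode', '1');
// 3. Cookie is HttpOnly and, when the app is served over HTTPS, Secure.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $https, true);
session_start();

define('IDLE_TIMEOUT', 30 * 60); // seconds of inactivity before re-login

// Call once the password has been verified. A fresh session ID means any ID
// that existed before login (and may have been saved somewhere) is dead.
function login_user($user_id) {
    session_regenerate_id(true);
    $_SESSION['basic_is_logged_in'] = true;
    $_SESSION['user_id']   = $user_id;
    $_SESSION['last_seen'] = time();
}

// Drop-in replacement for the check at the top of every protected page.
function require_login() {
    $ok = isset($_SESSION['basic_is_logged_in'])
       && $_SESSION['basic_is_logged_in'] === true
       && isset($_SESSION['last_seen'])
       && (time() - $_SESSION['last_seen']) < IDLE_TIMEOUT;
    if (!$ok) {
        logout_user();
        header('Location: login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
    // Keep authenticated pages out of shared and local caches. This does not
    // prevent an explicit "save" or "send page"; it only stops copies being
    // kept on disk without the user asking for them.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
}

// Clear the session server-side and expire the cookie client-side.
function logout_user() {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page:
//   require 'auth.php';
//   require_login();
//   ... page content ...
```

The test for whether this addresses Dan's symptom is simple: view the source of a protected page while logged in and grep for PHPSESSID (or whatever session.name is). If it appears in any href or action, a saved copy of that page is a credential; with use_only_cookies on it should not appear anywhere in the markup, and a recipient opening the saved file gets only the static HTML, with every link back to the application landing on login.php.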
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php