<?php
session_start();
if ($_SESSION['authorized']!="yes")
{
header("Location: newsLogin.php");
$message = "You are not logged in or you used a wrong username or password. Please try again.";
exit();
}
$_SESSION['authorized'] will be changed to 'yes' after checking the password with the one in the database (using the sha1 encryption). If this is not safe, can someone suggest another way? Also, when I go to addNews.php for example and I haven't logged in yet, the script redirects me to newsLogin.php. When I log in, the script sends me to the main page (header("Location: newsPanel.php");). Is it possible to redirect the user to the page he wanted to access with headers? If so, how can I do this? My last question: I want normal users to be able to post only plain text, and to allow the administrator to use every code he wants. Is the code below sufficient to stop normal users from posting javascript and html etc?
$subject = htmlspecialchars(trim(strip_tags($_POST['subject'])));
Thanks in advance,
Stefan
tell me if this login script is safe enough
Seems fairly straightforward and common. If user is not authorized, send them off to get authorized. Quite common. As long as you are the only person (via your scripting program) that can change the $_SESSION variable, it looks fine. Make sure register_globals is Off and you have your SESSIONS writing to a directory that is *secured* -- meaning if you are on a shared host, don't use /tmp or any other directory that others have access to.
Is it possible to redirect the user to the page he wanted to access with headers?
Yes. You could create a $_SESSION variable to hold the requested URI before you send them off to the login page and then upon a successful login use that variable in your header("Location: " . $_SESSION['theRequestedURI']); function. Note, the $message variable you are assigning here is doing nothing by the way, it never gets used as you are redirecting your user before anything could ever be done with it.
sufficient to stop normal users from posting javascript and html etc?
Looks pretty good to me, if that's what you want. I mean, if I truly wanted the original characters I wouldn't use htmlspecialchars(). And that is where what really matters is how you treat it afterwards. That's where the danger lies. If you are reading it and pushing it back out to a browser make certain you are using htmlspecialchars or htmlentities.
;)
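The three points in this answer (the session guard, remembering the requested URI so the login step can send the user back there, and escaping on output) put together as an added example. This is editor-written code, not Stefan's script or coopster's; the function names, the error=1 query parameter and the same-site check on the stored URI are assumptions, the $_SESSION keys are the ones used in the thread.

```php
<?php
// Added example, not code from the thread: a page guard that remembers the
// requested URI, a login step that sends the user back there, and escaping of
// stored news on output. Names assumed: auth_guard(), login_user(),
// safe_return_uri(), render_news(); the $_SESSION keys come from the thread.

declare(strict_types=1);

// Accept only a same-site path from the stored value: one leading "/" and no
// "//" (protocol-relative URL). Anything else falls back to the panel page.
function safe_return_uri(?string $uri, string $default = 'newsPanel.php'): string
{
    if ($uri === null || $uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        return $default;
    }
    if (strpbrk($uri, "\r\n") !== false) { // never pass line breaks into header()
        return $default;
    }
    return $uri;
}

// Top of every protected page (addNews.php, newsPanel.php, ...).
function auth_guard(): void
{
    session_start();
    if (($_SESSION['authorized'] ?? '') !== 'yes') {
        // Remember where the user was going before sending them to log in.
        $_SESSION['theRequestedURI'] = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: newsLogin.php');
        exit(); // nothing after this runs, so assigning $message here would be wasted
    }
}

// Called from newsLogin.php after the submitted password has been checked
// against the stored hash; $passwordOk is that result (the check itself is
// assumed to happen elsewhere).
function login_user(bool $passwordOk): void
{
    session_start();
    if (!$passwordOk) {
        $_SESSION['authorized'] = 'no';
        header('Location: newsLogin.php?error=1'); // one generic message, as Stefan settled on
        exit();
    }
    session_regenerate_id(true); // fresh session id once the privilege level changes
    $_SESSION['authorized'] = 'yes';
    $target = safe_return_uri($_SESSION['theRequestedURI'] ?? null);
    unset($_SESSION['theRequestedURI']);
    header('Location: ' . $target);
    exit();
}

// Displaying stored news: escape on output, whatever was done on input. Quotes
// and line breaks survive (as &quot;/&#039; and <br />), raw HTML does not.
// Posts by the administrator are returned unescaped, which is the thread's
// stated design for that one trusted author.
function render_news(string $text, bool $postedByAdmin): string
{
    if ($postedByAdmin) {
        return $text;
    }
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}
```

The guard stores $_SERVER['REQUEST_URI'] rather than a full URL, and login_user() only ever redirects to a path that begins with a single "/", so a value planted in the session can never send the user off-site; the saved URI is also cleared once it has been used.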
Make sure register_globals is Off and you have your SESSIONS writing to a directory that is *secured* -- meaning if you are on a shared host, don't use /tmp or any other directory that others have access to.
Register_globals is off. I read on a site that it is indeed better to use a secured directory. However, I don't know exactly how to do this on a shared host (I currently use the tmp dir). Can you tell me how this can be done in the script itself?
Yes. You could create a $_SESSION variable to hold the requested URI before you send them off to the login page and then upon a successful login use that variable in your header("Location: " . $_SESSION['theRequestedURI']); function. Note, the $message variable you are assigning here is doing nothing by the way, it never gets used as you are redirecting your user before anything could ever be done with it.
Thanks! It's working now. I forgot to remove the $message variable. I wanted the script to send a given error to the browser depending on the error, but I changed the login script so it displays a general message when an error occurs.
Looks pretty good to me, if that's what you want. I mean, if I truly wanted the original characters I wouldn't use htmlspecialchars(). And that is where what really matters is how you treat it afterwards. That's where the danger lies. If you are reading it and pushing it back out to a browser make certain you are using htmlspecialchars or htmlentities.
This part is for a sort of news script for the 'staff' of a website, but since you can never trust other users' input I only wanted to allow ', " and <BR>. The news is then put into the database and will be displayed on the news page.
Register_globals is off. I read on a site that it is indeed better to use a secured directory. However, I don't know exactly how to do this on a shared host (I currently use the tmp dir). Can you tell me how this can be done in the script itself?
Change the session save path [php.net]. Put it inside your own directory structure, below the public document root. Don't forget to change the permissions so your scripts will be able to use the directory as needed.
This thread is a good read regarding sessions, management and garbage collection.
[webmasterworld.com...]
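Changing the save path from within the script, as an added example (editor-written, not from the thread or the linked php.net page). The directory name php_sessions and its placement one level above DOCUMENT_ROOT are assumptions; adjust both to the account's real layout.

```php
<?php
// Added example, not from the thread: keep session files in a private
// directory outside the web-accessible tree instead of the shared /tmp.
// Assumed: the account's home is the parent of DOCUMENT_ROOT and the
// directory name 'php_sessions' is our own choice.

declare(strict_types=1);

function private_session_dir(string $docRoot): string
{
    // e.g. /home/stefan/public_html -> /home/stefan/php_sessions
    return dirname(rtrim($docRoot, '/')) . '/php_sessions';
}

function start_private_session(string $docRoot): string
{
    $dir = private_session_dir($docRoot);

    // 0700: only the web server user may list or read the session files.
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("$dir is not writable by the web server user");
    }
    // Refuse to run if the directory somehow ended up inside the document root.
    $realDir  = realpath($dir);
    $realRoot = rtrim(realpath($docRoot), '/') . '/';
    if ($realDir === false || strpos($realDir . '/', $realRoot) === 0) {
        throw new RuntimeException("session directory must not be web-accessible");
    }

    // Garbage collection still runs against our own directory.
    ini_set('session.gc_maxlifetime', '1440');
    session_save_path($dir);
    // HttpOnly cookie; set the secure flag (4th argument) to true on HTTPS.
    session_set_cookie_params(0, '/', '', false, true);
    session_start();
    return $dir;
}

// Usage, before any output is sent:
// start_private_session($_SERVER['DOCUMENT_ROOT']);
```

Call start_private_session() in place of the plain session_start() on every page; the permission and location checks throw on a misconfigured host rather than silently falling back to the default /tmp path.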
Thanks again for the help,
Stefan