
Thread: access logger

  1. #1
    Regular Coder
    Join Date
    Nov 2002
    Posts
    180
    Thanks
    0
    Thanked 0 Times in 0 Posts

    access logger

    How can I make many pages that nobody can access except the authorized persons?
    Or how do I make an access logger?

  • #2
    New Coder
    Join Date
    Apr 2004
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts
    These are two TOTALLY separate things!

    For restricting access, use a login form and php sessions, at the top of each restricted page check their session - logged in cool, not logged in bugger off.
    Check sessions in php manual!

    For logging, just run an insert query every page and dump some info in a table.

    zigo

  • #3
    Regular Coder
    Join Date
    Nov 2002
    Posts
    180
    Thanks
    0
    Thanked 0 Times in 0 Posts
    When I want to use session variables, what should I register in these variables? The username and password, or only the username, or none of them?

  • #4
    New Coder
    Join Date
    Apr 2004
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts
    After the login form

    1. Check the username and password against those in the DB

    2. If match,

    PHP Code:
    $_SESSION['valid_user'] = $_POST['username'];

    3. Then check every page:

    PHP Code:
    if (!isset($_SESSION['valid_user']))
        header("Location: buggeroff.php");

    Then output the rest of the page.

    You may want to give them a message if their username/password didn't match DB.

    zigo

  • #5
    me'
    Senior Coder
    Join Date
    Nov 2002
    Location
    Warwickshire, England
    Posts
    1,229
    Thanks
    0
    Thanked 0 Times in 0 Posts
    A more secure way than relying on HTTP header relocation would be to die();.
    PHP Code:
    if (!isset($_SESSION['valid_user']))
        die('Please login to view this page');
    David House - Perfect is achieved, not when there is nothing left to add, but when there is nothing left to take away. (Antoine de St. Exupery).

  • #6
    New Coder
    Join Date
    Apr 2004
    Posts
    14
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Yeah! Good call, me'!

    If you're going to redirect them, put exit() straight after the header() call!

    PHP Code:
    if (!isset($_SESSION['valid_user']))
    {
        header("Location: buggeroff.php");
        exit();
    }
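
Added example, not part of the thread or any poster's code: the per-page session check from posts #4 to #6 combined with the per-request logging insert suggested in post #2. The function names `check_access()` and `require_login()`, the `access_log` table, the in-memory SQLite database and the two sample requests are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Function names, the access_log
// table and the sample requests are assumptions made for illustration.

// Record the request and return the logged-in username, or null if anonymous.
function check_access(PDO $db, array $session, array $server): ?string
{
    $user = $session['valid_user'] ?? null;
    $user = is_string($user) ? $user : null;
    $stmt = $db->prepare(
        'INSERT INTO access_log (ts, username, ip, uri, allowed) VALUES (?, ?, ?, ?, ?)'
    );
    // Bound parameters keep request data out of the SQL text.
    $stmt->execute([
        gmdate('c'),
        $user,
        $server['REMOTE_ADDR'] ?? null,
        $server['REQUEST_URI'] ?? null,
        $user === null ? 0 : 1,
    ]);
    return $user;
}

// Call at the top of every restricted page, before any output.
function require_login(PDO $db): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $user = check_access($db, $_SESSION, $_SERVER);
    if ($user === null) {
        header('Location: buggeroff.php');
        exit; // header() alone does not stop the script; the page body would still be sent
    }
    return $user;
}

// Constructed demo: in-memory SQLite and two simulated requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE access_log (ts TEXT, username TEXT, ip TEXT, uri TEXT, allowed INTEGER)');
$request = ['REMOTE_ADDR' => '192.0.2.10', 'REQUEST_URI' => '/secret.php'];
check_access($db, [], $request);                        // anonymous visitor
check_access($db, ['valid_user' => 'alice'], $request); // logged-in user
print_r($db->query('SELECT username, uri, allowed FROM access_log')->fetchAll(PDO::FETCH_ASSOC));
```

Logging before the redirect means denied requests end up in the table too, which is usually the part of an access log worth reviewing.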


  • #7
    Regular Coder
    Join Date
    Jul 2003
    Location
    New Zealand
    Posts
    435
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I don't use header() any more, I couldn't be bothered with "headers already sent on line...." so I just use:

    echo '<script>location.replace("page.php");</script>';

    works fine for me

  • #8
    me'
    Senior Coder
    Join Date
    Nov 2002
    Location
    Warwickshire, England
    Posts
    1,229
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Scrowler
    I don't use header() any more, I couldn't be bothered with "headers already sent on line...." so I just use:

    echo '<script>location.replace("page.php");</script>';

    works fine for me
    Even less secure, what if someone has JavaScript disabled? Plus you need a type attribute on that script,
    Code:
    <script type="text/javascript">...</script>
    David House - Perfect is achieved, not when there is nothing left to add, but when there is nothing left to take away. (Antoine de St. Exupery).

  • #9
    raf
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Scrowler
    I don't use header() any more, I couldn't be bothered with "headers already sent on line...."
    Really.

    Maybe something is wrong with your coding logic, if you want to redirect the client to another page after output was sent to that same client.
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html

  • #10
    Regular Coder
    Join Date
    Nov 2002
    Posts
    180
    Thanks
    0
    Thanked 0 Times in 0 Posts
    what is the difference between:
    session_register("username");
    and:
    $_SESSION["something"]=$username;
    ?

  • #11
    Regular Coder
    Join Date
    Nov 2002
    Posts
    180
    Thanks
    0
    Thanked 0 Times in 0 Posts


    Is it secure to use session variables? I think anyone can set the session variables and log in just by knowing someone's username, is that right?

    I read in one book about making an access logger. It checks the username and password first, then calls this:
    Code:
    setcookie("auth", "1", 0, "/", "yourdomain.com", 0);
    and at the beginning of the secret page:
    Code:
    if (isset($_COOKIE['auth']) && $_COOKIE['auth'] == "1") {
        echo "You are authorized.";
    } else {
        header("Location: somepage.php");
        exit;
    }
    So, should we check with session variables or with cookies?
    Last edited by Aymen++; 04-18-2004 at 01:15 PM.

  • #12
    raf
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Aymen++
    what is the difference between:
    session_register("username");
    and:
    $_SESSION["something"]=$username;
    ?
    session_register("username"); will only work on servers where register_globals=on. $_SESSION["something"]=$username; will always work and is what I would recommend to always use.
    Quote Originally Posted by Aymen++
    Is it secure to use session variables? I think anyone can set the session variables and log in just by knowing someone's username, is that right?
    No. It's not that simple to set session variables. But it's also not completely impossible. A bigger related security threat is session hijacking. If you manage to steal a session cookie or the SID from another user, then you can automatically request pages and this other person's session variables would be used, and possibly disclose sensitive information to you. But since HTTP is a stateless protocol, you need something to identify the requesting client with, hence sessions.
    To reduce security risks, you can keep 'session info' inside a DB, where you keep a session table that also checks for the IP and possibly a persistent cookie + you can use session_regenerate_id() on each request to reduce the risk of session hijacking + you could use SSL and other encryption methods to secure your communication + use a Kerberos ticketing service or something similar.
    (That is, after you made sure your code itself doesn't have security issues...)

    <edit>
    Sessions are securer and more universal than a persistent cookie. This code basically reinvents one of the most common uses of sessions.
    In my opinion, using a db and checking on both the SID, the IP and a persistent cookie is still the most secure way.
    </edit>
    Last edited by raf; 04-18-2004 at 01:23 PM. Reason: posts crossed
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html
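
Added example, not part of the thread: one way to apply the session advice in post #12 (fresh session ID, IP check, HTTPS-only cookie) while storing only the username in the session, as in post #4. `start_secure_session()`, `login()`, `session_is_consistent()` and the user record are hypothetical; the ID is regenerated at login here rather than on every request, and the IP is kept in the session instead of a database table.

```php
<?php
// Added example, not code from the thread. Function names and the user
// record are constructed; requires PHP 7.3+ for the cookie options array.

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse session IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the SID from the URL
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

// $users maps username => password hash, standing in for the DB lookup.
function login(string $username, string $password, array $users, string $ip): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);         // new ID at login, old session data deleted
    $_SESSION['valid_user'] = $username; // identity only, never the password
    $_SESSION['ip'] = $ip;               // address the session was created from
    return true;
}

// Per-request check: logged in, and still coming from the same address.
function session_is_consistent(string $ip): bool
{
    return isset($_SESSION['valid_user'], $_SESSION['ip'])
        && hash_equals($_SESSION['ip'], $ip);
}

// Constructed demo data; results are collected first so nothing is output
// before the session ID is regenerated.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
start_secure_session();
$results = [
    'wrong password' => login('alice', 'wrong', $users, '192.0.2.10'),
    'right password' => login('alice', 'correct horse', $users, '192.0.2.10'),
    'same address'   => session_is_consistent('192.0.2.10'),
    'other address'  => session_is_consistent('198.51.100.7'),
];
var_dump($results);
```

Binding a session to one IP address also ends the session of a legitimate user whose address changes, so treat a mismatch as a reason to ask for the password again.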

  • #13
    Regular Coder
    Join Date
    Nov 2002
    Posts
    180
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you very much.
    And what about this:
    I read in one book about making an access logger. It checks the username and password first, then calls this:
    Code:
    setcookie("auth", "1", 0, "/", "yourdomain.com", 0);
    and at the beginning of the secret page:
    Code:
    if (isset($_COOKIE['auth']) && $_COOKIE['auth'] == "1") {
        echo "You are authorized.";
    } else {
        header("Location: somepage.php");
        exit;
    }
    So, should we check with session variables or with cookies?

  • #14
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,073
    Thanks
    11
    Thanked 98 Times in 96 Posts
    Whilst the `some users won't have cookies` argument is not really a good one, it is certainly occasionally true. Sessions are far more secure anyway, e.g. it's far easier to forge/steal a cookie than hijack a session.

    Sessions are useful for so many things that it's well worth getting to know them.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #15
    Regular Coder
    Join Date
    Dec 2002
    Location
    Seattle, WA
    Posts
    116
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I like to md5() the password before storing it in the session. Maybe I'm just fooling myself but it feels more secure.

