making sure user is Authorized for access

phence

I am having trouble protecting some parts of my site from certian users. I have allready developed join and login scripts. The Join script collects and stores user information in a mysql database. The login script verifies the supplied username and password and then authorizes the user.

Now I need a script that i can place on certian pages that will make sure the user is logged in, before they are allowed to access that page.

I tried using the script below, but nothing happens when i place it on the page i want to protect.

<?php
  // begin auth check 
  session_start();

  $loginScript = "login.php";

  // Set a boolean flag to check if 
  // a user has authenticated
  $notAuthenticated = !isset($_SESSION["authenticatedUser"]);

  // Set a boolean flag to true if this request
  // originated from the same IP address
  // as the one that created this session
  $notLoginIp = isset($_SESSION["loginIpAddress"]) && ($_SESSION["loginIpAddress"] != $_SERVER["REMOTE_ADDR"]);

  // Check that the two flags are false
  if($notAuthenticated)
  {
    // The request does not identify a session
    session_register("message");
    $_SESSION["message"] = "You have not been authorized to access the " .
                                "URL {$_SERVER["REQUEST_URI"]}";

// Re-locate back to the Login page
header("Location: " . $loginScript);
exit;
  }
  else if($notLoginIp)
  {
    // The request did not originate from the machine
    // that was used to create the session. 
    // THIS IS POSSIBLY A SESSION HIJACK ATTEMPT

session_register("message");
$_SESSION["message"] = "You have not been authorized to access the " .
  "URL {$_SERVER["REQUEST_URI"]} from the address {$_SERVER["REMOTE_ADDR"]}";

// Re-locate back to the Login page
header("Location: " . $loginScript);
exit;
  }
?>

I have also tried to use it as an include file

<?php include 'chkauth.inc'; ?>

I don't know? if anyone could help me i would greatly apreciate it!
Thank-you

Stinger51

Send them a cookie called something like "Authorization" when they originally log in (sign up) the first time. If they don't complete the log in process then skip the cookie.

Then, at the beginning of each page, check for the cookie. If there isn't one, then you know they've tried to "back door" their way onto the page and you can block them by using some redirection.

You can even use this scheme just to make sure that someone comes thru the "front door" of your website by sending them a session cookie (one that expires when they leave). If they don't have this session cookie (that you sent them when they visited your home page) then they can't go any further, even if they have the other pages URLs.

If that's about as clear as mud, I can send you a snippet of code or two. But I think you get the general idea, no?

phence

yes, i understand what your saying. But some browsers do not support cookies, and some users decide to disable cookies. So that would not work unless all users supported cookies.

Stinger51

But if they don't have your cookie, for whatever reason, then they can't access those pages that check for one.

You might lose a few people that way. But since IE, NS, Opera, and Mosaic (all of which support cookies) have about 99.5 percent of the market, it would be very few indeed.

For any app I develop that requires cookies, I always notify people that this is a requirement. Same with Javascripting. And I hardly ever have a complaint. If you've ever disabled cookies, or set that option to "notify" you will quickly tire of all those dialog boxes you have to wade thru, and soon turn your cookies back on. Try it and you'll see what I mean. 😃

phence

yes i have done that before, and i agree that i wouldn't lose many users.

i still don't understand why the session attempt isn't working 🙁

Stinger51

I am reading conflicting infromation in the on-line manual about sessions (which may be part of your problem).

First of all, Sessions are only meant to last for, well, a session. But the on-line manual also seems to indicate that you can save sessions across sessions, which is an oxymoron. It may just be my interpretation of the manual, which is about as clear as mud on many topics, dunno.

Ok, so you can can save a "session variable" with session_register($varname); But once the person leaves your website, this variable is toast. So I doesn't matter whether you set the variable "loginIPaddress" or not, once that person leaves your website.

If you don't want to use cookies, then the only way I can see around your issue there is to check their information against your database each time they access a page by using the REMOTE_ADDR data (which you obtained from the first page they visited). True, this is a DB hit for each page, but I don't think it will slow things down very much, if at all.

You might also try just simply setting a session variable to some value, any value, on the entry page. Then, if someone comes in the back door (tries to access another page without going thru the entry page) there will be no session variable and you can redirect them. Of course, once they are logged into your site, they will still be able to jump to any page they want, assuming they have its address.

Also, the manual lists over a dozen "session configuration options." So unless you are running your own server and have set all of these the way you want them, one of these may be killing you without you even knowing it. It's just a thought.

Programming can be so much fun. 😃