trying to make a secure webpage with cookies

Hoangsta

I added this line to a member page. In doing so, I would assume it would stop anyone from reacing a member's page before logging in...or after they have logged in, they can't just copy the url and get back into the member's page. If they did, it would send them back to the login.php

require_once('emailpass_funcs.php');
require_once('login_funcs.php');
if (!user_isloggedin()) {
  header("Location: [url]http://www.buzzabiz.com/login.php[/url]");
}


From the code above, the !user_isloggedin is from my login_funcs.php and it is simply this...

function user_isloggedin() {
  // This function will only work with superglobal arrays, because
  // I'm not passing in any values or declaring globals
  global $supersecret_hash_padding, $LOGGED_IN;

  // Have we already run the hash checks? 
  // If so, return the pre-set var
  if (isSet($LOGGED_IN)) {
    return $LOGGED_IN;
  }
  if ($_COOKIE['user_name'] && $_COOKIE['id_hash']) {
    $hash = md5($_COOKIE['user_name'].$supersecret_hash_padding);
    if ($hash == $_COOKIE['id_hash']) {
      return true;
    } else {
      return false;
    }
  } else {
    return false;
  }
}


Can anyone give me a route to take because as of right now, i can just go into my member's page after logging in, copy the url, paste it to a new browser, and get straight in the back door.

planetsim

Firstly

header("Location: <a href="http://www.buzzabiz.com/login.php" target="_blank">http://www.buzzabiz.com/login.php</a>");

No Html within the header

so it should be

header("location: http://www.buzzabiz.com/login.php"); sorry you cannot open a new window with header();

When returning true and false i like to do it this way

if (user_isloggedin() != false) {

Hoangsta

I do have this in my php code...

header("location: http://www.buzzabiz.com/login.php");

somehow when i put it in php tags it becomes this

header("Location: <a href="http://www.buzzabiz.com/login.php" target="_blank">http://www.buzzabiz.com/login.php</a>");

weird...

I took your code of..

if (user_isloggedin() != false) {

doesn't work. i think it's more complex than that...i think i acutally have to use session or something...but cookies and session mix up is a NO NO

drawmack

a cookie is a text file on the client's machine, therefor nothing that relies on cookies is secure.

However I think you've done an excelent job of stopping joe blow from bookmarking a member's page - congrats.

tekky

Originally posted by Hoangsta
I do have this in my php code...

header("location: http://www.buzzabiz.com/login.php");

somehow when i put it in php tags it becomes this

header("Location: <a href="http://www.buzzabiz.com/login.php" target="_blank">http://www.buzzabiz.com/login.php</a>");

weird...
....

turn off "automatically parse URLS" when posting things like that.... otherwise the board will make them into what you saw in the previous posts... really really ugly to read those 🙂

Hoangsta

thanks, can you give me a suggestion on protecting my page using the codes that i supplied? is there something that is missing?

Maximum

Actually, sessions are by far the easiest way😉

The following can be adapted to your page that verifies login.
If login is correct.....

session_start();
header("Cache-control: private");
$TempPassCode = session_id();
$_SESSION['KeyCode'] = $TempPassCode;
header("Location: MembersPage.php?SessionID=$TempPassCode");
exit;

This will produce the URL ending such as this (with the actual variable
value length being determined by your host, but is irrelavent
since is somewhat self created by the "session_id()"):

MembersPage.php?SessionID=3be4ae6b8c1e05f760f6c2b44538c8e9

Now, within the MembersPage.php, you would include the following:

<?php
session_start();
header("Cache-control: private");
$Verify1 = $_SESSION['KeyCode'];
$Verify2 = $HTTP_GET_VARS['SessionID'];
if($Verify2 == "") {
header("Location: login.php");
exit;
} else {
if($Verify1 == $Verify2) {
echo 'Your HTML for the member's page goes here...';
} else {
header("Location: login.php");
exit;
}
}
?>

What this does is check to make sure the current LIVE session-key
we named "KeyKode" on the previous page matches that of the
passed one in the URL. If so, echo HTML of page. If not, redirect
back to login page! You'll notice that the header
("Location: login.php"); is there twice. This is to cover a
failure of some PHP configurations. 1st one sents back to login if
the variable is blank, the other if present but no match. Oddly
enough, without both of them some configs will show as valid on
a blank or non-passed variable (the "?SessionID="). By using
this, if they close browser (even if bookmark for next time) or
copy+paste to another window, they will be sent right back to
the beginning😃

Notice that both pages start with
session_start();
header("Cache-control: private");
This is neccessary, even though you would think you've
already "started" the session. Sessions are not kept-alive from
page to page (not kept open like MySQL) literally...So you have to
tell each page to keep going with the session.

To add this protection of them being required to be in the same
session on all members pages, you can include this check-system
in all the pages...JUST MAKE SURE to remember and pass

the "SessionID" variable.

To log them out, and kill the session - In the logout page:

<?
session_start();
$_SESSION = array();
session_destroy();

?>

This isn't perfect, but I think it should solve the problem without you going nuts over it😃
A basic tutorial over session can be found at PHP Freaks. And go check-out PHP.net and look-up "sessions"🆒