Hello,

I have a problem with websites and applications that I made using Dreamweaver. The problem is with user authentication when two or more websites created by Dreamweaver are on the same server.

When a user is granted access to one of them, the user becomes able to access the other website.

How could I change this behavior of Dreamweaver?

    Unless we know how Dreamweaver is handling authentication, we can't help you. Does Dreamweaver build PHP code for session-based authentication, for example? Can you show us some code?

      Here is the Dreamweaver code.

      // *** Validate request to login to this site.
      // Note: $konn, $database_konn and GetSQLValueString() are defined
      // elsewhere in the Dreamweaver-generated code (connection include).
      if (!isset($_SESSION)) {
        session_start();
      }

      $loginFormAction = $_SERVER['PHP_SELF'];
      if (isset($_GET['accesscheck'])) {
        // Remember the page the user was trying to reach before the login.
        $_SESSION['PrevUrl'] = $_GET['accesscheck'];
      }

      if (isset($_POST['username'])) {
        $loginUsername = $_POST['username'];
        $password = $_POST['passwd'];
        $MM_fldUserAuthorization = "priv";
        $MM_redirectLoginSuccess = "index.php";
        $MM_redirectLoginFailed = "login.php?MSG=loginError&bad";
        $MM_redirecttoReferrer = true;
        mysql_select_db($database_konn, $konn);

        // Look up the user by the submitted name and the MD5 of the password.
        $LoginRS__query = sprintf("SELECT uid, upasswd, upriv, uname FROM users WHERE id=%s AND upasswd=%s",
          GetSQLValueString($loginUsername, "text"), GetSQLValueString(md5($password), "text"));

        $LoginRS = mysql_query($LoginRS__query, $konn) or die(mysql_error());
        $loginFoundUser = mysql_num_rows($LoginRS);
        if ($loginFoundUser) {
          $loginStrGroup = mysql_result($LoginRS, 0, 'upriv');
          $loginStrName  = mysql_result($LoginRS, 0, 'uname');

          // Declare the session variables and assign them.
          $_SESSION['MM_Username']  = $loginUsername;
          $_SESSION['MM_UserGroup'] = $loginStrGroup;
          $_SESSION['MM_Name']      = $loginStrName;

          if (isset($_SESSION['PrevUrl']) && true) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
          }
          header("Location: " . $MM_redirectLoginSuccess);
          exit; // stop processing after the redirect
        }
        else {
          header("Location: " . $MM_redirectLoginFailed);
          exit;
        }
      }


        OK, this looks pretty typical. You also need to show your snippet of code that does the session-based checking for pages that require authentication.

        As you know, sessions work by sending your users a cookie with a random token (session id). Each time you call session_start() on a page, that page watches for the cookie with its corresponding session id (or creates a session and sends a cookie if no cookie is sent). Cookies are only sent back to a website if its URL matches the URL of where the cookie was originally obtained. In other words, browsers are not supposed to share cookies with other URLs. So I ask, do these websites use the same URL? I guess an example would be that each one has its own folder under the same URL.

        Now it seems that a malicious user should be able to see what the session id is for one authenticated website (look at HTTP headers, etc.) and pass it in a URL for another website. If session.use_trans_sid is enabled, this action, in theory, would tell PHP, "look for a previous session called: 75baed2b542603e49e16ea01b32f2d3e and use it." I do not believe PHP uses anything to identify a session other than this session id. In fact, it's probably trivial to send an HTTP header with PHPSESS=75baed2b542603e49e16ea01b32f2d3e added to the cookie even if session.use_trans_sid is disabled.

        Just to be safe, I'd start injecting server name into my session:

        // Declare the session variables and assign them.
        $_SESSION['MM_Username']   = $loginUsername;
        $_SESSION['MM_UserGroup']  = $loginStrGroup;
        $_SESSION['MM_Name']       = $loginStrName;
        $_SESSION['MM_Servername'] = $_SERVER['SERVER_NAME'];

        Then in your authentication checks include:

        // Reject a session that was not created on this server name.
        if ( !(isset($_SESSION['MM_Servername']) && $_SERVER['SERVER_NAME'] == $_SESSION['MM_Servername']) ) {
          header("Location: " . $MM_redirectLoginFailed);
          exit; // stop processing after the redirect
        }
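        To make the suggestion above concrete, here is an added example (not code from this thread or from Dreamweaver) that keeps each site's session separate on a shared host: each site gets its own cookie name, cookie path and session directory, session ids are never accepted from the URL, and the server name is stored at login and re-checked on every protected page. The site key and the paths are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not Dreamweaver's code; site key and paths are assumptions.
// Session scoped to this site: own cookie name/path, own store, no URL ids.
function site_session_start(string $siteKey, string $cookiePath, string $savePath): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_name('SESS_' . $siteKey);      // a different cookie per site
    session_save_path($savePath);          // a different file store per site
    session_set_cookie_params([
        'path'     => $cookiePath,         // browser sends it only under this folder
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    ]);
    session_start();
}

// After credentials are verified: fresh id, plus the server-name binding
// suggested in the thread and a site key on top of it.
function site_login(string $siteKey, string $user, string $group): void
{
    session_regenerate_id(true);
    $_SESSION['MM_Username']   = $user;
    $_SESSION['MM_UserGroup']  = $group;
    $_SESSION['MM_Servername'] = $_SERVER['SERVER_NAME'];
    $_SESSION['MM_SiteKey']    = $siteKey;
}

// On every protected page: accept the session only if this site created it.
function site_session_valid(string $siteKey): bool
{
    if (!isset($_SESSION['MM_Username'], $_SESSION['MM_Servername'], $_SESSION['MM_SiteKey'])) {
        return false;
    }
    return hash_equals($_SESSION['MM_Servername'], $_SERVER['SERVER_NAME'] ?? '')
        && hash_equals($_SESSION['MM_SiteKey'], $siteKey);
}

// Protected page of site A (hypothetical paths):
site_session_start('siteA', '/siteA/', '/var/lib/php/sessions/siteA');
if (!site_session_valid('siteA')) {
    session_unset();
    session_destroy();
    header('Location: login.php?MSG=loginError&bad');
    exit;
}
```

        With a distinct cookie name and path per site, the browser never presents site A's cookie to site B, and the separate save_path means an id copied across by hand finds no session file on the other site either.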