
How to prevent user from bypassing php authentication

We call it html1 for simplicity.

When a user goes to html1, there's a login2.php login page to enable access to client.php which is the hidden page.

It then goes to checklogin.php...if the password and user name matches...it then goes to the hidden client.php page...if not..it goes back to homepage.

The user has to login to be able to view the contents of hidden client.php page.

However the user can access client.php by typing in ..../client.php on the address bar...therefore bypassing the auth page and rendering it useless. I can just type servername/client.php...and it still shows me the contents of client.php...but I want client.php...to be private!

How do I prevent this from happening?

thanks.

first login page...

<html>
<head>
<title>Login Form</title>
</head>
<body>
<h2>Login Form</h2>
<!-- the form is no longer wrapped in a bare <table>, which is invalid markup without rows and cells -->
<form method="post" action="checklogin2.php">
<div id="name">User Id: <input type="text" name="****"></div>
<div id="password">Password: <input type="password" name="*******"></div>
<div class="button"><input type="submit" value="Login"></div>
</form>
</body>
</html>

then it goes to.... checklogin2.php

<?php
    $*** = $_POST['****'];
    $***** = $_POST['***'];

    if ($uid == '****' and $***** == '*****') {
        session_start();
        $_SESSION['sid'] = session_id();
        header("location:securepage.php");
        exit(); // stop here; otherwise the rest of the script keeps running after the redirect
    } else {
        header("location:index.html");
        exit();
    }
?>

Then it goes to... securepage.php

<?php
    session_start();
    if ($_SESSION['sid'] == session_id()) {
        header("location:client.php");
        // the browser follows the redirect, so this link is never displayed
        echo "<a href='logout.php'>Logout</a>";
        exit();
    } else {
        header("location:login.php");
        exit();
    }
?>

At the beginning of every one of your pages you have to check if the user is authorized.

On checklogin.php, if the user entered the correct login and password, just set something like

$_SESSION['authorized'] = TRUE;

...and on other pages just check if user is authorized:

session_start(); // must run before $_SESSION is read and before any output

if (isset($_SESSION['authorized']) && $_SESSION['authorized'] === TRUE) {
    // Alright, let's show all the hidden functionality!
    echo "Psst! Hey! Wanna buy some weed?";
} else {
    // User is not authorized!
    header('Location: login.php');
    exit();
}

Note that you don't have to mess with cookies, session IDs etc. - just add session_start() before everything and freely use the $_SESSION variable.

This is the main pro of sessions (and the $_SESSION variable in particular): you can remember some data across different pages on the same website.
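The answer above fixes the asker's setup once the check actually runs inside client.php itself: the redirect chain through securepage.php does nothing for a page that performs no check of its own. As an added example (not the answerer's or the asker's code), here is the whole flow as a shared auth.php that every page includes first, plus the three pages that use it. The file and function names (auth.php, attempt_login, require_login, logout), the in-memory user list and the sample password "correct horse" are assumptions constructed for the demo; a real deployment stores the bcrypt hash and never the plaintext. Field names uid and password stand in for the redacted ones in the question.

```php
<?php
// ===== auth.php (added example, not code from the page) =====
// Include this as the very first line of every page: session_start() and
// header() must run before any output is sent.
declare(strict_types=1);

session_start();

// Constructed sample user store. In a real app the hash is read from a
// database; it is computed here only so the example runs stand-alone.
function known_users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $users;
}

// Verify credentials; on success mark the session as authorized.
function attempt_login(string $user, string $password): bool
{
    $hash = known_users()[$user] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id on privilege change (session fixation defence)
    $_SESSION['authorized'] = true;
    $_SESSION['user'] = $user;
    return true;
}

// Guard: every private page calls this before producing any output.
function require_login(string $loginUrl = 'login.php'): void
{
    if (($_SESSION['authorized'] ?? false) !== true) {
        header('Location: ' . $loginUrl);
        exit();                    // without exit() the page body would still be sent
    }
}

// Drop the session data and the session cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// ===== checklogin.php =====
require 'auth.php';
if (attempt_login($_POST['uid'] ?? '', $_POST['password'] ?? '')) {
    header('Location: client.php');
} else {
    header('Location: login.php');
}
exit();

// ===== client.php =====
require 'auth.php';
require_login();   // typing /client.php directly now redirects to login.php
echo 'Hello ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8')
   . " <a href='logout.php'>Logout</a>";

// ===== logout.php =====
require 'auth.php';
logout();
header('Location: login.php');
exit();
```

Save each section after the first as its own file (checklogin.php, client.php, logout.php) alongside auth.php. The two things that make client.php private are that it runs require_login() itself rather than trusting how it was reached, and that every redirect is followed by exit(); the session id regeneration on login and the htmlspecialchars() on output are the small extras a practitioner adds at the same time.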

All pages have to check if the user is authenticated. I would recommend using objects, and always inherit a class that checks this for you. It's not fun to have the same code everywhere, doing the same thing.

session_start(); // required before $_SESSION can be read

if($_SERVER["PHP_SELF"] == '/yourpagefolder/yourpage.php' && !isset($_SESSION['login_user'])){
    header('location: login.php');
    exit(); // stop the script so the page content is not sent after the redirect
}
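The inheritance approach this answer recommends, as an added example that is not the answerer's code: the session check lives in the constructor of a base class, so any page object that extends it is protected without repeating the check or comparing PHP_SELF against a path. The class names ProtectedPage and ClientPage, the session keys authorized and user, and the login.php target are assumptions; the constructor property promotion syntax needs PHP 8.0 or later.

```php
<?php
// Added example (not code from the page): base class that enforces the
// session check before any subclass can render.
declare(strict_types=1);

abstract class ProtectedPage
{
    public function __construct(private string $loginUrl = 'login.php')
    {
        // start the session once, even if the including page already did
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        // redirect and stop before a subclass gets a chance to output anything
        if (($_SESSION['authorized'] ?? false) !== true) {
            header('Location: ' . $this->loginUrl);
            exit();
        }
    }

    // Subclasses only implement their content; the guard already ran.
    abstract public function render(): void;
}

// client.php: simply extending ProtectedPage makes the page private.
final class ClientPage extends ProtectedPage
{
    public function render(): void
    {
        $user = htmlspecialchars($_SESSION['user'] ?? 'user', ENT_QUOTES, 'UTF-8');
        echo "Secret client content for {$user} <a href='logout.php'>Logout</a>";
    }
}

(new ClientPage())->render();
```

Because the check runs in the constructor, a subclass cannot forget it or run it after output has started; a page that must stay public simply does not extend ProtectedPage.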

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM