Quick question to do with sessions

[krappleby]

HI all,

i have a website, which i run from one index page..

i call the contents, which are located in another page..

now.. when a member logs in a session called sysuser is created containing their member id..

now the problem comes with the pages, i have three folders..

one is called ADMIN (contains the admin pages)
one is called MEMBER (contains the members pages)
the third is just called Pages (contains the main site)

now, what i have noticed is that if someone types in for instance ?pageid=ADMIN/page

then they can access that page but i need to stop that,.

now i have a small piece of code

if ($sysuser <> "100001")
{
$PageID = str_replace("Admin/","" , $PageID);
}
if ($sysuser == "")
{
$PageID = str_replace("Member/","" , $PageID);
}

which removes the folder name, if they are not logged in.. but now i get a no such file or directory. because for example ADMIN/Member exists but MEMBER does not.

how can i change this so that if Admin/ appears at the starte of PageID it chages Pageid to something else completely..

there are a lot of pages in Admin and Members so i could do it for each page, btu that is a waste of coding..

please help

 

[krappleby]

so something lont the lisnes of

if ($PageID Contains "Admin/" and $sysuser <> "100001")
{
$PageID = "welcome";
}

if ($PageID Contains "Member/" and $sysuser == "")
{
$PageID = "welcome";
}

somthing like that

 

[jpadie]

before providing access to any functionality a properly designed application should both authenticate the user and validate the user's authorisation for that action.

If a user is not authorised to take an action he should be expressly told that he is not authorised and his actions reported to the systems administrator for consideration of what further action may be replied (disciplinary, in the context of employment, for example).

so i would not simply change one folder to the next, but redirect the user to a public access site on the crimes enshrined in the computer misuse act, or if you are feeling benign, a disney site or something.

 

[feherke]

Hi

?pageid=ADMIN/page

Personally I do not like such things. I prefer it like ?section=admin&pageid=page . Then the conditions are simple, no need for additional string operations.

[teal]<?php[/teal]

[navy]$section[/navy][teal]=[/teal][navy]$_GET[/navy][teal][[/teal][green][i]'section'[/i][/green][teal]];[/teal]
[navy]$page[/navy][teal]=[/teal][navy]$_GET[/navy][teal][[/teal][green][i]'page'[/i][/green][teal]]?[/teal][navy]$_GET[/navy][teal][[/teal][green][i]'page'[/i][/green][teal]]:[/teal][green][i]'welcome'[/i][/green][teal];[/teal]

[gray]// check if section is valid[/gray]
[b]if[/b] [teal]([/teal][navy]$section[/navy] [teal]&&[/teal] [teal]![/teal][COLOR=darkgoldenrod]in_array[/color][teal]([/teal][navy]$section[/navy][teal],[/teal][b]array[/b][teal]([/teal][green][i]'admin'[/i][/green][teal],[/teal][green][i]'member'[/i][/green][teal])))[/teal] [teal]{[/teal]
  [navy]$section[/navy][teal]=[/teal][green][i]''[/i][/green][teal];[/teal]
  [navy]$page[/navy][teal]=[/teal][green][i]'ihateyou'[/i][/green][teal];[/teal]
[teal]}[/teal]

[gray]// alternative for the above ( more flexible and less secure )[/gray]
[b]if[/b] [teal]([/teal][navy]$section[/navy] [teal]&&[/teal] [teal]![/teal][COLOR=darkgoldenrod]is_dir[/color][teal]([/teal][navy]$section[/navy][teal]))[/teal] [teal]{[/teal]
  [navy]$section[/navy][teal]=[/teal][green][i]''[/i][/green][teal];[/teal]
  [navy]$page[/navy][teal]=[/teal][green][i]'ihateyou'[/i][/green][teal];[/teal]
[teal]}[/teal]

[gray]// check permission[/gray]
[b]if[/b] [teal](([/teal][navy]$section[/navy][teal]==[/teal][green][i]'admin'[/i][/green] [teal]&&[/teal] [navy]$_SESSION[/navy][teal][[/teal][green][i]'sysuser'[/i][/green][teal]]!=[/teal][green][i]'100001'[/i][/green][teal])[/teal]
[teal]||[/teal] [teal]([/teal][navy]$section[/navy][teal]==[/teal][green][i]'member'[/i][/green] [teal]&&[/teal] [navy]$_SESSION[/navy][teal][[/teal][green][i]'sysuser'[/i][/green][teal]]==[/teal][green][i]''[/i][/green][teal]))[/teal] [teal]{[/teal]
  [navy]$section[/navy][teal]=[/teal][green][i]''[/i][/green][teal];[/teal]
  [navy]$page[/navy][teal]=[/teal][green][i]'notallowed'[/i][/green][teal];[/teal]
[teal]}[/teal]

[gray]// check file[/gray]
[b]if[/b] [teal](![/teal][COLOR=darkgoldenrod]file_exists[/color][teal]([/teal][green][i]"$section/$page.php"[/i][/green][teal])[/teal] [teal]{[/teal]
  [navy]$section[/navy][teal]=[/teal][green][i]''[/i][/green][teal];[/teal]
  [navy]$page[/navy][teal]=[/teal][green][i]'notfound'[/i][/green][teal];[/teal]
[teal]}[/teal]

[red]include[/red] [green][i]"$section/$page.php"[/i][/green][teal];[/teal]

[teal]?>[/teal]

[small][maroon]Warning[/maroon] The above code was not tested[/small]

Feherke.

http://free.rootshell.be/~feherke/

 

[alan92rttt]

I would not code a site where the full path to a page is included in the url.

Pass a unique token to the page you want and then have your program look that up and then call the appropriate page. The lookup could be a large if/if else block or a table lookup. I'd suggest looking it up in a table as the table can have security information and the correct file to retrieve.

 

[bswip]

Along the same lines as the alan92rttt, my web sites perform a table lookup, or you could create a MySql index for each page. Each entry could have more information as to what is being displayed etc...

Then in the script called to display each page, I would add the following code:

<?php
$SCRIPT_NAME = $_SERVER["PHP_SELF"];
//
if ( $SCRIPT_NAME != "/index.php") { // Was this called from our main script?
include("intrusion.php"); // No, Send illegal access message
exit;
}


HTH

 

[feherke]

Hi

you could create a MySql index for each page

Please avoid kitchen language. MySQL index has its well defined meaning, so people will think to database index. Which is a nonsense in this case.


Feherke.

http://free.rootshell.be/~feherke/

 

[DonQuichote]

I still don't get it. YOU (the programmer) are resposible for what choices the user has. So if you have to log in, I assume you use sessions. Upon login, just make sure that the only options you give and accept are the ones the user is entitled to. Furthermore, if something is not to called from outside (like your admin include section, as I see it), don't put it where anyone can reach it!

I have a similar situation where my "admin" pages do not require a login into the application. It is to view the error log, or to run the unit tests. Therefore, I put the callable files in an admin directory which is password-protected by the web server.

For logins into the application itself, I hash any predefined option and only send those hashes to the browser. When the user has made a choice, I look up the hash and find either nothing (that option did not exist for him, maybe the session timed out) or the option I gave him. Options that exist but not for this user can simply not exist in this session and can therefore never be selected.

Of course, all my include pages are outside the web root, so going "around" my pages is impossible without hacking the web server. Just make sure that there is no backdoor to your site.


+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[bswip]

I agree completely with what you said. In fact, the root of a web site should contain minimal files (index file, cascading style sheet, robot.txt and site icon). The rest of your pages/scripts should be in deiretories that only you, the programmer knows about.

If someone tries to hack your system, make sure that any called script is being called from the correct script.
(i.e php_self)