
Help with user authentication...

Chosen13
Light Poster
38 posts since Nov 2009

Hello,

I have a PHP login form and it works fine, but users with Fiddler2 (Web Debugging Proxy) have the ability to hide their PHPSESSID completely. What is a good system that I can use to prevent this, as anonymous users can cause trouble on the website?

madCoder
Junior Poster
165 posts since Feb 2010

Most systems I have worked with test for a valid session with every call to a members-only section of a website. This includes RESTful scripts that should only be accessed by logged-in users.

If the session doesn't pass your validity test, redirect them to a login page.
Basically, they can hide the session id and in doing so, they are logging themselves out of your system.

For example:

<?php
session_start(); // the session must be started before $_SESSION can be read
if (!isset($_SESSION['user'])) {
   // A Location header implies a 302 redirect; setting a 401 status first would stop browsers following it
   header('Location: http://www.mysite.com/login.php');
   exit; // stop execution so the protected content below is never sent
}

Put a script like the above any place a user can enter your site that requires authorization. This is often a 'front controller' -- a single script that serves up other pages/articles on your site; if not then each script needs to be secured by including this code with a require_once().
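A fuller version of that guard, written as an added example rather than madCoder's code, that can be pulled in with a single require_once() from a front controller or from each protected script. It assumes a file named auth_guard.php, a $_SESSION['user'] key set at login, a /login.php URL and a 30-minute idle limit; RESTful callers get a bare 401 instead of a redirect, since a redirect would hand them an HTML login page.

```php
<?php
// auth_guard.php (assumed name): guard for members-only pages and RESTful scripts.
// Added example; the session key, login URL and idle limit are assumptions.

session_start();

function sessionIsValid(): bool
{
    // A hidden or forged PHPSESSID just yields an empty session, so the
    // visitor is treated as logged out rather than gaining anything.
    if (empty($_SESSION['user'])) {
        return false;
    }
    // Expire sessions that have been idle for more than 30 minutes (assumed policy).
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if ($idle > 1800) {
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function requireLogin(string $loginUrl = '/login.php'): void
{
    if (sessionIsValid()) {
        return;
    }
    $wantsJson = stripos($_SERVER['HTTP_ACCEPT'] ?? '', 'application/json') !== false
        || ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
    if ($wantsJson) {
        // API clients get a 401 with a JSON body; no Location header here.
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'authentication required']);
    } else {
        // Browsers get a plain 302 to the login page; never combine this with a 401 status.
        header('Location: ' . $loginUrl, true, 302);
    }
    exit; // nothing after the guard runs for an unauthenticated request
}

requireLogin();
```

Include it as `require_once __DIR__ . '/auth_guard.php';` at the top of the front controller or of every protected script; using `__DIR__` keeps the include from depending on the include path or the current working directory.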

metalix
Posting Whiz in Training
218 posts since Mar 2010

madCoder is correct; however, be careful using require_once or require, as if it dies and results in an error, the user can then use directory traversal to hack your site.

Chosen13
Light Poster
38 posts since Nov 2009

Thank you, but will this still allow offline users to browse pages?

metalix
Posting Whiz in Training
218 posts since Mar 2010

Offline browsing is only the user going through their (temp) folder.
So it will always be what they saw last time they were on the site.
