Hello,

I have a PHP login form and it works fine, but users with Fiddler2 (a web debugging proxy) have the ability to hide their PHPSESSID completely. What is a good system that I can use to prevent this, as anonymous users can cause trouble on the website?

Most systems I have worked with test for a valid session with every call to a members-only section of a website. This includes RESTful scripts that should only be accessed by logged-in users.

If the session doesn't pass your validity test, redirect them to a login page.
Basically, they can hide the session id and in doing so, they are logging themselves out of your system.

For example:

<?php
session_start(); // $_SESSION is empty until the session has been started
if (!isset($_SESSION['user'])) {
    // Redirect with a 302; a 401 status would stop the browser from following the Location header
    header('Location: http://www.mysite.com/login.php', true, 302);
    exit; // stop here so the protected page below never runs for an anonymous request
}

Put a script like the above any place a user can enter your site that requires authorization. This is often a 'front controller' -- a single script that serves up other pages/articles on your site; if not then each script needs to be secured by including this code with a require_once().
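A fuller version of the guard described in this answer, as an added example that is not code from the thread or from any poster. It assumes the session key is `$_SESSION['user']`, that the login page lives at `/login.php`, and that the file is saved as `auth_guard.php` and pulled in with `require_once` at the top of every protected script (or once in the front controller). A request whose PHPSESSID cookie has been stripped by a proxy simply arrives with an empty session, so it fails the check and is sent to the login page like any other anonymous visitor.

```php
<?php
// auth_guard.php: added example for this thread, not code posted by any member.
// Include it with require_once before any output in every script that only
// logged-in users may reach. Names ($_SESSION['user'], /login.php) are assumptions.

declare(strict_types=1);

// Harden the session cookie before the session starts: a session id that is
// only ever sent as a Secure, HttpOnly cookie cannot be read by page scripts
// or passed around in a URL.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => isset($_SERVER['HTTPS']),
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1'); // ignore ids supplied in the query string
session_start();

/**
 * Return true only when the session carries a logged-in user and, if the login
 * script recorded the browser's User-Agent, the same User-Agent is still in use.
 * A request with no PHPSESSID cookie gets a fresh, empty session and fails here.
 */
function sessionIsValid(array $session, string $userAgent): bool
{
    if (empty($session['user'])) {
        return false;
    }
    if (isset($session['ua']) && !hash_equals($session['ua'], $userAgent)) {
        return false; // session bound to a different client
    }
    return true;
}

function requireLogin(): void
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (!sessionIsValid($_SESSION, $ua)) {
        // Discard any partial session data, then issue a real 302 redirect.
        $_SESSION = [];
        header('Location: /login.php', true, 302);
        exit; // never fall through into the protected page
    }
    // Rotate the session id periodically so a captured id has a short useful life.
    if (!isset($_SESSION['rotated']) || time() - $_SESSION['rotated'] > 900) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = time();
    }
}

requireLogin();
```

On the login side the matching step is to call `session_regenerate_id(true)` immediately after the password check succeeds and only then set `$_SESSION['user']` (and `$_SESSION['ua']`), so that an id handed out before authentication is never promoted to an authenticated one.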

madCoder is correct; however, be careful using require_once or require: if it dies and results in an error, the user can then use directory traversal to hack your site.

Thank you, but will this still allow offline users to browse pages?

Offline browsing is only the user going through their (temp) folder, so it will always be what they saw last time they were on the site.
