Login Tutorial (security not working the same as tut)


smitho
02-18-2008, 02:51 AM
I've noticed that to get the security working the same as shown in the vid tut I've had to change the order of the include.

In the vid tut it's set up like so:


require_once("Connections/dwc.php");//database connection
include("includes/security.php");
session_start();

To get this working I had to set it up this way.

require_once("Connections/dwc.php");//database connection
session_start();
include("includes/security.php");

Would there be any issues in setting it up like this?

davidj
02-18-2008, 07:10 AM
this is fine

in fact probably an oversight on my part so yours is correct

you need to initiate session_start() before dealing with any sessions so it needs to be called first
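An added example (not code from the tutorial or from this thread) showing why the include order matters and how to make the mistake fail loudly instead of silently. Before session_start() runs, $_SESSION is empty, so a security include that reads it will bounce every visitor to login.php, logged in or not. The contents of includes/security.php, the session key user_id and the cookie settings are assumptions for this example; the file names and the session_start() placement follow the thread.

```php
<?php
// File: includes/security.php  (assumed contents; the tutorial's own file is not shown in the thread)

// Fail closed if the including page forgot session_start(). Before the session
// is started $_SESSION is empty, so a plain check would quietly treat every
// logged-in user as anonymous instead of surfacing the ordering bug.
if (session_status() !== PHP_SESSION_ACTIVE) {
    http_response_code(500);
    error_log('security.php included before session_start() in ' . ($_SERVER['SCRIPT_NAME'] ?? '?'));
    exit('Server configuration error');
}

// Assumed session key: set by login.php after a successful password check.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php', true, 303);
    exit;
}

// ---------------------------------------------------------------------------
// File: a protected page, in the order that works (smitho's corrected order)
// ---------------------------------------------------------------------------
require_once 'Connections/dwc.php';   // database connection, as in the tutorial

// Cookie hardening has to happen before session_start(); calling it afterwards
// has no effect on the cookie that was already sent.
session_set_cookie_params([
    'httponly' => true,    // cookie not readable from JavaScript
    'secure'   => true,    // assumes the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();                      // populates $_SESSION from the cookie

include 'includes/security.php';      // now safe: $_SESSION is available
```

If the include is moved back above session_start(), the first check in security.php stops the request with a 500 and a log line naming the page, rather than redirecting everyone to the login form and leaving you to guess why the tutorial "isn't working".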

smitho
02-21-2008, 05:03 AM
Using the security example I've created a status level from guest (level 1) through to superadmin (level 5).

Using this


include("include/status.php");

if ($status < 5) {
    header("Location: login.php");
    exit;
}

The user will be bumped back to the login. Is it possible to bump them back to the last page they were on?

davidj
02-21-2008, 06:43 AM
could the last page be different each time?

page1 > page2
page3 > page2
page4 > page2
page8 > page2

so in the above example page2 could have many pages to return to

is this the scenario you're on about?

smitho
02-21-2008, 10:08 AM
If you take this example:

include("include/status.php");

if ($status < 5) {
    header("Location: login.php");
    exit;
}

My status.php does a query on the user table and matches the user's access level with the status table.

So in the above example I've put this code on the user maintenance page, where only level 5 people can access the page.

Like the example you had in the login tut, I want to stop people who may be registered but not given access to certain pages from manually typing in the name (URL).

If a person with member access who knows how to get around decides to type in the URL for the user maintenance page, I want to block them.

Rather than bump them back to the logon screen, I was wondering if I could bump them back to where they were.

So if a user currently on the list.php page tries to type in userupdate.php, they are redirected back to the list.php page.

Hope this makes sense.

davidj
02-21-2008, 10:39 AM
OK

IMHO i would set an access level in the db and yes you're right, check each page for this level in an include

it would be a good idea to write a function to do this

i would, however, still bounce them back to the login and make sure you report this activity in an audit activity log (every app should have one)

reasons

they tried to bypass the functionality of your system but you stopped them

bounce them back to the front screen and display a message...

"It was detected that you tried to gain access to an area of the system which you do not have access to! This has been recorded in the log file and the security team notified!"

then watch em squirm

the other option is to build a function which can utilise the javascript history object

check that they have tried to access the page via the URL and then in your security function call a JavaScript function which will use the history.back() method onload

Personally i wouldn't build it. I would kick them out and display the message

they aren't going to complain to anyone are they ->

"when i try to hack your site i get kicked out - this is extremely unfair"
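An added example (not code from the thread or the tutorial) of the approach davidj recommends: one function, called from an include on every restricted page, that compares the user's access level with the level the page needs, writes an audit-log entry on failure, and bounces the user to the login screen with a message. The levels (1 guest through 5 superadmin) come from smitho's post; the session keys user_id and access_level, the log path and the denied=1 query flag are assumptions for this example.

```php
<?php
// File: includes/security.php  (hypothetical; defines the check and the audit log)
declare(strict_types=1);

// Assumed location for the audit log, kept outside the web root so it cannot
// be fetched by URL the same way the protected pages were being probed.
const AUDIT_LOG = __DIR__ . '/../logs/audit.log';

// Append one JSON object per line. LOCK_EX stops concurrent requests from
// interleaving partial lines, which matters once you grep this file in anger.
function audit(string $event, array $fields = []): void
{
    $entry = array_merge([
        'time'    => date('c'),
        'event'   => $event,
        'user_id' => $_SESSION['user_id'] ?? null,
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? null,
        'uri'     => $_SERVER['REQUEST_URI'] ?? null,
        'agent'   => $_SERVER['HTTP_USER_AGENT'] ?? null,
    ], $fields);
    file_put_contents(AUDIT_LOG, json_encode($entry) . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Allow the page only if the logged-in user's level is at least $required.
function require_level(int $required): void
{
    // Same ordering bug discussed at the top of the thread: fail closed
    // instead of treating every visitor as a guest.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        http_response_code(500);
        exit('Server configuration error');
    }

    // A missing or garbage level is treated as guest (1), never as admin.
    $level = (int) ($_SESSION['access_level'] ?? 1);
    if (!empty($_SESSION['user_id']) && $level >= $required) {
        return;                          // authorised: let the page render
    }

    // Record who tried what, then kick them out. The message itself lives in
    // login.php and is selected by a fixed flag, so nothing from the request
    // is echoed back to the browser.
    audit('access_denied', ['required' => $required, 'have' => $level]);
    $_SESSION = [];
    session_destroy();
    header('Location: login.php?denied=1', true, 303);
    exit;
}

// ---------------------------------------------------------------------------
// File: userupdate.php  (superadmin only), in the include order that works
// ---------------------------------------------------------------------------
// require_once 'Connections/dwc.php';
// session_start();
// require_once 'includes/security.php';
// require_level(5);
```

Destroying the session is a choice, not a requirement: it implements the "kick them out" part of the advice so the bounce always lands on a clean login form. If you would rather keep a member logged in and only deny the page, drop the two session lines and redirect to a page they are allowed to see. Either way the audit line is written before the redirect, so the attempt is recorded even if the user never loads login.php.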