Wrox Programmer Forums
#1
March 1st, 2004, 09:25 AM
Registered User
Join Date: Feb 2004
Location: Brisbane, QLD, Australia.
Posts: 3
Session Management / Security / Redirects

Hi,

I'm making my first commercial PHP site. I've used Java for 18 months and have found PHP easy to pick up. The programming isn't hard, but I'm having trouble with low level design from not knowing the API, and PHP's general capabilities. My general problem is not data structures and data manipulation, it's more site navigation / security / user sessions.

What I've done so far is create an authentication script - not too hard. I'm a bit lost on what to do now that I have authenticated the user.

What I want is for a user to login and then gain access to their own directory which holds a small flat file database.

I'm not sure how to redirect the user securely to their own folder. I know the curdir() command can do this, but I don't want people to be able to sidestep the authentication and just type in a URL.

How can PHP lock users out of all directories besides their own and the home dir?

Also, if a user is not authenticated, how can I automatically send them back to the login page to retry? There must be a PHP command to change URLs.

I've read up a bit on sessions and am wondering how they may apply here.

Can I have global variables that exist outside of any particular .php file? Is this a session variable? If so, how are they passed around pages, or do they reside in the server somewhere for the duration of the session?

I've asked a lot, so I really appreciate any help given.

Thanks in advance,

Justin
#2
March 1st, 2004, 04:51 PM
richard.york
Wrox Author
Points: 5,506, Level: 31
Join Date: Jun 2003
Location: Camby, IN, USA.
Posts: 1,706

There's been a lot of discussion on this on p2p lately.

O.K. there is more than one approach to this. Are you using sessions? If you are, then my second question is are you using Apache as your server?

If so you can lock out users on a per directory basis using .htaccess and sessions (my personal recommendation). Of course there's HTTP authentication too, but that's not as secure, especially if you aren't using SSL.

If you're using sessions and .htaccess you can write a script like this.

Code:
<?php

    // auth_prepend.php
    // An if/else cannot be split across two files: PHP parses each file on
    // its own, so the check and the redirect both live in the prepend file.

    session_start();

    if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] != true)
    {
        // urlencode keeps the refer value from corrupting the Location header
        header("Location: go/to/login?refer_id=" . urlencode($_SERVER["PHP_SELF"]));
        exit; // stop here so the secure content below is never sent
    }

?>

// Secure content

<?php

    // auth_append.php
    // Nothing is needed here once the prepend file exits on failure; the
    // file exists only because auto_append_file is configured below.

?>
Basically this method uses per directory .htaccess php.ini values to secure the directory.

You can use your user registration to automatically generate the .htaccess file in the user's directory. This is what the .htaccess file will look like...


php_value auto_prepend_file path/to/file
php_value auto_append_file path/to/file


If you aren't familiar with .htaccess, it gets saved as ".htaccess" and the above is all that needs to appear in it. You can verify that the settings have taken effect by running a phpinfo() script inside the directory where the .htaccess file is installed. Configuration changes will appear under the "local" heading. If you've never run phpinfo(), this is what it looks like:

<?php phpinfo(); ?>

It just prints out a long, detailed list of configuration options and settings..

Some prerequisites for this to work.. these directives will only work on extensions configured to be parsed by PHP.

If that doesn't fit your scenario, then tell us a little more about your set-up and I'm sure someone will be able to help.

: )
Rich

:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::
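A fuller prepend script for the same .htaccess setup, as an added example rather than Rich's code: besides checking logged_in it also refuses requests for any directory other than the logged-in user's own (Justin's original question) and exits after the redirect. The USERS_ROOT/<username>/ layout, the $_SESSION['username'] key and the login URL are assumptions.

```php
<?php
// auth_prepend.php (added example, not the original poster's code).
// Assumes the login script stored $_SESSION['logged_in'] and
// $_SESSION['username'], and that each user's files live under
// USERS_ROOT/<username>/ (constructed layout for this example).

const USERS_ROOT = '/var/www/site/users';   // assumed location
const LOGIN_URL  = '/login.php';            // assumed location

session_start();

function current_user_dir(): ?string
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['username'])) {
        return null;
    }
    // Allowlist the name so values like ".." or "a/b" can never
    // resolve to a directory outside USERS_ROOT.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $_SESSION['username'])) {
        return null;
    }
    $dir = realpath(USERS_ROOT . '/' . $_SESSION['username']);
    return $dir === false ? null : $dir;
}

function script_is_inside(string $dir): bool
{
    // SCRIPT_FILENAME is the requested script, not this prepend file.
    $script = realpath($_SERVER['SCRIPT_FILENAME']);
    // Require a separator boundary so /users/bob does not match /users/bobby.
    return $script !== false && strpos($script, $dir . DIRECTORY_SEPARATOR) === 0;
}

function deny_and_redirect(): void
{
    // urlencode keeps the refer value from breaking the header or
    // smuggling extra headers into the response.
    $refer = urlencode($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: ' . LOGIN_URL . '?refer_id=' . $refer, true, 302);
    exit; // never let the protected page run for a denied request
}

$ownDir = current_user_dir();
if ($ownDir === null || !script_is_inside($ownDir)) {
    deny_and_redirect();
}
// From here on the request is authenticated and for the user's own directory.
```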
#3
March 1st, 2004, 10:27 PM
richard.york
Wrox Author
Join Date: Jun 2003
Location: Camby, IN, USA.
Posts: 1,706

Some more comments.. now that I've gone back and read your post again (boredom sucks).

Quote:
Can I have global variables that exist outside of any particular .php file? Is this a session variable? If so, how are they passed around pages, or do they reside in the server somewhere for the duration of the session?

Yes. Use PHP sessions. More info available at: http://www.php.net/session.

PHP sessions work like this:

User logs in, data submitted by post
-->

User authenticated using your auth scheme.
-->

Set session variable to know user is logged in. Make sure session_start() is called at the beginning of the script (scroll down for more on that). Use $_SESSION superglobal array. Don't use the session_register function. Just create and assign values like any other variable.

$_SESSION['variable_name'] = 'value';
-->

PHP writes session variable to session file on server
-->

Include Session id in every request
PHP does so with cookies automatically.
Or you can embed it in the url via "&sid=".session_id(); (Recommended, the user isn't guaranteed to use cookies.)
-->

Redirect user to next page
-->

Call session_start() on any page that needs to create or access session information, this will import the data in that session file back into the $_SESSION superglobal and again output a session id in a COOKIE. This function is called without any arguments and must appear before any output (because it outputs a COOKIE in the HTTP headers). No white space before the opening <?php delimiter.
-->

So using the above scheme..

<?php

    session_start();

    // do authentication stuff here, ending with a boolean
    // $authenticated (name assumed; set it from your own auth check)

    // user is authenticated
    $_SESSION['logged_in'] = $authenticated ? TRUE : FALSE;

    // redirect the user
    header("Location: url/to/goto.php?sid=".session_id());
    exit; // stop the script so nothing after the redirect runs
?>

Always assign a value to your bool session variable for tighter security. Also, if you use a shared server, to tighten up security look into specifying a custom session directory. Other users on the same server can look in the default session directory, look at session data, and possibly even hijack your users' sessions.

If you look at the URL I mentioned above there is lots of information on sessions in the PHP manual.

Hopefully I haven't left you too confused!

hth,
: )
Rich

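The login side of the flow above, as an added example (not Rich's code): it uses the private session directory he recommends, keeps the session id in a cookie instead of the URL, regenerates the id on login, and only follows a refer_id that is a same-site path. The session path, the credential store and the user record are constructed for the example.

```php
<?php
// login.php (added example; not the original poster's code).
// The session directory, the credential store and the sample user
// are constructed for this example.

ini_set('session.use_only_cookies', '1');   // no session id in the URL
ini_set('session.cookie_httponly', '1');    // keep the cookie from scripts
session_save_path('/var/www/site/private/sessions'); // assumed private dir
session_start();

// Constructed credential store: username => password_hash() output.
// In real use this comes from your flat file or database.
$users = [
    'justin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function authenticate(array $users, string $name, string $pass): bool
{
    // password_verify does the constant-time comparison for us.
    return isset($users[$name]) && password_verify($pass, $users[$name]);
}

function safe_redirect_target(?string $refer, string $fallback): string
{
    // Only honour same-site paths: refuse schemes, hosts, // and /\ prefixes.
    if ($refer !== null && preg_match('#^/(?![/\\\\])[^\r\n]*$#', $refer)) {
        return $refer;
    }
    return $fallback;
}

$name = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (!authenticate($users, $name, $pass)) {
    $_SESSION['logged_in'] = false;    // always assign the bool, as Rich advises
    header('Location: /login.php?error=1');
    exit;
}

session_regenerate_id(true);           // fresh id on login defeats fixation
$_SESSION['logged_in'] = true;
$_SESSION['username']  = $name;

$target = safe_redirect_target($_GET['refer_id'] ?? null,
                               '/users/' . rawurlencode($name) . '/');
header('Location: ' . $target);
exit;
```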
#4
March 1st, 2004, 11:13 PM
Registered User
Join Date: Feb 2004
Location: Brisbane, QLD, Australia.
Posts: 3

Thanks Rich, I appreciate your help. It will take time for me to fully digest your response; in the meantime, I'll read up on sessions in detail. A new concern is that I am not using Apache, so the .htaccess might not be a solution.

I'm not running my own server, I'm using catalog.com for shared hosting (bad host but good support; run by salesmen, not techies). I don't want to change servers yet. They had major trouble getting PHP installed properly with Apache & Linux. They moved me over to IIS, which seems OK. Is there something similar to .htaccess on IIS?

I noticed in your code example above you prematurely ended an if statement in a <?PHP ?> block, wrote HTML code, then opened a new <?PHP ?> block and continued the if statement - this is quite cool, I didn't think this would be possible. How does this work? I would have thought that all local variables and current processes would have ended with the closing of the <?PHP ?> block - obviously not.


Thanks again,
Justin
#5
March 2nd, 2004, 12:42 AM
richard.york
Wrox Author
Join Date: Jun 2003
Location: Camby, IN, USA.
Posts: 1,706

Well, I don't know if IIS has a .htaccess equivalent. I did a bit of searching on the topic and I don't think so. I think you'd be better off with an Apache server. That's very strange that they can't get PHP working with Apache on a Linux machine.. PHP being a member of the open source family and all.. as far as I know most Linux distributions already come with Apache, PHP and MySQL. Anyhow, if it comes down to you *not* being able to append/prepend files you can always do it the manual way.. just include the code in every file that needs protection. It isn't as dynamic but it works. And like I said before this isn't the *only* solution to the problem. You can use templates, a DB backend instead of directories, HTTP authentication.. there are several solutions to this problem.

The <?php and ?> can indeed be broken up like that; in fact, besides regular if/else chains you can do it with loops too. PHP remembers all the variables and whatnot from block to block. This is one of the main features that distinguishes PHP from Java and Perl and other languages. You can open and close PHP blocks as much as you want throughout a page. I believe ASP can also do that.

<?php $foo = 'Hello, World!'; ?>

<html>
    <head>
      <title><?php echo $foo; ?></title>
    ...etc..

#6
March 3rd, 2004, 08:43 PM
Friend of Wrox
Points: 2,570, Level: 21
Join Date: Jun 2003
Location: San Diego, CA, USA
Posts: 836

Another way to think about it is that you only have three scopes -- global scope, class scope, and function scope. Variables created in global scope are accessible anywhere else in global scope.

All HTML and plain text in a PHP script is just automatic output in global scope. All <?php does is enter you into a PHP code block in global scope. The ?> tag puts you back into "text output mode" in global scope.

It's important to see it this way because it explains fundamentally why variables don't cease to exist at the end of a PHP code block -- you're not actually opening or closing scopes. PHP doesn't handle nested scopes within any scope context (i.e. global, class, function).


For example:

<?php

// In C, C++, and Java, the next line would open a new scope:
{
   $foo = "Hello, world.";
}

// In C, C++, and Java, $foo wouldn't exist here, because its life
// would be confined to the curly-brace scope block defined above.
// PHP has no such "nested scopes".

echo $foo; // prints "Hello, world."

?>



Take care,

Nik
http://www.bigaction.org/

