I made a php script that acts as a to-do list. On the admin side (just admin.php), there is a display table, and this table fetches each record from the to-do list table in mysql, then places a remove button next to each record.
Every remove button has an anchor tag with an ID based on the specific associated row from mysql. So when someone clicks the remove button, the url goes to /remove.php?id=ROWID
The issue is that someone could enter that url from any page with the proper rowid, they could delete the data. On the remove.php, I am using the $_GET method, to get that ROWID. I could make a form and have that POST, which I have for other functions on the site. But even for those, if someone types in add.php, they could still access the add functions within the php script.
I tried starting a session using session_start(); in the admin.php page (which will eventually be locked to only authenticated users who have admin rights), but if someone knows the link, they are still able to go to /remove.php?id=ROWID even without being in the session, or stating a session from admin.php
Am I missing something? Is there a way to prevent access to remove.php expect for users who are authenticated or within the session?
Thanks to the above post,
I used:
if (isset($_SESSION['ID'])){
code goes here for if they are authenticated
}else{
die("You're not logged in as admin");
}
This will start a session on page1.php and on page2.php will check if a session was started from page1. If not, the error (die) message will be displayed.
If you want to expire the user’s session based on some length of time, use this example:
http://thisinterestsme.com/expire-php-sessions/
Related
I am trying to create a website where a user logs in or creates a new account if they are not already a user. I have that working, but what I cannot seem to figure out is how to have PHP or HTML save the username through different pages. A user logs in, and then based on the specific user, my website will show different exercises the user has completed in the past, as well as allow the user to add more exercises in the future. My website uses PHP, HTML, and MySQL to search different tables in my database and output the results.
I have tried many different possible solutions, such as sessions in PHP like this, but it did not work. Each PHP page has this at the beginning:
session_start();
and then further down, I have:
$_SESSION["Username"] = $_POST['Username'];
I have also tried hidden input values in HTML, but that did not seem to work quite right either. Each HTML page has this:
<input type="hidden" name="Username" value="Cbartowski">
I have tried a lot of ways to try to have my web page save the username and use that data throughout my pages, but I haven't had any luck. Would sessions in PHP be the way to go? Or hidden input in HTML? Or something else entirely?
Any help would be greatly appreciated!
First of all, using hidden input to store the username is a critical threat to your website.
One can easily check out the username of the person by viewing the source code.
Using PHP sessions is the way to go here.
What i have understood is that you are initializing
$_SESSION["Username"] = $_POST["Username"];
on every page. Now, consider you have two php pages.
One is form-request-handler.php and other is display-user-preferences.php
Now, when user submits the form the username gets set into session variable using the above code snippet on form-request-handler.php page.
Now, when user hits the display-user-preferences.php page, you again set the value of session variable. But since, no post request has been made to this page so Null is get saved into session variable and you are not able to retrieve the required information from the database.
So, whichever php page is handling the post request just initialize your session variable there and use it on other pages.
Sessions variables will be available to you unless you call
session_destroy();
Hope, this helps :)
html hidden input is not a good way because users can see it with the browser show source action.
are u shure session file are saved and the session ID is include in your links ?
if not sessions start a new session each time the user click a link.
have a look in your temp folder each time your clicking a link; if a new session file is created it's because you forget the session ID.
maybe it's the problem.
Check your form method : Should be POST
Check your variable using:
var_dump($_POST['Username']);
So from experience, its better to use post methods when doing user authentication. Purely for security reasons. In addition to this, using PHP's session variables is also the recommended way of passing user information from one page to another.
if you want to store the user name in the session variable, here are some steps you can follow
start the session using session_start();
name the session variable and store the information you want
$_SESSION['what-ever-you-want-to-call-it']=$what-you want to store
eg.$_SESSION['Username']=$_POST['Username']. Note the use of single quotes
You can now call $_SESSION['Username'] anywhere in a php script provide the session has been started before calling it. That is session_start();.
Note break apart the code your working on and ensure each individual piece works. eg,is the post providing you with the username??
I've got a little website project on which I'd like to implement a login-process. I have a login page, which gets me to a second page on successful login. On the second page I check wether the user is logged in with:
if($_SESSION['login']==1) {
Do PHP stuff;
}
But when testing with xampp and navigating directly to the second page I am able to fill in the form and perform actions without having logged in first on my first login page.
My question now is (I already know, that by default the SESSION variable lasts for about 24minutes), is the SESSION variable dependent on ip addresses or do I need to worry, that when one user is logged in and does stuff another user, who knows the url to my second page can just go to my second page and do stuff there without logging in properly?
Thanks for your help in advance :-)
I'm having a big trouble here: In my company we have a huge system and too many people access it every day. We are having the following problem:
User access his account on the pc A.
He goes to write his text
He write all his text but doesn't save it. Then open a new tab.
In the new tab, he access the account of his customer.
Using the account of his customer, he goes to write the customer's text.
After type the customer's text, he goes to the previous tab to save his own text and after save the customer text.
The two texts appears on the customer's page.
I was thinking in a way of the current screen store somewhere the actual session id, and then when the user click in a link, or post a form, the current page send the session id loaded when it was rendered to the requested page.
Can you help me please?
Thanks!
Its a little difficult to follow the use case specified, but it sounds like you need to check access rights to save 'text' to a particular account.
at the moment it appears that your authenticated customer account is saving to an account that isnt theirs?
for eg, in the new text method, before anything happens:
if($currentUserID != $accountOwnerID)
{
// throw a 403 exception here
}
this way if they happen to change identity during a session, their access rights will always be checked before anything else can happen.
The best solution is to use named sessions. See: session_name()
By using it, you can have different (and isolated) sessions which will not conflict to each other, even if in the same computer, same browser.
For your particular case, I would create a session named after the user logon, which is unique. That way, if user A logs in, he will have his own session. If a new tab is opened, and he logs as user B, a different session will be created, and both tabs will work simultaneously and correctly, each on it's own session space.
Just add session_name($UserLogon); before session_start(), should work good.
You can use session keys to check.
For that first you need to create a random session key and store it in a session variable. Also provide this value as a hidden element in your form. During the insertion you can check whether the value in hidden element is same as the session key, then insert. Else through error message. After successful insertion reset the session key again. It will overcome your problem.
Hope it helps.
I have users coming from both organic and paid search.
organic users land on page.php, paid users land on page.php?source=paid.
A PHP variable on page.php would change according the source string, to help me identify where the user initially came from, for example, if he purchase something on my site right from the same page, I would have an indication.
The problem:
I have multiple pages in my website. once a paid user decides to navigate to another page such as page2.php, the indicating variable won't work, as he navigated to page2.php, and not to page2.php?source=paid.
So one possible messy solution, would be to drag the string all over the website, by placing on every link, an IF/ELSE that would insert at the end of all the href in the page, a ?source=paid string, in any case that the user initially landed with the ?source=paid string.
But, is there another option? I suppose there's a way to do this with cookies? but I have never dealt with cookies, and rather not to, unless it's easy.
Thanks
This is exactly what sessions are for:
Sessions are a simple way to store data for individual users against a unique session ID. This can be used to persist state information between page requests. Session IDs are normally sent to the browser via session cookies and the ID is used to retrieve existing session data.
To solve this I would recommend you to use Sessions.
On the first page you need to set the session variable with something like this:
<?php>
session_start();
if isset($_GET['source']) {$_SESSION['source'] = $_GET['source'];}
and the rest of your first page goes here..
?>
On the other pages you can recall the sessionvariable like this:
<?php>
session_start();
if ($_SESSION['source'] == 'paid')
{ paid version}
else
{unpaid version}
?>
I make this post because I am really confused about session in PHP. I have a page (index.php) and I save in session a lot of variables (for example, one of this is $_SESSION["FID"]) and i redirect the user in a third party iframe. When the user enter successful his data in iframe, the iframe redirects the user again in index.php and also saves in session other variables.
When the user enters again in index.php I check the session, which comes from iframe (every time the session is set) and after that I make a check if $_SESSION["FID"] isset.
The problem is that most of the times (regardless the browser or something else), $_SESSION["FID"] is empty. Why is this happening? How can I find a solution in this?
I 've tried to be clear and not to confuse you.
You must put session_start(); at the top of every page you want you $_SESSION data to exist.