PHP Sessions and Cookies set up - php

I want to learn something that I couldn't find on the internet.
I created a simple website, more like a simple web app, with the following structure:
index.php --> handles log in or register
home.php --> main state of the website.
So basically, when a user logs in, I want the website to direct him to home.php. I did that already. But I get a really annoying bug.
If I brute force the redirect by typing www.someexample.com/home.php directly, the user can bypass the main log in screen. O.o
So I thought that if I use a session checker to see whether the user is logged in or is just a brute forcer (sorry about the bad term), the website can redirect him to the log in screen. And if the user doesn't want to log in every time, he can check a Remember me button to remember the session.
So in the end I want to have two methods: one to check whether a user is logged in or not, and the other to save his session even after he closes the computer, until he pushes the log out button.
I have checked many articles on the web but I couldn't find how to start in my own project. Can you guys help me start off with a basic structure? I use MySQL.

It sounds like this has been asked/answered. You need a redirect. Have them log in at the index.php page and post back to it. Have it check that the login is correct and, if it is, redirect to home.php with a posted hash key to check against so that you know the login was valid. You can skip the cookies altogether, which some browsers have turned off regardless.
See here for how to redirect.
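As an added example (not code from the question or the answer above), this is the basic structure the question asks for: a login handler on index.php that redirects after a successful POST, a guard that every protected page such as home.php includes before any output, and a "remember me" cookie whose secret is stored hashed in MySQL. The table and column names (`users`, `remember_tokens`), the cookie name `remember`, and PHP 8 with PDO are assumptions made for the illustration.

```php
<?php
// Added example, not from the original post. Assumes PHP 8, PDO, and two
// tables (assumed names): users(id, username, password_hash) and
// remember_tokens(selector, validator_hash, user_id, expires_at INT).
declare(strict_types=1);

function start_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// index.php: handle the POSTed form, then redirect (POST -> Redirect -> GET),
// so a reload on home.php never resubmits the credentials.
function handle_login(PDO $db, string $username, string $password, bool $remember): void {
    start_session();
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        $_SESSION['login_error'] = 'Invalid username or password';
        header('Location: /index.php', true, 303);
        exit;
    }
    session_regenerate_id(true);            // fresh id after the privilege change
    $_SESSION['user_id'] = (int) $user['id'];
    if ($remember) {
        issue_remember_token($db, (int) $user['id']);
    }
    header('Location: /home.php', true, 303);
    exit;
}

// Split token: the selector finds the row, the validator is the secret and is
// only ever stored hashed, so a database leak does not hand out valid cookies.
function issue_remember_token(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + 30 * 86400;       // 30 days (assumed lifetime)
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie('remember', $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// home.php and every other protected page: call this before any output.
// Returns the user id or redirects to the login page.
function require_login(PDO $db): int {
    start_session();
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    // No live session: try the remember-me cookie before giving up.
    if (isset($_COOKIE['remember']) && str_contains($_COOKIE['remember'], ':')) {
        [$selector, $validator] = explode(':', $_COOKIE['remember'], 2);
        $stmt = $db->prepare(
            'SELECT user_id, validator_hash FROM remember_tokens WHERE selector = ? AND expires_at > ?'
        );
        $stmt->execute([$selector, time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row !== false && hash_equals($row['validator_hash'], hash('sha256', $validator))) {
            session_regenerate_id(true);
            $_SESSION['user_id'] = (int) $row['user_id'];
            return (int) $row['user_id'];
        }
    }
    header('Location: /index.php', true, 303);
    exit;
}
```

Typing home.php into the address bar now goes through `require_login()`, which either finds a session, restores one from a valid remember-me cookie, or redirects to index.php. Note that the session itself is still carried by a cookie (PHP's session id), so the browser has to accept cookies for any of this to work.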

Related

What is the best method to prevent users from accessing data that can only be obtained by being logged in?

I am using a publicly made login to test and modify, however no matter what I do when a user logs out, they are able to log right back in by using the back button in their browser, refresh the page, and still be logged in. What is the best way to prevent this? I am new to PHP and am in the process of learning. Any help would be greatly appreciated.
You can find all of the files necessary here: https://github.com/devplanete/php-login-advanced.
You can also test it here: http://www.php-login.net/demo3.html
I think there are only 2 possibilities for what is wrong.
First, you do not delete the cookies and the sessions properly, which means the user is not logged out.
Secondly, you don't check on the page they try to access whether the user is logged in or not.
Update: As said above in the comments, you need to separate your login form handling from the index page if you don't want the user to be able to log in again from the logout page by pressing the back key.
Your template is currently index.php => index.php login handling, then displaying.
You need to do index.php => login.php login handling => redirect back to index.php
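To show the two points in the answer concretely, here is an added example (not code from the linked php-login-advanced project) of a logout handler that clears the server-side session, the session cookie and a remember-me token, together with a guard for protected pages that also forbids caching, so "Back" after logout re-requests the page and hits the redirect instead of showing a cached copy. The `remember_tokens` table and the `remember` cookie name are assumptions.

```php
<?php
// Added example, not from the linked project. Assumes PHP 8, PDO, and an
// assumed table remember_tokens(selector, validator_hash, user_id, expires_at).
declare(strict_types=1);

// logout.php: remove every trace of the login, then redirect.
function logout(PDO $db): void {
    session_start();
    // Invalidate the remember-me token server-side, not just in the browser.
    if (isset($_COOKIE['remember']) && str_contains($_COOKIE['remember'], ':')) {
        [$selector] = explode(':', $_COOKIE['remember'], 2);
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        setcookie('remember', '', ['expires' => time() - 3600, 'path' => '/']);
    }
    $_SESSION = [];
    // Expire the session cookie with the same attributes it was set with...
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
    // ...and destroy the session data on the server.
    session_destroy();
    header('Location: /index.php', true, 303);
    exit;
}

// Include on every protected page before any output. Without the no-store
// headers the browser may replay the page from cache when the user presses
// Back, which looks like "still logged in" even though the session is gone.
function require_login_no_cache(): int {
    session_start();
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: 0');
    if (!isset($_SESSION['user_id'])) {
        header('Location: /index.php', true, 303);
        exit;
    }
    return (int) $_SESSION['user_id'];
}
```

The "log right back in with Back" symptom from the question usually comes from one of three things this covers: session data left on the server, a session cookie left in the browser, or a protected page served from the browser cache without the server ever being asked.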

How do you redirect the user to their previous page after logging in with PHP?

I have a log in widget included on every page on my website. Currently when they log in, they are redirected to the home page. However I want it so when they log in, they stay on the page they are currently viewing.
On my forum you have to be logged in to post (obviously). I would like it so they will stay on the forum post they are trying to reply to after logging in, rather than having to find it again. How do I do this?
The simplest (albeit not completely reliable) way is to use HTTP_REFERER and redirect to the referer page. You might need to pass this around a bit in case your login action spans multiple pages.
The more proper way is to store the current (not logged in) page in the session and redirect to that session value on login.
You can bind your current page inside your login widget in a hidden field and tell the authentication page to redirect to this bound value as the page after login success.
Or if you want to be more secure, try using sessions and bind the current page inside it, then extract the variable bound into this session in your authentication page, then redirect to it as a valid page,
and you can also check whether this variable is a valid page by using file_exists. So please try that and tell me the result.
It depends on the case, but a couple of options come to mind:
Having a redirect parameter that will redirect the user once he logs in.
Using the HTTP_REFERER to refer the user back to where he came from.
Depending on the login form, you could send an ajax request to log in the user without moving him.
But I think it ultimately depends on your environment, and since you haven't provided any information/code other than "my forum", I can only be as vague as your question.
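The hidden-field and session approaches from the answers above share one caveat the thread does not spell out: whatever is stored as the return target ends up in a `Location` header, so it must be checked before use or the login form becomes an open redirect. The following is an added example (not code from any answer) that remembers the current page in both the hidden field and the session and only redirects to a path on the same site. Function names, the `/login.php` action and the `return` field name are assumptions.

```php
<?php
// Added example, not from the original answers. Assumes PHP 8.
declare(strict_types=1);

// Accept only a path on this site: no scheme, no host, no credentials, and
// no protocol-relative "//host" or backslash variant browsers treat the same way.
function safe_return_path(?string $candidate, string $fallback = '/'): string {
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//') || str_starts_with($path, '/\\')) {
        return $fallback;
    }
    if (strpbrk($path, "\r\n") !== false) {
        return $fallback;                         // no header injection via the target
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Login widget rendered on every page: remember where the user is, both in a
// hidden field and in the session (the session copy survives a widget that is
// posted from a different page than it was rendered on).
function render_login_widget(): string {
    $current = safe_return_path($_SERVER['REQUEST_URI'] ?? '/');
    $_SESSION['return_to'] = $current;
    $h = htmlspecialchars($current, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/login.php">'
         . '<input type="hidden" name="return" value="' . $h . '">'
         . '<input name="username" autocomplete="username">'
         . '<input type="password" name="password" autocomplete="current-password">'
         . '<button type="submit">Log in</button></form>';
}

// login.php, after the credentials have been verified and the session set up:
// prefer the session copy, fall back to the posted field, validate either way.
function redirect_after_login(): void {
    $target = safe_return_path($_SESSION['return_to'] ?? ($_POST['return'] ?? null), '/');
    unset($_SESSION['return_to']);
    header('Location: ' . $target, true, 303);
    exit;
}
```

With this in place a forum reply page such as `/forum/thread.php?id=42` is restored after login, while targets like `https://evil.example/`, `//evil.example/` or `javascript:` fall back to `/`. The `file_exists` check suggested above is a weaker test: it says nothing about off-site URLs and tends to break as soon as URLs are rewritten to front controllers.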

Benefits of a redirecting page after logging in

I see many sites (like ones using vBulletin) that have a...
Thank you! You were successfully logged in. Click here to continue
page.
Are there any benefits/advantages of doing such? What's the difference between that and not redirecting?
The flow with the redirection site is the following (opener page here means the first page of your "logged in"-area):
login page --(login data)--> redirect page ----> opener page
as opposed to this flow without it:
login page --(login data)--> opener page
The difference appears when the user is on the opener page and hits reload. In the first case just the page reloads and everything is (hopefully) fine.
In the second case, however, the login data is sent again. This has two consequences:
Most browsers will display a "Do you really want to resend that data?" dialog to the user, probably confusing the user; maybe even so much that he leaves your site.
On the backend side, another login process may be triggered. This can mess up some protection against multiple logins or your logging of user activity.
In general the first consequence is much more critical, as the second can be prevented by you as the page developer. So basically you save your users some time by not confronting them with an (unnecessary) dialog box, and a happy user is a recurring user.
edit after the comments
#Christoph: The above pattern is called the PRG pattern
#CodeCaster: Instead of a separate page, just send a 302-redirect in the response header directly after the login.
This solution is the best in my mind when you don't want to use JavaScript for the user login.
You can use this, but I prefer to auto-redirect the user after login.
The best for user interaction, in my mind, is a JavaScript login.
You don't redirect the user, you don't reload the page, and it's faster.

Logging into Joomla site using an external php script

I am trying to have a user log in to a Joomla site from an external site and then be redirected to a page that only registered users can view. I used this script and it seems to be working somewhat. I can see the user logged in via the Joomla admin panel; however, when I put in a redirect at the end of the script, i.e.
header('Location: registered page url');
Joomla prompts me to log in in order to view the registered page. What am I doing wrong? The original post never discussed how to redirect the user. Also, when I don't put the redirect in the code, the browser just goes to a blank white page. Is that normal? Shouldn't it go to the home page of the curled site?
Also note that I've tried adding a return url to the code:
$loginRedirectUrl = 'index.php?option=com_content&view=article&id=146&Itemid=178';
$loginRedirectUrl = base64_encode($loginRedirectUrl);
$postfields['return'] = $loginRedirectUrl;
When I did a print_r($postfields) it returned everything filled in, including the encoded return URL and token. So I'm highly confused as to why it looks like I'm logged in but the browser still somehow isn't keeping the cookies or something like that.
Cookies are not disabled.
Any help would be greatly appreciated. Thanks in advance.
Let's see if we can cover this one step at a time. The bit of code in the other post just handles the logging in. If you run it unedited, you will just end up with a blank page when it runs, so that is normal.
Next, if everything including the token is showing up in $postfields, then the next thing I would check is whether the Joomla admin shows a logged in session. If it does, then the problem is in the cookie being transferred to the browser. If it isn't, that would indicate that the session was created but the login failed for some reason.

How to go about implementing a "confirm password" page, when the user is already logged in?

On my website that I'm developing I've already got all my login sorted, and it works correctly, including session saving.
To improve the user's security and privacy I'd like to implement some kind of "confirm your password" page whenever the user requests to view a sensitive page (such as an activity log, or changing some settings) to further protect against session hijacking. I am, however, not sure how to go about doing this.
I'm unsure of the security best practices for this, and as this project site is a learning curve for me, I'd appreciate being taught.
The structure that I think I'm aiming to achieve may be like this: current page --(user goes onto history log)-> Please confirm your password --(user gets the correct password)-> history log page 1 --(user wants the next page of the history log)-> history log page 2 --(user goes to the home page)-> home page --(user goes onto history log)-> Please confirm your password --(user gets the correct password)-> history log page 1
From what I understand about doing this correctly I need to make it so that once the user navigates away from the History Log they're no longer authorized to view it.
If someone could provide some tips on how to do this I'd be greatly appreciative. I've tried to search for some tutorials but couldn't find any (it's completely possible I chose bad search terms); if someone could even just offer a link to a tutorial then that would be greatly appreciated too.
Thanks, Jordan.
I would simply add a $_SESSION variable for this user that gets reset when he navigates to any page that is not the history log.
Furthermore, I'd use a general mechanism like this:
On all your pages, set a
$page_section = 'something';
And then, include a small snippet that does:
if (isset($_SESSION['last_visited_section']) && $_SESSION['last_visited_section'] != $page_section) {
    // New section visited: reset $_SESSION['last_visited_section'] or anything relating to your security mechanism here
}
$_SESSION['last_visited_section'] = $page_section; // remember the section for the next request
Is that of any help?
If you are concerned about session hijacking, use HTTPS and set the session cookie to HTTPS only.
For confirming a password, ask them to enter it the same way you do for login and check to make sure the hash matches what is in your user table, the same way you do for login.
I create an object called $scookie which I use to define how I want my sessions.
session_set_cookie_params(
    $scookie->lifetime,   // 0 = cookie expires when the browser closes
    $scookie->path,
    $scookie->rootDomain,
    $scookie->secure,     // true = only sent over HTTPS
    $scookie->httponly);  // true = not readable from JavaScript
session_start();
In the above, when I am concerned with hijacking (anything that has a user login), I make sure $scookie->secure is set to true.
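Putting the two answers together, here is an added example (not code from the question or either answer) of the flow the question sketches: a password confirmation that stores a timestamp in the session, a sensitive section that requires that timestamp to be recent, and a section tracker that drops the confirmation as soon as the user leaves the section, so going home and coming back asks for the password again while paging within the history log does not. The five-minute window, the `users(id, password_hash)` table, and the page names are assumptions.

```php
<?php
// Added example, not from the original post. Assumes PHP 8, PDO, and an
// assumed table users(id, password_hash) holding password_hash() output.
declare(strict_types=1);

const REAUTH_WINDOW = 300;   // seconds a confirmation stays valid (assumed value)

function secure_session_start(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Call on every page except confirm_password.php, naming the section the page
// belongs to. Entering a different section forgets the confirmation, so the
// user must confirm again when they come back to the sensitive one.
function track_section(string $section): void {
    if (($_SESSION['last_section'] ?? null) !== $section) {
        unset($_SESSION['reauth_at']);
    }
    $_SESSION['last_section'] = $section;
}

// Sensitive pages call this; it sends the user to the confirmation page unless
// a recent confirmation exists, remembering where to come back to.
function require_recent_reauth(string $returnTo): void {
    $at = (int) ($_SESSION['reauth_at'] ?? 0);
    if (time() - $at > REAUTH_WINDOW) {
        $_SESSION['reauth_return'] = $returnTo;
        header('Location: /confirm_password.php', true, 303);
        exit;
    }
}

// confirm_password.php POST handler: exactly the same check as at login,
// against the stored hash of the already logged-in user.
function confirm_password(PDO $db, int $userId, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, (string) $hash)) {
        return false;
    }
    session_regenerate_id(true);        // a copied old session id is now worthless
    $_SESSION['reauth_at'] = time();
    return true;
}

// After a successful confirmation: go back to the page that asked, but only to
// a local path, never to an absolute or protocol-relative URL.
function finish_reauth(): void {
    $to = (string) ($_SESSION['reauth_return'] ?? '/');
    unset($_SESSION['reauth_return']);
    if ($to === '' || $to[0] !== '/' || str_starts_with($to, '//') || strpbrk($to, "\r\n") !== false) {
        $to = '/';
    }
    header('Location: ' . $to, true, 303);
    exit;
}

// history_log.php, before any output: login check, section tracking, step-up.
function history_log_guard(): int {
    secure_session_start();
    if (!isset($_SESSION['user_id'])) {
        header('Location: /index.php', true, 303);
        exit;
    }
    track_section('history');           // page 1 -> page 2 stays in 'history'
    require_recent_reauth($_SERVER['REQUEST_URI'] ?? '/history_log.php');
    return (int) $_SESSION['user_id'];
}
```

The home page would call `track_section('home')`, which is what clears `reauth_at` and produces the "confirm again" step in the question's flow. Regenerating the session id on confirmation is the part that actually helps against a hijacked session: an attacker holding the old id is logged out the moment the real user confirms.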
