Is the PHP SESSION variable dependent on ip address? - php

I've got a little website project on which I'd like to implement a login process. I have a login page, which gets me to a second page on successful login. On the second page I check whether the user is logged in with:
    session_start();   // the session must be started on this page too, before $_SESSION is read
    if (isset($_SESSION['login']) && $_SESSION['login'] == 1) {
        // do PHP stuff
    }
But when testing with XAMPP and navigating directly to the second page, I am able to fill in the form and perform actions without having logged in first on my login page.
My question now is (I already know that by default the SESSION variable lasts for about 24 minutes): is the SESSION variable dependent on IP addresses, or do I need to worry that when one user is logged in and does stuff, another user who knows the URL to my second page can just go to my second page and do stuff there without logging in properly?
Thanks for your help in advance :-)

Related

preventing access to php file function

I made a php script that acts as a to-do list. On the admin side (just admin.php), there is a display table, and this table fetches each record from the to-do list table in mysql, then places a remove button next to each record.
Every remove button has an anchor tag with an ID based on the specific associated row from mysql. So when someone clicks the remove button, the url goes to /remove.php?id=ROWID
The issue is that someone could enter that url from any page with the proper rowid, they could delete the data. On the remove.php, I am using the $_GET method, to get that ROWID. I could make a form and have that POST, which I have for other functions on the site. But even for those, if someone types in add.php, they could still access the add functions within the php script.
I tried starting a session using session_start(); in the admin.php page (which will eventually be locked to only authenticated users who have admin rights), but if someone knows the link, they are still able to go to /remove.php?id=ROWID even without being in the session, or starting a session from admin.php.
Am I missing something? Is there a way to prevent access to remove.php except for users who are authenticated or within the session?
Thanks to the above post, I used:
    session_start();   // page2.php must resume the session before it can read $_SESSION
    if (isset($_SESSION['ID'])) {
        // code goes here for if they are authenticated
    } else {
        die("You're not logged in as admin");
    }
This will start a session on page1.php and on page2.php will check if a session was started from page1. If not, the error (die) message will be displayed.
If you want to expire the user’s session based on some length of time, use this example:
http://thisinterestsme.com/expire-php-sessions/
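A hardened remove.php that applies the check above to the endpoint that was reachable by a bare URL, added here as an example (it is not the questioner's code). It assumes the login handler sets $_SESSION['ID'], that db.php provides a PDO connection $pdo, and that the table is named todo; all three are hypothetical names.

```php
<?php
// remove.php, hardened (added example, not the questioner's code).
// Assumes the login handler set $_SESSION['ID'] and that db.php provides a
// PDO connection $pdo to a table named todo (hypothetical names).
declare(strict_types=1);
require 'db.php';

// Every page that relies on $_SESSION must call session_start() itself:
// the session begun on admin.php is only visible here after this call.
session_start();

if (!isset($_SESSION['ID'])) {
    http_response_code(403);
    die("You're not logged in as admin");
}

// A delete reachable by plain GET fires from any typed or linked URL;
// accept the row id only from a POSTed form (the admin.php button below).
// POST alone does not stop a forged cross-site form, so keep the session
// check above in front of it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    die('Use the remove button on admin.php');
}

// Validate the id as a positive integer instead of trusting the raw string.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    die('Invalid id');
}

// Prepared statement: the id is bound, never concatenated into the SQL.
$stmt = $pdo->prepare('DELETE FROM todo WHERE id = :id');
$stmt->execute([':id' => $id]);

header('Location: admin.php');
exit;

// admin.php: render each remove button as a small POST form instead of
// an <a href="remove.php?id=..."> link, e.g. inside the table loop:
//   <form method="post" action="remove.php">
//     <input type="hidden" name="id" value="(the row id, cast to int)">
//     <button type="submit">Remove</button>
//   </form>
```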

What is the best method to prevent users from accessing data that can only be obtained by being logged in?

I am using a publicly made login to test and modify, however no matter what I do when a user logs out, they are able to log right back in by using the back button in their browser, refresh the page, and still be logged in. What is the best way to prevent this? I am new to PHP and am in the process of learning. Any help would be greatly appreciated.
You can find all of the files necessary here: https://github.com/devplanete/php-login-advanced.
You can also test it here: http://www.php-login.net/demo3.html
I think that there are only 2 possibilities for what is wrong.
First, you do not delete the cookies and the sessions properly, which means the user is not logged out.
Secondly, you don't check on the page they try to access whether the user is logged in or not.
Update: As said above in the comments, you need to separate your login form treatment from the index page if you don't want the user to be able to log in again from the logout page by pressing the back key.
Your template is currently index.php => index.php login treatment then displaying
You need to do index.php => login.php login treatment => redirect back to index.php
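The two fixes from the answer above (a complete logout, and a login handler that only redirects) as one added example; this is not the php-login-advanced project's code. It assumes a hypothetical verify_credentials($user, $pass) that returns the user id or null, and it is written for PHP 7.3 or later (the setcookie options array).

```php
<?php
// auth.php (added example; not the php-login-advanced project's code).
// Assumes a hypothetical verify_credentials($user, $pass) returning the user id or null.
declare(strict_types=1);

/** login.php: include this file and call handle_login(); it never renders HTML. */
function handle_login(): void
{
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $userId = verify_credentials($_POST['username'] ?? '', $_POST['password'] ?? '');
        if ($userId !== null) {
            session_regenerate_id(true);   // fresh session id once authenticated
            $_SESSION['user_id'] = $userId;
        } else {
            $_SESSION['login_error'] = 'Invalid username or password';
        }
    }
    // Always answer with a redirect: Back returns to index.php as a GET,
    // never to a POST that the browser would re-submit.
    header('Location: index.php');
    exit;
}

/** logout.php: include this file and call handle_logout(). */
function handle_logout(): void
{
    session_start();
    $_SESSION = [];                        // 1. forget server-side data for this id
    if (ini_get('session.use_cookies')) {  // 2. expire the cookie with the attributes it was set with
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                     // 3. drop the server-side session record
    header('Location: index.php');
    exit;
}

// index.php (top of file, before any output): the second check the answer names.
//   session_start();
//   header('Cache-Control: no-store');          // Back after logout must not show a cached copy
//   $loggedIn = isset($_SESSION['user_id']);    // render the content or the login form
```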

How do you redirect the user to their previous page after logging in with PHP?

I have a log in widget included on every page on my website. Currently when they log in, they are redirected to the home page. However I want it so when they log in, they stay on the page they are currently viewing.
On my forum you have to be logged in to post (obviously). I would like it so they will stay on the forum post they are trying to reply to after logging in, rather than having to find it again. How do I do this?
The simplest (albeit not completely reliable) way is to use HTTP_REFERER and redirect to the referer page. You might need to pass this around a bit in case your login action spans multiple pages.
The more proper way is to set the current (unlogged) page in session and redirect to that session value page on login.
You can bind your current page inside your login widget in a hidden field and tell the authentication page to redirect to this bound value as the page after login success.
Or if you want to be more secure, try using sessions and bind the current page inside it, then extract the variable bound into this session in your authentication page, then redirect to it as a valid page.
You can also check whether this variable is a valid page by using file_exists, so please try that and tell me the result.
It depends on the case, but a couple of options come to mind:
Having a redirect parameter that will redirect the user once he logs in.
Using the HTTP_REFERER to refer the user back to where he came from.
Depending on the login form, you could send an AJAX request to log in the user without moving him.
But I think it ultimately depends on your environment, and since you haven't provided any information/code other than "my forum", I can only be as vague as your question.

How can I capture the address that user was going to so I can redirect them after login?

I'm directing users to a page on my site from email (possibly an email client). When they reach the site they are presented with login screen and the address where they were headed is lost.
How can I capture the entire address that they were trying to visit, so that I can redirect them to it once they log in?
You need to capture the address as you redirect them to the login page (i.e. when you check if they are logged in). I'd recommend storing it in a session. A very quick method would be to redirect to /login.php?from=store.php for example; however, this is not the best way, as the $_GET['from'] could be hijacked to redirect the user somewhere else, which is why I use $_SESSION to store this value.
First of all, I don't know much about Symfony so I will let you know what I do in PHP.
There are a few techniques I use depending on the app.
Option 1: I send the user to the page they are to log into, e.g. mydomain.com/landing.php and set a SESSION variable with the URL before redirecting to the login form. When the login is performed successfully there is a header function that will redirect to the originating page where the logged in user can now interact with the page.
Option 2: I create a login function and where there is no login SESSION or COOKIE the form is called; upon submitting the form using action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" I set a POST variable, and before any HTML tag is called I have something like
    if (isset($_POST['run_login'])) {
        include('my_login_handler.php');   // handles the submitted credentials inline
    }
This takes care of the login activity and doesn't require any redirection to the target page as it is handled inline.
Option 3: Like option 2, I create a login function where there is no login SESSION or COOKIE, but this time I POST the data to my_login_handler.php rather than including it. Upon successful authentication to the site I call header('Location: '.$_SERVER['HTTP_REFERER']); which will redirect to the referring page, meaning I don't need to set any special COOKIES or SESSION variables to handle the redirect back to the target page.
The right option, regardless if it is here or not, is going to depend on your application and what you can/need to do. So have a play with the various suggestions and see what works best in the application you're currently working on.
Good luck!
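The session-stored approach from both answers above (the first answer's $_SESSION value and the second answer's Option 1), as an added example that is not either answerer's code. It assumes the login handler sets $_SESSION['user_id'] (a hypothetical name) and adds the check the first answer hints at: the stored target is only ever used as a same-site path, so it cannot be hijacked into an off-site redirect.

```php
<?php
// Added example, not the answerers' own code: remember the page a not-yet-
// logged-in user asked for, and return there after login without letting the
// stored value send them off-site. Assumes $_SESSION['user_id'] is set by the
// login handler (hypothetical name).
declare(strict_types=1);

/** Put at the top of every protected page, before any output. */
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (isset($_SESSION['user_id'])) {
        return;
    }
    // Remember the target only for GET requests; a POST cannot be replayed after login.
    if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
    }
    header('Location: /login.php');
    exit;
}

/**
 * Reduce a stored or submitted target to a same-site path, defaulting to "/".
 * "https://evil.example/", "//evil.example/" and "/\evil.example" are all
 * rejected: this is the hijack risk of trusting a bare ?from= value.
 */
function safe_return_to(?string $target): string
{
    if ($target === null || $target === '') {
        return '/';
    }
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || !isset($parts['path']) || $parts['path'][0] !== '/'
        || substr($target, 0, 2) === '//' || strpos($target, '\\') !== false) {
        return '/';
    }
    return $target;
}

// In login.php, once the credentials check has succeeded:
//   session_regenerate_id(true);
//   $_SESSION['user_id'] = $userId;
//   $target = safe_return_to($_SESSION['return_to'] ?? null);
//   unset($_SESSION['return_to']);
//   header('Location: ' . $target);
//   exit;
```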

Duplicate User login

Is there an option to handle duplicate user login in PHP? When I'm logged in in one tab and I open another tab, it must display "duplicate user" or "user already logged in". Kindly send me suggestions or the ways in which I can handle duplicate user login.
Well, store the user info in $_SESSION vars
And at the top of the page
    <?php
    check_login();
And in the check_login() function
    function check_login()
    {
        session_start();   // resume the session this browser's cookie points to
        if (isset($_SESSION['is_logged'])) {
            echo "user is already logged";
        } else {
            echo "user is not logged";
        }
    }
I am sure if you put this on top of every page, you will be able to do so.
This will work for the same browser. But for a different browser, it will not work.
I'm afraid you can't do it, since (as far as I see) e.g. Google's duplicate login can't do the trick either. When you switch accounts within Google they actually switch the user, but you can't log in with two different identities in the same browser. Maybe somehow you can trick the browser, but probably that will come with a security issue.
Btw, have you tried tricking cookies to do it?
Update:
build a database backend to manage (duplicate) logins
use cookies beside sessions (store a unique value to differentiate each login)
on every page request compare your cookie > session > database to decide who requested the page
Note: this is a rough outline for the task, you'll need to take care of unique session_id's, etc.
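Implementing that outline, as an added example (not the answerer's code): each successful login mints a random token that is stored both in the database and in the PHP session, and every request compares the two, so a login from a second browser invalidates the first. It assumes the users table has a nullable active_login_token column and that $pdo is an existing PDO connection; both are hypothetical names, and the token is kept in the session rather than a separate cookie.

```php
<?php
// Added example implementing the outline above (not the answerer's code).
// Assumes a users table with a nullable active_login_token column and a
// PDO connection $pdo (hypothetical names).
declare(strict_types=1);

/** Call after the credentials check succeeds: mint a token that identifies THIS login. */
function record_login(PDO $pdo, int $userId): void
{
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(32));   // 256-bit random, unguessable per login
    $stmt = $pdo->prepare('UPDATE users SET active_login_token = :t WHERE id = :id');
    $stmt->execute([':t' => $token, ':id' => $userId]);
    $_SESSION['user_id'] = $userId;
    $_SESSION['login_token'] = $token;
}

/**
 * Call on every page request. The session stays valid only while its token is
 * still the one stored for the user; a later login overwrites the column, so
 * the earlier session (other tab, other browser, other machine) fails here.
 */
function check_login(PDO $pdo): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'], $_SESSION['login_token'])) {
        return false;                      // not logged in at all
    }
    $stmt = $pdo->prepare('SELECT active_login_token FROM users WHERE id = :id');
    $stmt->execute([':id' => $_SESSION['user_id']]);
    $current = $stmt->fetchColumn();
    if (!is_string($current) || !hash_equals($current, $_SESSION['login_token'])) {
        $_SESSION = [];                    // superseded by a newer login: drop this one
        session_destroy();
        return false;                      // caller can show "user already logged in elsewhere"
    }
    return true;
}
```

To show the "duplicate user" message in the same browser instead, check isset($_SESSION['user_id']) on the login page before accepting new credentials; the database comparison above is what makes the cross-browser case detectable.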
