Stricter session control methods - php

In a nutshell: this is a question about improving the security of sessions in order to protect them from session fixation/hijacking.
I have a user registration form, login and article posting form.
Now, when a user registers, logs in or posts something there is always a thank-you page, different for all three. More specifically 'thankyou.php'.
The problem is users can access the static thank-you page by typing the URL 'site.com/thanks.php'.
I don't want this to happen; I want those pages to show up only when specific tasks have been arbitrated.
So, I thought about making SQL queries to see if the user has posts from the last 5 seconds and show the thank-you page, or show a 404, but it seems unnecessary to create a query just for that. And since I think PHP is flexible, if you guys give me an idea I could probably learn something new on the way on how to achieve this.

You can restrict the page with $_SERVER['HTTP_REFERER'] by checking where they are coming to the thankyou.php page from.

You can achieve this by setting the session like this:
session_start(); // must be called before any output is sent
if(isset($_SESSION['registration']) && $_SESSION['registration']=="registration")
{
echo "Thank you for registering";
unset($_SESSION['registration']); // one-time flag: a refresh or a typed URL shows nothing
}
elseif(isset($_SESSION['login']) && $_SESSION['login']=="login")
{
echo "Thank you for login";
unset($_SESSION['login']);
}
elseif(isset($_SESSION['post']) && $_SESSION['post']=="post")
{
echo "Thank you for Post";
unset($_SESSION['post']);
}
else
{
echo "session is not set,something is wrong";
}
So set the values in the session on the HTML page, like:
$_SESSION['login']="login";
//like for others also

Related

What is the best way to view a successful or a bad message?

For a long time, I've been thinking about what's the best way to display a success or error message. I need to refresh the page and then view the message. If I used $_GET (for example: /My-Page?status=success), the problem would be that anyone can edit the status. It's not a big problem, but I don't know if it's the best idea...
If I use SESSION:
$_SESSION['message'] = "Mail was sent successfully!";
header('Location: '.$_SERVER['REQUEST_URI']);
exit();
//and then:
if (!empty($_SESSION['message'])) {
echo $_SESSION['message'];
}
I would probably have done what I wanted, but if someone left and then came back to the page (or just refreshed the page), he will still see the message (and that's not what I want)...
So, to sum up, my question is: what's the best way to save the message to a variable so it only appears once (after the refresh, the message would disappear) and nobody could edit it? I'm sorry for my English, I hope I wrote it all clearly :-)
The simplest option is to slightly amend your session based code to clear the session data after displaying it
if (!empty($_SESSION['message'])) {
echo $_SESSION['message'];
unset($_SESSION['message']); //will not display again
}
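The one-time "flash" slot below is an added example, not code from either answer above, and it serves both the thank-you page after an action (first question) and the status message shown once after a redirect (this question). It assumes cookie-based sessions over HTTPS and PHP 7.3+; the page names are placeholders, and the last lines are the body of thankyou.php.

```php
<?php
// Added example, not code from the answers above.
// Assumes cookie-based sessions over HTTPS and PHP 7.3+; page names are placeholders.

declare(strict_types=1);

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: no script access, HTTPS only, not sent on cross-site navigation.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Store what just happened. The text lives server-side, so unlike ?status=success
// in the URL nobody can edit it, and unlike HTTP_REFERER nobody can forge it.
function flash_set(string $action, string $message): void
{
    $_SESSION['flash'] = ['action' => $action, 'message' => $message, 'at' => time()];
}

// Hand the pending flash back exactly once and delete it: a refresh, a revisit or
// typing the URL by hand finds nothing. Optionally require a matching action and
// drop flashes older than $maxAge seconds.
function flash_take(?string $expectedAction = null, int $maxAge = 300): ?array
{
    $flash = $_SESSION['flash'] ?? null;
    unset($_SESSION['flash']);                 // consumed, whatever happens next
    if (!is_array($flash)) {
        return null;
    }
    if ($expectedAction !== null && $flash['action'] !== $expectedAction) {
        return null;
    }
    if (time() - $flash['at'] > $maxAge) {
        return null;
    }
    return $flash;
}

// POST side, e.g. the end of login.php once the credentials checked out.
function finish_login(int $userId): void
{
    start_session();
    session_regenerate_id(true);   // new session id on login, so a pre-set id is useless (fixation)
    $_SESSION['user_id'] = $userId;
    flash_set('login', 'Thank you for logging in');
    header('Location: /thankyou.php', true, 303);   // POST-Redirect-GET
    exit;
}

// thankyou.php: show the pending message once; otherwise behave as if the page did not exist.
start_session();
$flash = flash_take();
if ($flash === null) {
    http_response_code(404);
    exit('Not found');
}
echo '<p>' . htmlspecialchars($flash['message'], ENT_QUOTES, 'UTF-8') . '</p>';
```

The registration and posting handlers call flash_set() with their own action name before redirecting; thankyou.php can pass that name to flash_take() if each action should land on its own page. Deleting the flash before the checks means even a rejected flash is gone, so nothing lingers in the session.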

How to require a user to be logged in

I'm fairly new to PHP and was wondering how I have to make the user log in before they can go to any other page on the website.
For example on www.cyka.us/p/index.php it will redirect them to www.cyka.us/p/login.php
Have you ever used sessions in PHP? You can use sessions as a marker if a certain user is logged in or not. It can be implemented like this:
session_start(); // before any output
$isLogIn = !empty($_SESSION['login']); // set by your login script after a successful login
if($isLogIn){
//go to other webpages
}
Search sessions for further information :)
You simply test for it:
if (!user_is_logged_in()) {
http_response_code(403);
include("p/login.php");
exit;
}
… the specifics of the user_is_logged_in function will depend on how you've implemented your login system.
You can do this with the sessions concept in PHP. For every page you need to check whether the user is logged in or not and redirect to the desired (login) page.
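As an added example (not code from the answers above), here is an auth guard to include at the top of every protected page, plus the login routine that establishes the session it checks. It assumes cookie-based sessions over HTTPS, PHP 7.3+, and a $lookup callback (a placeholder) that fetches ['id' => int, 'password_hash' => string] for a username from your user store.

```php
<?php
// Added example, not code from the answers above.
// Assumptions: cookie-based sessions over HTTPS, PHP 7.3+, and a $lookup callback
// (placeholder) returning ['id' => int, 'password_hash' => string] or null.

declare(strict_types=1);

const LOGIN_PAGE = '/p/login.php';
const IDLE_LIMIT = 1800;   // seconds without a request before the login lapses

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags: no script access, HTTPS only, not sent on cross-site navigation.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function user_is_logged_in(): bool
{
    start_session();
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    // Idle timeout: an abandoned or stolen session stops working by itself.
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_LIMIT) {
        unset($_SESSION['user_id'], $_SESSION['last_seen']);
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Put `require 'auth.php'; require_login();` as the first lines of each protected page.
function require_login(): void
{
    if (user_is_logged_in()) {
        return;
    }
    // Remember the requested path so login.php can send the user back, but only a
    // same-site path: a scheme, "//host" or backslash prefix would make this an open redirect.
    $next = $_SERVER['REQUEST_URI'] ?? '/';
    if ($next === '' || $next[0] !== '/' || substr($next, 0, 2) === '//' || strpos($next, '\\') !== false) {
        $next = '/';
    }
    header('Location: ' . LOGIN_PAGE . '?next=' . rawurlencode($next), true, 302);
    exit;
}

// Called by login.php on POST. Returns true and upgrades the session on success.
function login(string $username, string $password, callable $lookup): bool
{
    start_session();
    $row = $lookup($username);
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;                      // same response for unknown user and wrong password
    }
    session_regenerate_id(true);           // fresh id at the privilege change: defeats fixation
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}
```

The guard redirects rather than including login.php in place, so the browser's address bar reflects the login page and a later refresh does not re-run the protected page's code. Stored passwords are expected to come from password_hash(), which password_verify() checks in constant time per hash.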

Different page for different users using PHP

I want to know how I would get user 'McKenzie' to see his own unique page that he can manipulate and 'Wendy' to see her own page when she logs in.
I've created the login and the pages, connected them to a MySQL database given them ID's etc, so I can do all of this and I know about sessions etc. ;)
So can someone tell me how I would do this, would I have to make different pages for each separate user? I'm thinking something along the lines of
REGISTER PAGE:
Store data in database, get user ID and use "?pageid=1" to then take the user to the id based page.
But I'm not sure how I would make each page without making them manually, as you can imagine making a new page for each separate user would be a pain... and very inefficient. Any ideas?
And please show me an example with code, it would be GREATLY appreciated! Thank you all in advance!
My answer is assuming you want to create fully customizable user data with the added possibility of sharing the page between users (like a profile page). With that out of the way you can do this by creating one php page that searches the MySQL table by $_GET or $_POST data.
I'll expand this answer into a couple of steps...
SQL Tables
The first thing you will need is your MySQL set-up; I'll assume you have a basic set-up already done but I will go ahead and create a simple one.
The basic set-up will be the login data and the custom user data, you can view my set-up here.
php user page
The simplest way would be to get the requested user from the $_GET data. So to do this we would simply get the data and request the users information:
$requested_user = $_GET['id'];
$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'root', 'MyPassword');
try {
$stmt = $db->prepare("SELECT * FROM c_userpage WHERE id = ?");
$stmt->execute(array($requested_user));
$mydata = $stmt->fetch();
} catch (Exception $e) {
//error with mysql
die();
}
Now we can simply add the users data to the page!
echo "Hello! my name is {$mydata['username']}!\n";
echo "About Me: {$mydata['custom_data']}";
Sending users to their page
We can simply just use www.page.com/user.php?id=2 And this will request the data for the user with id=2
Extras
If you want to keep user pages private you can simply request the id with $_POST or $_SESSION and then check if the user is logged in!
Full code for user.php
Full code for user.php w/ private page
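The following user.php is an added example, not the answer's own code. It serves one page per user from the c_userpage table described above, using the id, username and custom_data columns from that answer, and adds the checks a practitioner would want: the id is validated before it reaches the query, a private page is only shown to its owner (compared against the server-side session, not a client-supplied value), and everything read from the database is escaped on output. It assumes a logged-in user's id in $_SESSION['user_id'], an is_private column, and placeholder database credentials.

```php
<?php
// Added example, not code from the answer above.
// Assumes columns id, username, custom_data (from the answer) plus an assumed is_private
// column; the logged-in user's id in $_SESSION['user_id']; placeholder DB credentials.

declare(strict_types=1);
session_start();

// Validate the id before it reaches the query: anything but a positive integer is rejected.
$requestedId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($requestedId === null || $requestedId === false) {
    http_response_code(400);
    exit('Bad request');
}

$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8mb4', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Parameterised query: the id is bound, never concatenated into the SQL.
$stmt = $db->prepare('SELECT id, username, custom_data, is_private FROM c_userpage WHERE id = ?');
$stmt->execute([$requestedId]);
$page = $stmt->fetch(PDO::FETCH_ASSOC);

if ($page === false) {
    http_response_code(404);
    exit('No such user');
}

// Authorisation: a private page is only shown to its owner. The comparison uses the
// server-side session, not anything the client sent in the request.
$viewerId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
$isOwner  = $viewerId !== null && $viewerId === (int) $page['id'];
if ($page['is_private'] && !$isOwner) {
    http_response_code(403);      // same response whether logged out or a different user
    exit('Forbidden');
}

// Escape everything from the database on output: custom_data is user-supplied, so
// printing it raw would let one user run script in another user's browser.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<h1>Hello! My name is ' . h((string) $page['username']) . '!</h1>';
echo '<p>About me: ' . h((string) $page['custom_data']) . '</p>';
if ($isOwner) {
    echo '<p><a href="edit.php">Edit my page</a></p>';   // only the owner may manipulate it
}
```

The same "is the viewer the owner" test belongs in edit.php before any UPDATE: the page id in the URL identifies which page, the session identifies who is asking, and the two must agree.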
Here's an example of what you could do:
<?php
session_start(); // must come before any output
if (!isset($_SESSION['user_id']) || !isset($_SESSION['user_name'])) {
echo '<p class="login">log in</p>';
//exit();
}
else {
$user_name = htmlspecialchars($_SESSION['user_name'], ENT_QUOTES, 'UTF-8'); // escape before output
echo('<p class="login">' . $user_name .'\'s page | Log out</p>');
}
?>
There's a lot more you could add, but this is just to generate information on whether they were logged in. If the $_SESSION['user_id'] is set, you can then generate code based on that information. (Note: you would need to create the $user_name or whatever variable, likely from an SQL query.)

How to check if a user is logged in not using sessions

I've been looking through a lot of posts about how to check if a user is logged in or not and most answers that I found were making use of sessions (that's how I understood it anyway :-p)
I included the following code in the PHP file and it kinda seems to work:
<?php
else if ($action =="aboutUs") {
// opens about us page either in secure or unsecured area depending on login
session_start();
if(isset($_SESSION['username']))
{
echo openHTMLsecurearea();
echo aboutUs();
echo closeHTML();
} else {
echo openHTML();
echo aboutUs();
echo closeHTML();
}
}
?>
Basically if the user is logged in I want to show the secure area and if not, then it should open the "regular" site.
When I first open the browser (and have deleted my history) it works as it is supposed to (opening the regular site when not logged in and then the secure area when logged in). However, when I then log out again it should show me the regular site again but it doesn't. It still shows me the secure area page.
I think that's because the same session is still running and therefore the username is still set even though I logged off.
I'm pretty sure that there is a way around this but I can't figure it out. The openHTML and openHTMLsecurearea set-up is probably not the best solution but it's a little too late to change this now, so it would be great if someone could help me with a way around this to ensure the user is actually logged in or not.
Any help is really appreciated thank you very much.
First consider using session_start() before any single char outside <?php ?>
Logout code is simply <?php session_destroy(); ?> and has the same rule as session_start: no HTML before.
And as everybody tells you... No session, no login system - or a really insecure one
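The logout below is an added example, not code from the question or the answer above. It addresses the symptom described in the question: session_destroy() on its own leaves $_SESSION populated until the request ends and leaves the session cookie in the browser, so an isset($_SESSION['username']) check can still pass. The example clears all three places and then redirects. It assumes cookie-based sessions, PHP 7.3+, and that nothing has been output yet; the action name and page path are placeholders.

```php
<?php
// Added example, not code from the question or answer above.
// Assumes cookie-based sessions, PHP 7.3+, and no output before this point.

declare(strict_types=1);

function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();               // must run before any HTML is sent
    }
    // 1. Clear the in-memory copy: session_destroy() alone leaves $_SESSION populated
    //    until the request ends, so a later isset($_SESSION['username']) in this same
    //    request would still be true.
    $_SESSION = [];
    // 2. Expire the session cookie so the browser stops presenting the old id.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }
    // 3. Remove the server-side session data.
    session_destroy();
}

// Dispatcher excerpt (placeholder action name): log out, then land on the public page
// via a redirect, so a refresh does not repeat the logout and the next request starts
// with no session at all.
if (($_GET['action'] ?? '') === 'logout') {
    logout();
    header('Location: index.php?action=aboutUs', true, 303);
    exit;
}
```

After the redirect, the aboutUs branch from the question calls session_start(), gets a brand-new empty session (the old cookie is gone), and isset($_SESSION['username']) is false, so the regular site is shown. For login, the counterpart is session_regenerate_id(true) right after the credentials are verified, so the pre-login session id never becomes an authenticated one.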

Query runs as many times as one does refresh

If possible I'd need help with a reload thing. I mean I have this query, which gets submitted on one page: there is this profile registration, the user enters his name and surname, then he proceeds to the next page entering more specific details. If a user reloads the page, i.e. 4 times, that's the number of times that the user's information gets inserted in the database.
Is there any reload function to prevent the submission of the query?
I haven't tried anything, if you would ask me that, because I don't know how to start. The only clue I have is about using AJAX, but is there any PHP way to do this?
Thanks
You should follow the POST-Redirect-GET pattern and ALWAYS redirect after a successful POST:
Without seeing your code, you'll need a redirect like this:
if($inserted){
header('Location: mypage.php?msg=reg_success');
exit;
}
Then, on mypage.php, you could do something like:
if(isset($_GET['msg'])){
switch($_GET['msg']){
case 'reg_success':
echo 'Registration successful!';
break;
}
}
Or, you could create an array for success messages:
$success_messages = array(
'reg_success' => 'Registration successful!',
'logout_success' => 'Logged out!'
);
And then on mypage.php:
if(isset($_GET['msg']) && array_key_exists($_GET['msg'], $success_messages)){
$msg_index = $_GET['msg'];
echo $success_messages[$msg_index];
}
You should record all registration data in the session and write it once after the user clicks some "Finish" button.
Then redirect him and clear the relevant session data.
This way you can have any number of stage pages and nothing will be duplicated.
