php auth sending specifc users to a specific page - php

first off third question I've asked and all have been answered well! So thanks to everybody who reads my posts (and others I guess)
I've gotten as far as I can without complete help on this one. I need to create a username and password section. I've done this before using htaccess, htauth files. Works well. Secure, and log's them in fine. What I'm looking for though is some sort of script that will take a specific user to a specific page after login.
User1= user1.php
user2= user2.php
Ect.
Is this possible without a whole lot of work? I can make workarounds where the users login to the main index, then go where they need to, but then anyone logged in can go to anyone's page.
I'm not asking anyone to write the code. But even some guidance to some tutorials would be great!

If the page is authenticated using .htaccess, upon successful login the username is available as $_SERVER['PHP_AUTH_USER'].
So you can either redirect the user using Location, or even better, directly include() the desired file.
You can place the user1.php, user2.php, ... files in a directory of their own, with a .htaccess that disallows direct access. This won't stop PHP from being able to include the files, and this way only the authenticated user can have access to his file.
if (isset($_SERVER['PHP_AUTH_USER']))
{
$pvdir = './user_private_files/';
// "basename" in case we log in little Jack Folders (Bobby Tables's cousin)
$user = basename(strtolower($_SERVER['PHP_AUTH_USER']));
$file = $pvdir.$user.'.php';
if (file_exists($file))
{
include $pvdir."any_common_code_at_the_beginning_of_user_files.php";
include $file;
include $pvdir."any_common_code_at_the_end_of_user_files.php";
exit();
}
include ugly_error.php;
}

htauth is .. old :D
Well, in any case. You can fetch the user credentials from the $_SERVER variable somewhere and switch based on that.
var_dump($_SERVER); to see which property you need.
Then use header("Location: /go/here.html"); to redirect the user.

Related

Best way to redirect user upon form submit to URL using input as directory

Hello! I am trying to put together a landing page that will allow individuals to visit, enter an access code, and be redirected to a directory that corresponds to the access code. For example, access code is 12345, user is redirected to example.com/12345 upon submit. We will be using direct links for the most part, but in the event that someone hits a 404 or try to visit the root directory, we want to have an interface for returning to the project / an alternative way for people to access the page.
What might be the best way to redirect a user after they enter the access code in the form?
Thanks for your advice!
It's really hard to say what the 'best' solution would be as it's open to interpretation. Here's what I would do.
Instead of routing to a specific page, I would route them to a controller that includes the code and/or content from the user directory. This will allow you to secure any contents of the user directories through server configurations, and give you better programmatic control of what happens when something goes wrong.
The user key should be set to a session key but if you don't want to do that, you could set it to a POST or GET parameter just as easily.
if(array_key_exists("user",$_SESSION)){
include_once("/".$_SESSION['user'].".php");
//use the included file if it won't automatically run itself
}
else{
echo "error - missing user key";
}

Automatically logging in to pages which has htaccess in directory

I have a certain directory where I have .htaccess file.
I want to write something in PHP, for example, that will allow me to log in automatically to my site and then I can go to other sites in this directory.
I know that I can use http://user:pwd#mysite.com, but it doesn't work on IE.
I tried to use a curl option, but I'm not sure how can I use it to get anything useful for me.
So do you have any ideas if and how I can do this? Any examples will be very appreciated.
I haven't found yet explicit solution, but for now I have some workaround for this problem.
I used .htaccess file to write few rewrite conditions and rules.
Then I have:
Authentication.php - where is array of users, who have access to pages and where is function of checking if sent login and password are correct;
Router.php - where is list of special pages which should be always accessible (especially when user is not logged in) and where is function file_get_contents to get whole code of certain page;
SessionCheck.php - where is function of checking if user has his own token in session (whether he is logged in);
index.php - there are checking all above functions.
The point is to redirect all pages (*.html, *.htm, etc.) to index.php file, which verifies if current user is logged in. If he is, then there is downloaded code of page (which he wants to see) and it is showing by using echo function.

How to avoid a login bypass in my webpage by entering URL

I am trying to set up a secure web page at home. I created a login page with HTML and PHP, and it actually works when a user tries http://example.com. However I noticed that if a user enters in the URL http://example.com/documents.html (where documents.html is a page in my website) it get access to the page contents without login in first.
I have been looking for a solution for several weeks without success. I’ve tried to use the .htaccess capabilities of Apache without success, (get same results as above). So if someone could lead me on how to avoid this, that would be great.
This question is very broad. There are many possible solutions. It is going to be very hard to give a best answer.
My personal choice would be to remove HTML pages from the public area of the website and then create a PHP page which checks for permissions based on the requested page. If that is OK, then the PHP page would read the non public HTML page and simply echo out the contents.
This will secure the HTML pages without the need to rename them or alter them in any way. This is often times better because there is usually a reason that you have HTML pages instead of PHP pages. If they are being generated somewhere else it could be very difficult to keep those changes updated too. It will also allow you a chance to add to or modify the output in code before you display it.
One PHP file could be made per HTML page or you could use one PHP file for all pages and use a request variable to choose which HTML page to authorize and display. That is up to you.
As a bonus, this type of system can also be used for any other type of file you'd like to secure but still give (what seems to be) direct access to. To do that, just replace mystaticfile.html with mystaticfile.zip (or whatever) and make sure to send the correct header.
For me I added this code in the start of webpage that should be only accessible of logging in.
<?php
if(isset($_SESSION["username"])) {
//Code to run if logged in
} else {
//This will return the user to login page if the user is not logged in
header("Location: login.php");
}
?>
This will protect the exclusive pages for user page even if the url is manually typed.

php scripts activating by themselves

All right so I've been looking all over the net and I can't seem to find any solution for my problem. My apologies if this has been asked in the past.
I'm sure there's a very simple answer for this: A while back I built a website for a client. This website has an administration system in which some pages are locked using a $_SESSION variable called 'level', which basically checks whether the user is an administrator or not. Furthermore, some pages are locked with the usual log in session variables, to ensure that only logged in people can access these pages.
Now the problem is that on two of my pages, the php scripts seems to run completely by themselves. The first page is just a page that resends all of the activation emails to every user in the DB. This page can only be accessed by being logged in, and being an administrator. The second page can only be accessed by going through PayPal. The PayPal script has fallback support which checks whether there are PayPal post variables.
Anyone know why these scripts are running by themselves? It gets bothersome when random emails are continually sent to customers or administrators. I probably did something wrong somewhere. I thought it might just be the Google crawler activating the scripts, but wouldn't the crawler have to be logged in to access the scripts?
It could be a number of things.
One approach could be that search engines are executing your scripts.
A couple of years ago I was hired to look into what could be causing the deletion of all pages made with their homemade CMS.
Looking through their access logs revealed that two search engines was trying to index the content in the administration frontend. Including all the Delete page links.
The reason why this could occur was a combination of two things.
The first was the administrators browser plugins from the two search engines. Documentation proved that pages a client visited was sent to the search engines from their plugin.
Secondly, when the search engine attempted to index a session protected page, the original developer of their CMS forgot to put an exit; after the header('Location: ...');part which meant that the rest of the code on the page still got executed.
The solution
I fixed the problem by adding exit; to the code:
If( ! isset($_SESSION['level']) )
{
header('Location: login.php');
exit; // stops further execution of code
}
I hope this can help.
Check the access logs of your server and see when and what is calling those pages (if they are being called).
If something is accessing those pages (spider, person, etc) that shouldn't be, you have a security issue.
I highly doubt the scripts are 'calling themselves'
To find why they are being called, after you check if the session variable is set, and you find it isn't, add
file_put_contents('./log/log.txt', print_r($_SERVER));
Create yourself a directory "log" and a writabel file "log.txt" and the source should appear in there.
The other useful function is debug_backtrace(). Bit trickier to use this, but:
if ($handle = #fopen('./log/log.txt', 'a')) {
for ($i=1; $i<count($aBack); $i++) {
if (isset($aBack[$i]['file'])) {
fwrite($handle, $aBack[$i]['file'] . '/' . $aBack[$i]['line'] . "\n\r";
} else {
fwrite($handle, 'Anonymous function' . "\n\r";
}
}
fclose($handle);
}
Should give you a log of what oath was used. (Code typed verbatim - sorry for typos, but you should be able to work out from there)
Note that most client information (IP, referer etc) is forgable, but the calling URI isn't. It'll give you lots of info about what's calling them.

Hide pdf to non registered users

I've hit a dead end with this code I'm working on. I have a website where users can register and will be able to view certain pdfs when they are logged in. My question is though, how do I hide this file to make sure that only those currently logged in can subscribe. I keep track of my users with a MySQL database and have been using PHP for all the server side coding. Ideally, the solution won't involve the user having to sign in again or anything like that. I'm not necessarily looking for code (though its always appreciated :D), but any bump in the right direction would be great.
Thanks for any help you guys can offer.
if(isset($_COOKIE['login']))
{
header('Content-Type', 'application/pdf');
readfile('secret/books.pdf');
exit();
}
else
{
include('login.php');
}
The only way to secure the URL to the user is to require a login, which is something you don't want to do. (Obviously as long as the session is open via a cookie or whatever you are using, the person could access it.)
But keep in mind that once a person as the link to the PDF, they can download it and give it to somebody else. So in my opinion, you should simply focus on making it impossible for the average person to guess the URL.
In other words, simply putting the PDF on a URL that is not guessable is sufficient security given that a person can easily duplicate the PDF.
That said, if you want to lock it down a bit, you could give each user his own unique URL for the PDF. Thus if somebody does copy the URL around, you know who did it. Also, you could have URLs expire after a certain time.
That URL could be stored in the database as a url -> pdf lookup. No authentication would be required to access it.
Two thoughts on that:
1) store your PDF outside of your public readable WWW folder and include it to an authenticated user like ayush proposed
2) protect the file with a username and password using htaccess and access it with curl. cURL can provide the correct credentials without making the user re-authenticate.

Categories