How Does Website Access Control Actually Work? - php

I am just starting to learn about web development and something has been niggling me for a while now: how a website controls what you can access and cannot access.
For example, a website like Facebook. When I first go to the site, it presents a login form; once I am logged in, the same page that I tried to access before now shows information relevant to me that I could only access once logged in. I can navigate to a different site and then come back to Google and it still allows me to use it without logging on again.
How exactly would a site block someone trying to access a particular page when they are not logged in, let's say the page viewProfile.php? How does the website know who to allow access to this page?
I realise this question may seem confusing and elementary, but it's just something that came to me whilst viewing Facebook.
Thanks.

This is a very simple concept called sessions.
When you visit Facebook, it reads unique information sent to it via the connection, such as IP address, browser, and some other minor information. When this information is combined, it creates a unique identifier.
This unique identifier is then stored in a file like so:
d131dd02c5e6eec4693d9a0698aff95c.session
So when you log in with your credentials, their application adds information into this file, such as last activity etc.
When you go away and come back, Facebook will then read the information that's sent with every request; it then adds it all together and creates a unique hash. If this hash exists within its storage system, it will open it up and read the contents, and know exactly who you are.
All this is combined with cookies: the unique hash is sent back to the browser and stored in your cookies folder, and this cookie file is sent back to Facebook with every request.
PHP handles this for you internally, so it's pretty basic to get it up and running: http://php.net/manual/en/features.sessions.php
Here's an example that may help you understand the concept a little more.
<?php
/*
 * session_start() generates that hash and sends a cookie to the browser.
 * This has to come first, as you can only send cookie information before any content.
 */
session_start();

/*
 * Anything stored within $_SESSION is what has been read from the session file.
 * We check whether the value was already set the first time the user
 * visited the site.
 */
if (!isset($_SESSION['hits'])) {
    $_SESSION['hits'] = 0;
}

/*
 * Now we increment the value every time the page is loaded.
 */
$_SESSION['hits']++;

/*
 * Now we display the number of times the user has loaded the page.
 */
echo 'You have visited this site <strong>' . $_SESSION['hits'] . '</strong> times.';
?>
If you load this page and then hit F5, the session value gets incremented on every request, so you should see something like:
You have visited this site 1 times.
You have visited this site 2 times.
You have visited this site 3 times.
You have visited this site 4 times.
...
The session file is unique to each person visiting, meaning that when using the session variable in PHP it would be for that user only, so everyone gets their own individual session.
As you're researching, it's good to search StackOverflow for certain tags, such as PHP and sessions.
https://stackoverflow.com/questions/tagged/php+session
Here's a good question in regards to cookies and sessions advantages etc.
Purpose Of PHP Sessions and Cookies and Their Differences

A website uses something called a "cookie" to store information on your computer.
This information can hold any text string, but in this case it is probably a unique ID that Facebook knows (probably stored in a database somewhere) is tied to a certain user. Cookies can only be read by the website that sent them and by the browser itself.
The login page sends a POST/GET request to a script that generally checks the username/password combo against data in a database. If the data is found to be valid, then the user is granted access to the website's landing page (the page after login) and a cookie is stored. If it is not, they are sent back with an error message.
Cookies can also have a "lifespan". This lifespan can be anything: for a certain amount of seconds; until you leave the site; until you close your browser; or forever (there are probably more.)
The website that sent a cookie can also delete a cookie before it expires. This is how most "logout" buttons work.

To allow only logged-in users to view content, you can first check for a sign that they are logged in, such as looking for an active session and checking that it has a flag which tells you they're logged in (which you control). In PHP, at the top of a page you can simply:
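<?php
session_start();
// Redirect visitors who have no login flag in their session
if (!isset($_SESSION['loggedin'])) {
    header('Location: http://example.com/login.php');
    exit; // stop the script so the protected page is not sent after the redirect header
}
?>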
which will redirect non-logged-in users to a login page. Upon successful login, you should set $_SESSION['loggedin'] to a value.
Checking whether a person who is logged in is allowed to view a particular profile is down to looking up whether the page is restricted to friends only, and if so, checking that the logged-in user's ID is in the profile owner's friend field in the DB.
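The two checks described in the answer above (is anyone logged in, and may this user see this profile), as an added example that is not part of the original answer. The function names, the `profiles`/`friends` tables and the sample rows are assumptions, and the demo needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Added example. Function names, table names and sample rows are assumptions.
// Authentication: call at the top of every protected page.
function require_login(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit; // without this the rest of the page still runs and is sent
    }
    return (int) $_SESSION['user_id'];
}

// Call (with a session started) once the password has been verified.
function on_login_success(int $userId): void
{
    session_regenerate_id(true); // fresh ID, so an ID issued before login is useless
    $_SESSION['user_id'] = $userId;
}

// Authorization: may $viewerId see the profile owned by $ownerId?
function can_view_profile(PDO $db, int $viewerId, int $ownerId): bool
{
    $stmt = $db->prepare('SELECT friends_only FROM profiles WHERE user_id = ?');
    $stmt->execute([$ownerId]);
    $friendsOnly = $stmt->fetchColumn();
    if ($friendsOnly === false) {
        return false; // no such profile
    }
    if ($viewerId === $ownerId || (int) $friendsOnly === 0) {
        return true;
    }
    $stmt = $db->prepare('SELECT 1 FROM friends WHERE owner_id = ? AND friend_id = ?');
    $stmt->execute([$ownerId, $viewerId]);
    return $stmt->fetchColumn() !== false;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, friends_only INTEGER)');
$db->exec('CREATE TABLE friends (owner_id INTEGER, friend_id INTEGER)');
$db->exec('INSERT INTO profiles VALUES (1, 1), (2, 0)');
$db->exec('INSERT INTO friends VALUES (1, 2)');
var_dump(can_view_profile($db, 2, 1)); // friend of user 1
var_dump(can_view_profile($db, 3, 1)); // stranger, friends-only profile
var_dump(can_view_profile($db, 3, 2)); // public profile
```

In viewProfile.php the page would call `require_login()` first, then answer with a 403 and `exit` when `can_view_profile()` returns false for the requested profile ID.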

It is done with cookies. When you log in, the site puts a cookie into your browser for a set amount of time (generally a very long time so that you can stay logged in). When you access the site again, your browser sends the cookie back to the site (and the site sets a fresh cookie). In any browser, you can find the list of cookies somewhere in the options.
If you want to know more about cookies, you can read the Wikipedia article: http://en.wikipedia.org/wiki/HTTP_cookie

Do a Google search for "Session Management."
Summary
When you log in to a site you get a unique ID. That ID pulls your data from the database and then populates a dynamic page, like viewProfile.php, with your data. So each user pulls the same file, viewProfile.php, but gets different results based on their unique ID.

Related

Can a browser store two different sets of SESSION variables at the same time?

On a fitness website I'm working on, I use php $_SESSION to recall the user's username across the various php scripts that my pages use.
I had a tab open in Chrome that was logged in to one of my testuser accounts on a fitness website I was working on.
As I wanted to test the Update BMI feature on another user account, I opened a second tab and logged in to another testuser account. The feature worked successfully, and my second user's BMI was updated in the database.
However, when I went back to my first tab and tried the feature for my first user, it updated the BMI for the second user, not the first. This alarmed me immediately. I refreshed the page and realised I was actually now logged into the second testuser account.
This must be because a browser cannot store two different sets of session variables. Is there any way to allow a browser to do so?
Session variables are 1.
$_SESSION['user'] = 1;
So throughout your website, value of user is 1.
Now if you change the value,
$_SESSION['user'] = 2;
Whole website will have user value as 2 in session.
You have faced that problem because you have not refreshed the page.
The same browser cannot have multiple values for the same variable, but it's possible in a different browser.
So two sets of values for the same session variable is not possible in the same browser.
Working:
Each session created will have a unique ID, and that unique ID is stored in cookies. Cookies in turn are stored in the browser. Every time you make a request for session variables to the server, it looks up the session ID in the cookies.
Hope this helped you. Any doubt, you can ask.
A browser can only work with one session at a time.
However, you can open another browser or use a private session (Ctrl+Shift+P) to test another session without losing the first one.

unset session on multiple login

I am developing an application in which security plays main role. When I am trying to login with username and password, other login on any other system with same username should be deactivated.
How can I do this? When I google this issue I am not getting any related ideas.
I logged in from my home and when I login to my system from office my personal system session should be destroyed
In terms of specifically "personal session being destroyed" would mean remotely clearing your home browser history (to delete sessions/cookies etc).
Which is possibly not necessary (depending on security level you need), or better to just have remote access to your PC.
A solution if you do not actually need to destroy "home" sessions.
A basic method would be something like:
Upon successful login, script sets a local session ID and stores it in the DB.
Each page/section within the secure area checks your local session ID with the one in the DB.
If match, you are shown the page, otherwise redirected to the login page.
Every time you successfully log in, it resets the session stored in the DB, so when logging in at work you would not be logged in at home, as the sessions no longer match.
Your Scenario
You log in at home, a session is created and the session ID is stored in the database and referenced in your local browser (cookie by default).
Each secure area page will check if the user's local session ID matches the one in the database.
At home, currently, it does.
You go to work, go to login page (which finds no session/cookie so allows you to try to login).
When you login successfully, the script will set a new session and session ID, update the database with that new session ID.
Now when you browse the secure area at work the scripts check your local session ID and database and they match up, so can see the secure stuffs.
At home, someone tries to browse your logged in area and the local session ID no longer matches the one stored in DB, as it's now the session ID you set from logging in at work.
So they are redirected to login page.
Security Note
This is just a basic example, and while the above will work, it is not a perfectly secure "login system" in itself. Best practice of having a secure login system is already covered in many other questions/answers/tutorials (ie using HTTPS, IP log, browser data check, timestamp + auto logout, etc).
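The "latest login wins" check described in the answer above, as an added example that is not part of the original answer. The `users` table, its `active_session` column and the function names are assumptions; storing a SHA-256 of the session ID instead of the ID itself is an addition of this example, and the demo needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Added example. Table, column and function names are assumptions.

// On successful login: remember which session is the account's only valid one.
// A SHA-256 of the ID is stored so a database leak does not expose live session IDs.
function record_login(PDO $db, int $userId, string $sessionId): void
{
    $stmt = $db->prepare('UPDATE users SET active_session = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $sessionId), $userId]);
}

// On every protected page: is this browser's session still the recorded one?
function session_is_current(PDO $db, int $userId, string $sessionId): bool
{
    $stmt = $db->prepare('SELECT active_session FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, hash('sha256', $sessionId));
}

// In a real page $sessionId is session_id(), read after session_regenerate_id(true);
// here two constructed IDs stand in for the home and office browsers.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, active_session TEXT)');
$db->exec('INSERT INTO users (id) VALUES (7)');

$home = bin2hex(random_bytes(16));
$office = bin2hex(random_bytes(16));

record_login($db, 7, $home);
var_dump(session_is_current($db, 7, $home));   // home browser right after login

record_login($db, 7, $office);                 // same account logs in at the office
var_dump(session_is_current($db, 7, $office)); // office browser
var_dump(session_is_current($db, 7, $home));   // home browser on its next request
```

When `session_is_current()` returns false, the page should destroy the local session, redirect to the login page and `exit`.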

how to display different page on different request on my website

I want to show different home page when user visit every time my site, means new html page on every new visit or repeat visit.
When a user opens the site the first time, he/she sees x.html, next time y.html, next z.html and so on.
Please help me
You may use cookies to store information on user (client) side that he/she has already visited your site. Please refer to: http://php.net/manual/en/features.cookies.php for info about cookies in PHP. It requires that user accepts cookies in the browser. In the cookie you may keep info about already seen pages.
Yet another way is to store such information on server side but it may be risky because it is not obvious how to identify unique user on server side (combination of IP + browser - may not always work - users from the same private network may provide the same externally visible IP).
The last solution that comes to my mind is to force the user to log in to your page. Then, upon login, you may count the number of times the given user (identified by username) has been on your page and provide a different page each time.
Create a script that will choose a different page at random.
Store the pages in an array
$pages = array('page1.php','page2.php','page3.php');
Get random number
$rand = mt_rand(0,2);
Use that random number to choose page from array
$rand_page = $pages[$rand];
Then show the page to the user
include($rand_page);

Php tracking[cookies]

I have a url shortener that I created to track incoming links. Currently the php sets a cookie and inserts visitor information into the database. It attaches an id to the redirect url and redirects the user to the website.
The website has javascript on the page that takes the id and tries to set a cookie on the front end. If cookies are disabled, the javascript attempts other things to store that id. The reason I am setting the id is due to the javascript sending random pieces of information to the backend.
Is there a way for php to have a fallback if the person doesn't have cookies enabled? I don't want to create a new database entry for someone who visits the same link multiple times who doesn't have cookies enabled. Don't want to be tracking the same person as 2 or more people.
Edit
If I can't prompt the user that their cookies are disabled, are there any alternatives?
2nd Edit
One of the comments brought this up, so I thought I'd post the link here: User recognition without cookies or local storage

LightopenID regarding protecting web pages

So I have the example-google.php script working; after logging in it throws the default user string has logged in. But my question is how does this protect anything?
Let's say I have //127.0.0.1/example-google.php and I added an href to //127.0.0.1/abc.php after the login is successful.
Well, what keeps someone from just typing 127.0.0.1/abc.php? Granted, I could use $_SESSION to verify that "someone" logged in. But is that going to be enough? Is there a way to re-verify that the user that is trying to access abc.php is truly logged in when thrown from the other page?
Generally, the idea is that you use the session store, indeed.
For example, in my site I have a OpenID login using Steam Community. When a user logs in, after the mode / validate checks etc. from the LightOpenID example, I save their unique identifier in the session store (in this case a SteamID, in your case an email address presumably), then can just use this freely for subsequent requests.
As the session store is server-side, a user cannot impersonate another one without gaining their session cookie (session hijacking is another topic that someone else can go into much more detail on, but I'll give it a shot if requested), but most attacks will be defeated by also storing and validating the requesting IP address.
I keep a couple of MySQL tables (one for sessions and one for user information) and store session information in the session table and include a reference to the users table. When a user successfully logs in with their OID provider they are sent back to my site with the confirmation from the provider. I keep track of my user from then on via their session ID.
I wipe the session if they choose to log out, but maintain the user info for comments/posts on the site to track who said what.
I actually put a link to "?login={service}" which sends the request to the OID provider and redirects back to that page and on return from the provider it takes the successful login and stores the appropriate information and redirects the user back to the original page where they clicked the "login" button for whichever {service}. You only display the "members only" content if they are verified via OID. You don't create a standard HTML page at abc.php without any sort of way to confirm ID and I think the header redirect is important because it cleans up the URL displayed in the address.
