tags:

views:

84

answers:

2
+1  Q: 

Secure a "thanks" page against non-logged in users

When a person registers on my site, or logs in, they are sent to "thanks.php".

The page checks is you're logged in or not and if so, tells you what you can do and if not, gives you a link to the register.php page.

However, anyone can make their own cookie and trick the script like that.

How do I protect myself from this?

One thing I thought of was checking if the $_SESSION['session_id'] is present in the database. Far as I know, you can't generate that yourself and even if you could, you'd need database access to find one out.

I'm not too sure however, does anybody have some advice or experience about this sort of "thanks" pages?

+4  A: 

You cannot generate any Session Data or Database Data without having access to the server. So, a secure way to do this would either be set a SESSION cookie, with some variable, and check for that.

session_start();
$_SESSION['logged_in'] = true;


session_start();
if(!isset($_SESSION['logged_in']))
{
    header("Location: youarentsupposetobehere.com");
}
Chacha102  2009-08-20 16:51:35
No reason the id variable has to be unique. As you say, anything in the SESSION is on the server
Eli  2009-08-20 16:53:47
Ooops .. there we go.
Chacha102  2009-08-20 16:55:07
+2  A: 

Well, yes, when people log in, you should NOT be setting a cookie that says loggedin=true or some such.

You should instead set $_SESSION['loggedin'] = TRUE PHP generally takes care of securing the cookies that manage that session automatically

Eli  2009-08-20 16:52:57
Actually, session cookies expire when you shut down your browser. Don't even have to shut down your computer, just the browser. Search the php.ini file for this variable: session.cookie_lifetime. Its meaning is explained the line above it.
WebDevHobo  2009-08-20 17:00:01
Yes, by default session data only lasts for, well, a session :)
Eli  2009-08-20 17:40:01

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases