Hi, I am a beginner in PHP.

How can I restrict user access to controller.php and allow access to it only via view.php?


My proposal:

I don't know if this is proper, or how to avoid robots accessing it directly.


view.php:

  <?php
  // Mark this session as having rendered the form before showing it.
  session_start();
  $_SESSION['isFromView'] = true;
  ?>

  <html>
   <body>
    <form action="controller.php">
     <input type="submit"/>
    </form>
   </body>
  </html>

controller.php

<?php
session_start();
// Refuse the request unless view.php has set the flag in this session.
if (!isset($_SESSION['isFromView']) || !$_SESSION['isFromView']) {
    exit();
}

// code here

// Clear the flag so the controller cannot be called again until view.php is loaded again.
$_SESSION['isFromView'] = false;
?>

Please write what I am missing, in which way my controller can be accessed directly, or any other security problem (with examples, if you can).


Edit:

In case I don't have a user login, it can be secured by killing the session in controller.php after the code is executed; then, when the user returns to view.php, a new session ID will be created.

In most cases, though, we cannot kill the session because of other components of the site.

Thanks

+1  A: 

The solution proposed is fine. Alternative solutions:

  1. use some hash in some hidden field in view.php form (in view.php create some md5('secret') and then check that in controller.php). This solution is the most secure approach.
  2. check the referral URL (I strongly disagree because of security issues) - $_SERVER['HTTP_REFERER']. This variable can easily be spoofed (changed by the client), so it's a security risk to rely on it.
narcisradu
How can I check the referral URL?
Yosef
you can find it in $_SERVER['HTTP_REFERER']
narcisradu
Why does $_SERVER['HTTP_REFERER'] have a security issue? (Can you give an example, please?)
Yosef
I just edited my answer. $_SERVER['HTTP_REFERER'] might easily be spoofed by the client and this is the reason I said it's a security issue.
narcisradu
Ok, I understand. What about the first option, the hidden field? Why can it also be easily spoofed by the client? Only if I put the hidden md5 id into a session variable can it not be spoofed, or am I mistaken? Can you please write, or link to, an example of what you mean by the hidden field solution?
Yosef
<input type="hidden" name="token" value="<?php echo md5('some secret phrase'); ?>"> - If you submit the form, you will compare md5('some secret phrase') in controller.php with the value submitted by the form. This solution cannot be spoofed. Only the HTTP referrer might be spoofed by the client. The session method you provided is just fine. The hidden field solution is just another approach.
narcisradu
Ok, thanks you very much!
Yosef
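A per-session random token is the usual hardening of the hidden-field idea discussed above: a fixed md5('secret') is the same for every visitor, whereas a value drawn from random_bytes() and stored in the session is unique to that session and can be consumed after one use. This is an added example, not code from the question or the answer; the function names, the `form_token` session key and the `token` field name are my own, and the usage comment assumes the form is submitted with method="post".

```php
<?php
// Added example (not part of the original post). Function and field names are my own.

// view.php side: create a token once per session and embed it in the form.
function issue_form_token(array &$session): string
{
    if (empty($session['form_token'])) {
        // 32 random bytes: unguessable, and different for every session
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// controller.php side: accept the request only if the submitted token matches the
// one stored in this session. hash_equals() compares without a timing side channel.
function verify_form_token(array &$session, ?string $submitted): bool
{
    if (empty($session['form_token']) || $submitted === null) {
        return false;
    }
    $ok = hash_equals($session['form_token'], $submitted);
    unset($session['form_token']); // one use only: a replayed submission is rejected
    return $ok;
}

// Usage in the real scripts (both after session_start(); the form uses method="post"):
//   view.php:       $t = issue_form_token($_SESSION);
//                   echo '<input type="hidden" name="token" value="' . htmlspecialchars($t) . '">';
//   controller.php: if (!verify_form_token($_SESSION, $_POST['token'] ?? null)) {
//                       http_response_code(403); exit;
//                   }

// Self-check, runnable from the command line with a simulated session array.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

$session = [];
$token = issue_form_token($session);
check(verify_form_token($session, $token) === true, 'genuine submission accepted');
check(verify_form_token($session, $token) === false, 'replay of a consumed token rejected');
$session = [];
issue_form_token($session);
check(verify_form_token($session, md5('secret')) === false, 'static guessable value rejected');
echo "ok\n";
```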
+1  A: 

First thing of note is that it appears your usage of 'Controller' and 'view' seems to be radically different from mine - I would have interpreted this as being part of an MVC pattern - in which case the browser would never request 'view.php' it should be an include file invoked via include/require from the controller file. Also, as an include file, it should not contain any inline code - so even if it were directly accessible from a browser - it would not do anything when called from a browser.

If you simply mean that you have two scripts, and the second should only ever be called by the first, then the issue is one of Cross-site request forgery - there's lots and lots of discussions about how to avoid this on the internet, most of which will explain why using $_SERVER['HTTP_REFERER'] is a complete waste of time.

Passing transaction-related data via the session should be avoided at all costs - not least because of the problem of session aliasing.

C.

symcbean
It's simply 2 scripts, not an MVC project.
Yosef