I am protecting my pages by checking the values of my sessions. Is there a more secure way of protecting my pages other than changing the Location header if the sessions are not valid? Am I doing anything right?

I have the following at the top of each page:

<?php
    session_start();

    //VERIFY LOGIN
    $validkey = 'br1ll1ant)=&';

    // Redirect when either check fails. The original used && here, which only
    // redirected when both checks failed; isset() avoids a notice when the
    // token was never stored in the session.
    if ($_SESSION['valid'] != hash('sha256', $validkey)
        || !isset($_SESSION['tokenID'])
        || $_SESSION['tokenconfirm'] != hash('sha256', $_SESSION['tokenID'])) {

        header("Location: /login/");

    }
?>
+2  A: 

Are you using a templating system? If you are, what you'd do is simply output the login form instead of the page content if the user isn't validated. Even if you aren't using one, you can change the output (different set of includes, for example) if the user isn't valid. This way you aren't relying upon the end user's browser to protect the content.

GrandmasterB
A: 

Headers should be fine, I haven't seen people use much anything else.

It is always best to authenticate to gain access to the page, and then check that authentication on every page. If it fails, redirect to the login.

Using an MVC pattern, it is best to check the login status before they even get to a page, and either redirect if not logged in, or load the logged-in view.

Josh K
+4  A: 

Using header() is fine, but don't forget to exit(); your script after calling header(). User agents don't have to respect headers, so one could write a client which will simply read the part that comes after the header call.

if(!session_is_valid()) {
  header('Location: index.php');
  exit;
}
knittl
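The point made in this answer, carried through as a complete guard include, is shown below as an added example; it is not code from the question or from any of the answers. It assumes the login script stores the user id in $_SESSION['user_id'] and a timestamp in $_SESSION['last_seen'] (both names are assumptions), and it builds on the idea of redirecting and then stopping the script so that a client that ignores the Location header still receives nothing of the protected page.

```php
<?php
// auth_guard.php -- included at the top of every protected page.
// Added example (not the question's or the answers' code). Assumed session
// keys: $_SESSION['user_id'], set at login, and $_SESSION['last_seen'].
declare(strict_types=1);

// Harden the session cookie before the session is started: not readable by
// script, and only sent over HTTPS.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.use_strict_mode', '1');
session_start();

// True only when a login was recorded in this session and the session has
// not been idle longer than $idleLimit seconds.
function session_is_valid(int $idleLimit = 1800): bool
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['last_seen'])) {
        return false;
    }
    if (time() - (int) $_SESSION['last_seen'] > $idleLimit) {
        return false; // idle too long: treat the user as logged out
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Redirect to the login page and stop. Nothing after exit is ever sent, so a
// client that ignores the Location header gets an empty body, not the page.
function require_login(string $loginUrl = '/login/'): void
{
    if (session_is_valid()) {
        return;
    }
    // Discard any partial state so a stale or half-set session is not reused.
    $_SESSION = [];
    session_destroy();
    header('Cache-Control: no-store');
    header('Location: ' . $loginUrl, true, 302);
    exit;
}

require_login();
// The protected page's own content follows this include and is only reached
// when require_login() returned normally.
```

The idle timeout and the `session_destroy()` call on failure are choices of this example rather than anything the answer prescribes; the part that matches the answer is that `header()` is always followed by `exit`, so the redirect is the last thing the script does.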
A: 

Using a front controller pattern you can put all your PHP files outside the web root. That way they are not directly accessible from a URL. This is fairly common practice in PHP frameworks, including those built with Zend Framework.

If your files are in the web root, another method that you might consider is to use constants. This is how CodeIgniter does it. Define a constant in your front controller and if it's not defined, send them to the web root. Here is how CI uses constants.

The constant used everywhere

<?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

How it is defined.

define('BASEPATH', $system_folder.'/');

$system_folder being a few lines above.

$system_folder = realpath(dirname(__FILE__)).'/'.$system_folder;
LLBBL
Actually the way to go, but I guess OP's file is meant to be accessed by authenticated users.
Jan.
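The two ideas in this answer, a single front controller inside the web root dispatching to page scripts kept outside it, and a constant that those scripts check before running, are combined below in an added example. It is not CodeIgniter's code; the directory layout, the constant name BASEPATH (borrowed from the answer) and the `page` query parameter are assumptions made for the example.

```php
<?php
// /var/www/html/index.php -- the only PHP file inside the web root.
// Added example, not CodeIgniter's code. Assumed layout:
//   /var/www/html/index.php          this front controller (web root)
//   /var/www/app/pages/home.php      page scripts, outside the web root
//   /var/www/app/pages/account.php
declare(strict_types=1);

// Same idea as CodeIgniter's BASEPATH: page scripts refuse to run unless the
// front controller defined this constant first.
define('BASEPATH', realpath(__DIR__ . '/../app') . '/');

// Resolve the requested page through a fixed whitelist, so the URL parameter
// is never used as a path and cannot reach the filesystem directly.
$pages = [
    'home'    => 'pages/home.php',
    'account' => 'pages/account.php',
];
$name = $_GET['page'] ?? 'home';
if (!isset($pages[$name])) {
    http_response_code(404);
    exit('Not found');
}
require BASEPATH . $pages[$name];


// ---- /var/www/app/pages/account.php (a second file, shown here for the
// ---- example; it lives outside the web root) ----
<?php
// Even if this directory were ever made web-reachable, a direct request is
// refused because only index.php defines BASEPATH.
if (!defined('BASEPATH')) {
    exit('No direct script access allowed');
}
echo 'Account page';
```

The whitelist is what makes the dispatch safe: the constant check in the page script protects against direct access, but it is the front controller's fixed map that keeps the `page` parameter from selecting arbitrary files.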