views: 26

answers: 2

It's a normal case: a user inputs a username with a password, and after that the entire system can be accessed. Suppose I have a page a.php (or ASP); how can I restrict it so that only a user who has been authorized can view a.php, and other users who type http://host/a.php in the browser get an error?

And furthermore, is it done through cookies? If you can explain the details under the hood I would appreciate it more :)

+1  A: 

It can be done with Cookies but most PHP sites use Sessions.

See for detailed information: http://www.php.net/manual/en/session.examples.basic.php

The steps involved:

1.) Create a sign-in page that checks for a valid username and password, then saves a key value to a session variable that references the user table. signin.php (pseudo-code)

<?php
session_start();

// Look the user up and check the submitted password against the stored hash
$user = find_user_by_name($_POST['username']);   // hypothetical lookup helper
if ($user !== null && password_verify($_POST['password'], $user['password_hash'])) {
    session_regenerate_id(true);                  // issue a fresh session ID after sign-in
    $_SESSION['userkey'] = $user['guid'];         // GUID from the database
}

2.) Create a PHP page that has the session variable and checks if the variable is set.

signincheck.php (pseudo-code)

<?php
session_start();
$is_signed_in = false;

if (isset($_SESSION['userkey'])) {
    // Confirm the stored key still refers to a real user before trusting it
    if (user_exists_for_key($_SESSION['userkey'])) {   // hypothetical database check
        $is_signed_in = true;
    }
}

3.) Require that page in each of your pages that needs to be for registered users only.

<?php
require('signincheck.php');

if ($is_signed_in === true) {
    // render the protected page content here
} else {
    header('Location: /signin.php');
    exit;   // stop here, otherwise the protected content is still sent after the redirect header
}
Todd Moses
Is it easy to attack? If the session ID is stolen... And I thought the session is implemented by a cookie?
Bin Chen
Nothing is 100%, but a cookie is stored on the client machine and a session is on the server, so a session is more secure.
Todd Moses
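The three steps above carried through in one working file, as an added example that is not Todd Moses's code: a single auth.php that signs a user in, guards a page, and signs out, and that also addresses the comment about a stolen session ID (cookie flags, strict mode, a fresh ID after login, an idle timeout, and a real exit after the redirect). The user table, GUID and password are constructed for the demo, and every function name is an assumption of this example.

```php
<?php
// auth.php: session-based access control for a page such as a.php.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 900; // a session that goes quiet for 15 minutes ends

// Constructed sample user table; a real site would query its database.
function sample_users(): array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => [
                'guid'          => '11111111-2222-3333-4444-555555555555', // constructed
                'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $users;
}

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie flags limit what a captured cookie is good for: HttpOnly keeps it
    // away from JavaScript, Secure keeps it off plain HTTP, SameSite=Strict stops
    // other sites from sending it along with their requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    session_start();
}

function sign_in(string $username, string $password): bool {
    start_secure_session();
    $user = sample_users()[$username] ?? null;
    // Verify against a dummy hash for unknown users so response time does not
    // reveal which usernames exist.
    $hash = $user['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    // A new ID after login makes any ID fixed or observed before login worthless.
    session_regenerate_id(true);
    $_SESSION['userkey']       = $user['guid'];
    $_SESSION['last_activity'] = time();
    return true;
}

function current_user_key(): ?string {
    start_secure_session();
    if (!isset($_SESSION['userkey'], $_SESSION['last_activity'])) {
        return null;
    }
    if (time() - $_SESSION['last_activity'] > IDLE_TIMEOUT_SECONDS) {
        sign_out(); // an idle session is dropped server-side, so its ID stops working
        return null;
    }
    $_SESSION['last_activity'] = time();
    return $_SESSION['userkey'];
}

// Put this at the top of a.php. Unauthenticated visitors get a redirect and
// nothing else: the exit is what turns the redirect into a real barrier.
function require_signed_in(string $signin_url = '/signin.php'): string {
    $key = current_user_key();
    if ($key === null) {
        header('Location: ' . $signin_url, true, 303);
        exit;
    }
    return $key;
}

function sign_out(): void {
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server-side record.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

In a.php the whole guard is `require 'auth.php'; $userkey = require_signed_in();` before any output. The session data itself never leaves the server; only the ID travels in the cookie, which is why the example spends its effort on limiting where that ID can be sent from and how long a copy of it stays useful.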
+3  A: 

This is a somewhat lengthy topic and needs too much explanation to fit in this space. I'd advise you to go through the following beginner-level tutorials on how to create a login system with PHP. You will then understand what happens under the hood:

  1. PHP Simple Login Script Tutorial – Very detailed guide to creating a PHP and MySQL login system.
  2. Creating a Secure PHP Login Script – How to create a secure PHP login script that will allow safe authentication.
  3. Developing a Login System with PHP and MySQL – another great PHP and MySQL login tutorial.
  4. Login – Logout with a Session in 1 file – Write PHP code for login and logout in one file.
  5. Creating a file based login system – PHP login system without a MySQL database.
  6. Login system – Learn to create a PHP and MySQL login system by using a cookie.
  7. PHP Log In Script – video tutorial – Video tutorial on how to create a PHP and MySQL login system.
shamittomar
Thanks, but how to write a login is not the question I am asking; maybe my question is obscure, sorry about that. I am more background-prone :)
Bin Chen
@Bin, I am not asking you to create the login. I am suggesting you read these tutorials and you will clearly know *what's going on under the hood.* :)
shamittomar
@shamittomar, btw, are all logins implemented by cookie? What if the cookie is captured and reused by an attacker?
Bin Chen