PHP: session controll the pages from unauthorized access, with level -


aim

a simple login page check user credentials if correct in database lets user login , check on other pages if sessoin provide let user operation in pages else redirect them out login page authentication.

the connection set , working fine:

the session has started:

for checking input , echo variables simple checking function:

function check_param($val){     $value1=addslashes($val);     $string1=htmlspecialchars($value1);     $string2=strip_tags($string1);     return $string2; }

now user authenticate trough form , runs function check if can login pages , pass $_session['username'] , $_session['password'] , $_session['level'] next page , store browser tell getting destroy command.

public function auth($name = '', $password = '', $level=''){         $sql = "select count(*) dab_users `name`=:name , `password`=:password , `level`=:level ";         $result = $this->conn->prepare($sql);         $passme = hash_value(check_param($this->password));         $result->execute(array(             ":name" => check_param($_post['name']),             ":password" => check_param($_post['passwrod'),             ":level" => check_param($_post['level'])          ));         $num = $result->fetchcolumn();         if($num==1){             $_session['level'] = $_post['level'];                     $_session['is_log'] = 1;             header("location:home/index.php");         }else {         $result->execute(array(             ":name" => check_param(''),             ":password" => check_param(''),             ":level" => check_param('')));             echo "wrong password , user";         }     }

this works ok , can access pages after giving correct password on view of index page after authentication user can access here way have manage restrict unknown user or blank session or correct session page.

index.php:

<?php  if(!empty($_session['is_log'] && !$_session['level'] == 101){     header("location:../login.php"); } else { ?> <h1>header + content + footer</h1> <?php } ?>

question: here after submit form correct user name , password , level in database login index page, , on echoing session see level , is_log on aut class been set. , (if) on index page works , redirect user if not login...

  • is secure?
  • is enough session restriction?
  • is fine session control ?
  • am doing right session controlling?
  • any suggestion or tutorial?

your authentication systems works, if fail check control security on each page have? should learn front controller pattern , see if suits needs better.

related front controller pattern, advice read 2 chapters fantastic symfony documentation (they related symfony talk http / php in general , how , why framework may benefit code in end):

and if worried security seem (and of course should), take @ owasap top 10 web vulnerabilities (a must read every web developer).

specific question session hijacking problem, can find more here.


Comments

Post a Comment

Popular posts from this blog

commonjs - How to write a typescript definition file for a node module that exports a function? -

consider, toml node module can use: // toml.d.ts declare module toml { export function parse(value:string):any; } declare module "toml" { export = toml; } then: /// <reference path="../../../../../defs/toml/toml.d.ts"/> import toml = require('toml'); toml.parse(...); however, node module export single function, such 'glob' ( https://github.com/isaacs/node-glob ). the node usage of module be: var glob = require("glob") glob("*.js", {}, callback(err, files) { ... }); you'd naively expect this: // glob.d.ts declare function globs(paths:string, options:any, callback:{(err:any, files:string[]):void; ...but because typescripts 'import' semantics bit strange, seems can use 'import .. = require()' statement alias modules . trying call: /// <reference path="../../../../../defs/glob/glob.d.ts"/> import blog = require('glob'); results in: error ts2072: mod
Read more

openid - Okta: Failed to get authorization code through API call -

i'm integrating okta own idp server using okta's api. i'm implementing authorization code flow following steps below: in own server, use /api/v1/authn endpoint sessiontoken. use sessiontoken obtain authorization calling endpoint: /oauth2/v1/authorize?client_id=" + clientid + "&sessiontoken=" + sessiontoken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirecturl + "&state=evanyang&nonce=" it's supposed return response status code 302 , location header containing redirect url code value. however, keep getting response status code 200 , without location header, html body saying "you using unsupported browser." , "javascript disabled on browser." according api documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request , sessiontoken parameter sufficient this: an okta one-time sessiontoken. allows api-based
Read more

thorough guide for profiling racket code -

did googling ("racket profiling", "racket measure performance"), didn't find , there no examples in docs. did google "profile" search on htdp - no luck. (profile (f ...)) output isn't obvious other small snippets. ideally want python's python -m cprofile usage examples. when search "python profiling", both duckduckgo , google give top result: 26.4. python profilers . (although scanned quickly, seems more of reference "thorough usage guide" examples. if had else in mind, perhaps please link that?) the equivalent racket documentation be: profile: statistical profiler . a usage example: #lang racket (require profile) (profile-thunk (thunk (function-to-profile arg0 arg1) )) here (thunk e) convenience (lambda () e) . bigger example: #lang racket (module mod racket (provide f) (define (f) (for/list ([i 10000]) i))) (require (prefix-in mod: 'mod)) (define (f) (for ([i 10000
Read more