Re: Login for access to certain pages or parts?
- From: Carl Pearson <jman_spam_trap_.org@xxxxxxxxx>
- Date: Wed, 10 Jan 2007 09:32:31 -0600
dorayme wrote:
Could someone kindly recommend either a simple tute on the subject or else a simple guide of the steps to be taken to make a login page for a website so that a few password issued people can view a particular set of pages or section of a website. It is not needed to be like Fort Knox, just a simple thing like say a commercial site where only wholesale customers are allowed into some set of pages giving special information for their eyes only.
I suppose it depends on the type of server as to what is best, but assume a Unix with PHP enabled. I have got to the stage of being able to use php includes both for Unix commercial servers and my own on my Mac (in no small measure due to guidance on this ng a while back).
I am easily blinded by science! I know roughly what an .htaccess file is and I have access to more than this on my own server, but not more on commercial servers that host various sites I have made or maintain.
There are a plethora of canned scripts out here to do this. Google "php authorize user".
Below is some code I've been using for a few years. It probably needs updating.
You'll need a database, to store the user's info (name, password, allowable group, etc.)
Embed a script in every page for which you may wish to restrict access, which calls a validation function. This function compares some cookies that get set when the user has first successfully logged in.
You store the user name in the cookie, not the password. The successful login routine sets the cookie by testing to see if the password the user has entered matches the one in your database for that user.
If the user cookie is blank (unsuccessful login), the validation routine automatically fails.
You might at the same time set another cookie for a 'group' (or some other kind of identifier so that only certain users can see certain portions of the site). That would be another field in the database.
If the user var exists, and the group is OK, the page gets loaded. Otherwise you re-direct to another page telling the user there's a problem.
For pages that can be accessed by multiple groups, your authorize function could be passed a comma-delimited list of allowable groups for that page. Using the Explode function you could parse out the groups that can see that page, and if the group cookie for that logged-in user is in that list, go ahead and load the page. Otherwise re-direct.
This code could be improved, as the redirect is using javascript (client-side), which involves another call to the server to load the redirected page. Since you'll know on the server-side whether or not the user is authorized, you could just as easily do an include of the redirected page instead of letting the results get all the way down to the user and then having javascript ask for the new one...
<?php
require_once("path/to/your/script.php");
AuthorizeUser("ALL");
// or
// AuthorizeUser("Admin, Guest, Accounting, AndSoOn");
// Rest of page...
?>
Here are some auth functions you can try (plus a couple of others on which they are dependent). Or roll your own...
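<?php
// $_SESSION is only populated after session_start(); start a session if the
// including page has not already done so.
if (session_id() == "")
{
    session_start();
}

// Authorizes user based on group, redirects if necessary.
function AuthorizeUser($OK_Groups)
{
    // "ALL" admits any logged-in user that has a group set.
    if ($OK_Groups == "ALL" && !empty($_SESSION['Group']))
    {
        return;
    }
    else
    {
        // Name of your re-direct page if authorization fails.
        $Redirect = "path/to/redirect_page.php";
        // Read the query string from $_SERVER; the bare $QUERY_STRING global
        // only exists when register_globals is on.
        $QS = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : "";
        if (!((isset($_SESSION['User'])) && (isset($_SESSION['Group'])) && (isAuthorized("", $OK_Groups, $_SESSION['User'], $_SESSION['Group']))))
        {
            $Self = Self();
            // strpos() returns 0 for a match at the start, so compare with false.
            if (strpos($Redirect, "?") !== false)
            {
                $QA = "&";
            }
            else
            {
                $QA = "?";
            }
            if (strlen($QS) > 0)
            {
                $Self .= "?" . $QS;
            }
            // Redirect whether or not the request carried a query string.
            $Redirect = $Redirect . $QA . "accesscheck=" . urlencode($Self);
            Redirect($Redirect);
        }
        return;
    }
}

// Tests to see if selected user is a member of selected group
// Both $Users & $Groups can be either a single entry
// or a comma-delimited string of allowable choices.
// (i.e., $Users = "Bill", $Groups = "Admin"
// or $Users = "Bill, Sally", $Groups = "Admin, Guest")
function isAuthorized($Users, $Groups, $User, $Group)
{
    // Trim each entry so "Admin, Guest" matches "Guest" as well as "Admin".
    $UserList  = array_map('trim', explode(",", $Users));
    $GroupList = array_map('trim', explode(",", $Groups));
    // An empty $Users list (as passed by AuthorizeUser) means "any user".
    $UserOK = (trim($Users) == "") || in_array($User, $UserList, true);
    return ($UserOK && in_array($Group, $GroupList, true));
}

// Returns name of currently executing script.
function Self()
{
    return $_SERVER['PHP_SELF'];
}

// Redirects user to another page.
function Redirect($Url = "/")
{
    // json_encode() emits the URL as a quoted JavaScript string; JSON_HEX_TAG
    // and the default "/" escaping keep it from closing the <script> element.
    echo "<script language='JavaScript'>document.location.href=" . json_encode($Url, JSON_HEX_TAG) . ";</script>";
    exit;
}
?>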
HTH
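The login routine the post describes (compare the submitted password with the database record, then remember user and group) does not appear in its code. As an added example, not the poster's code: a sketch that stores a password hash, keeps user and group in the server-side session as the post's code does with $_SESSION, and refuses access with a Location header rather than a JavaScript redirect. The users table, the function names LoginUser, GroupAllowed and RequireGroup, and /login.php are assumptions.

```php
<?php
// Added example. Constructed sample data: an in-memory SQLite table (needs the
// pdo_sqlite extension) stands in for the real user database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT, grp TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['bill', password_hash('constructed-password', PASSWORD_DEFAULT), 'Wholesale']);

// Compares the submitted password with the stored hash. On success the user
// name and group go into the server-side session, which the browser cannot edit.
function LoginUser(PDO $db, string $name, string $password): bool
{
    $q = $db->prepare('SELECT pw_hash, grp FROM users WHERE name = ?');
    $q->execute([$name]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id at login (session fixation defence)
    }
    $_SESSION['User'] = $name;
    $_SESSION['Group'] = $row['grp'];
    return true;
}

// True when a user is logged in and their group is in the comma-delimited list.
function GroupAllowed(string $okGroups): bool
{
    if (empty($_SESSION['User']) || empty($_SESSION['Group'])) {
        return false;
    }
    $allowed = array_map('trim', explode(',', $okGroups));
    return $okGroups === 'ALL' || in_array($_SESSION['Group'], $allowed, true);
}

// Server-side gate for the top of a protected page: a denied request gets only
// a Location header, never the page body.
function RequireGroup(string $okGroups, string $loginPage = '/login.php'): void
{
    if (!GroupAllowed($okGroups)) {
        header('Location: ' . $loginPage);
        exit;
    }
}

// Demo from the command line: failed login, successful login, two group checks.
var_dump(LoginUser($db, 'bill', 'wrong guess'));
var_dump(LoginUser($db, 'bill', 'constructed-password'), GroupAllowed('Admin, Wholesale'), GroupAllowed('Admin'));
```

On a real page, call session_start() before LoginUser() or RequireGroup() so that $_SESSION persists between requests.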