Security Question Regarding Login Form


TCH-RobertM

Hi everyone, Hope all is well with you.

I have a pretty general question that could produce complex responses, so please bear with me.

First let me try to explain what it is I am wanting to try, and then let you know what I think is a solution.

Now, prior to me coding this up, I would like to ask for some general concerns and pitfalls I might encounter and/or any scenarios that might cause a break in my project.

So here goes...

I have my website up ( basically using it as a Learning site )

I am currently teaching myself all the programming that I am using: PHP, CSS, (X)HTML, MySQL. I think that about covers what I am using currently.

What I would like to do is have those users come to my site to have open access to most of the pages. There are some pages though that I would like to have Username Password protected. ONLY Authorized users can access those pages.

The way I currently have the site set up, I am thinking of using a PHP MySQL solution for login authentication. Once the user is authenticated, links will become available on the right side of my page that normal users will not see.

I have created the form portion of this login, which can or will call an authentication PHP file. Once the user is authenticated, I think I can test that with the if(isset($_POST ..........user validated.

What I don't want is for spiders or non-authorized users to gain access to those links and/or the content on those pages.

Should I keep the pages in a non-public folder below the www folder?

Would this cause problems for authorized users accessing them?

What kind of open issues might I expect?

How easy would it be for someone to get to the pages, bypassing the authentication login?

Any thoughts would be greatly appreciated.

Thanks

Robert


Hi Robert.

A couple of thoughts; certainly not a complete answer:

 

Should I keep the pages in a non-public folder below the www folder?
Do you mean folders outside www? There are no non-public folders below www.

I don't know how spiders handle such things, but I have had some success by putting a PHP check at the top of any page I don't want seen by unauthorized viewers:

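<?php
// Must run before any output so the redirect header can still be sent.
session_start();

// No authenticated session: send the visitor to the login page and stop.
if (empty($_SESSION['pw'])) {
  header('Location: rf_login.php');
  exit();
}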

Then of course the login page does the appropriate authentication and redirects back to the requested page. Once the user is authenticated, the pages just appear normally until the browser is closed.

 

As I say, not a complete answer by any means, but it may shed some light, or at least occasion further discussion.


I would think simply using a password protected folder would be all that's needed. Place the pages and data under it and anyone attempting to go there will need to authenticate.

Using PHP to authenticate a menu with the links only protects access to the menu. If someone knows the links they can still gain access to the pages by manually typing the URL. Not very secure in my opinion.


Thanks for some of the thoughts guys,

 

Madmanmcp

I would think simply using a password protected folder would be all that's needed. Place the pages and data under it and anyone attempting to go there will need to authenticate.

I probably did not state everything that was going through my mind originally. I needed a more robust way of controlling users' access to certain pages on the site based upon their ID.

I guess in a way, a sort of CMS (content management system)

 

Having to password protect directories certainly would be one solution that I think would work for a few users.

I am more interested in the learning process and the flaws associated with implementing such a process.

 

I do thank you and should have been more clear in what I was after... One of my many shortcomings that I will have to try to work on.

 

btrfld

Thank you for the piece of information regarding sessions. This is something that I did more research on and have been playing with pretty much all day.

While researching, I found a tutorial that I happened to find extremely useful, as it broke down the actual steps and explained it pretty well for a newbie such as myself.

Here is the link if anyone is interested.

Managing Users with PHP Sessions and MySQL

 

I am sure there are pitfalls to any type of security implementation and I will try to find better ways of doing this going forward.

Thank you both for your thoughts

This TCH FAMILY FORUM is by far the best arena I have experienced for users trying to help other users out.

I hope that I can be helpful to you in the future.

 

If you have any questions please feel free to ask me

Take care

Robert
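The per-page session check discussed in this thread, extended to per-user roles, as an added example (not code from any poster or from the linked tutorial). The same `is_allowed()` decision can gate both the menu links and the page itself, so typing a URL directly gets no further than the menu would allow. The `$USERS` array, the role names and the function names are assumptions; `rf_login.php` is the login page named in the earlier reply.

```php
<?php
// auth.php (hypothetical name): include at the top of every protected page.
// $USERS is constructed sample data standing in for a MySQL users table.
$USERS = [
    'robert' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'role' => 'admin'],
    'guest1' => ['hash' => password_hash('tr0ub4dor', PASSWORD_DEFAULT), 'role' => 'member'],
];

// Verify credentials; on success bind identity and role to a fresh session id.
function login(array $users, string $name, string $password): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;                       // same answer for unknown user or bad password
    }
    session_regenerate_id(true);            // new id after login prevents session fixation
    $_SESSION['user'] = $name;
    $_SESSION['role'] = $user['role'];
    return true;
}

// Pure decision: may this session see a page (or menu link) that needs $required?
function is_allowed(array $session, ?string $required = null): bool
{
    if (empty($session['user'])) {
        return false;                       // not logged in at all
    }
    return $required === null || ($session['role'] ?? '') === $required;
}

// Call before any output on each protected page, e.g. require_access('admin');
function require_access(?string $required = null): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        header('Location: rf_login.php');   // not logged in: go to the login page
        exit;
    }
    if (!is_allowed($_SESSION, $required)) {
        http_response_code(403);            // logged in, but not permitted here
        exit('Forbidden');
    }
}
```

In the page template, the restricted links would be wrapped in `if (is_allowed($_SESSION, 'admin'))`, so the menu and the pages enforce one rule.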


While researching, I found a tutorial that I happened to find extremely useful, as it broke down the actual steps and explained it pretty well for a newbie such as myself.

Here is the link if anyone is interested.

Managing Users with PHP Sessions and MySQL

 

Thank you for that link. I went through the entire article and found it very useful.
