This isn't really a code question, so to speak; creating a text box to authenticate a user isn't challenging. When you create code to authenticate a person, you can check if the password is correct; if it isn't, you can echo out some HTML and say it's incorrect or redirect them to the original page where they tried logging in from.
However, if they are correct, one would assume that they are given access to an entire site. Echoing out a full page worth of HTML just doesn't seem right. If a user is authenticated, you can redirect them to a PHP or HTML file that they were trying to have access to. Problem is, what's to stop a person from just bypassing the login by guessing where the redirect goes to? I imagine you could create a private folder, and have the desired site located there, but I'm not sure how to grant access to a private folder via PHP.
If this isn't the right forum for this topic, sorry.
Best secure way to create a login with PHP
Page 1 of 1 - 9 Replies - 4191 Views - Last Post: 16 September 2012 - 03:52 PM
Replies To: Best secure way to create a login with PHP
#2
Re: Best secure way to create a login with PHP
Posted 12 September 2012 - 06:13 PM
Usually protected pages are "protected" by a session, i.e. if there is no session set (via authentication), the access is denied.
#3
Re: Best secure way to create a login with PHP
Posted 12 September 2012 - 06:32 PM
Yeah, sessions cannot be edited by the user so this makes it pretty much your best bet. I don't know where I'd be without sessions.
#4
Re: Best secure way to create a login with PHP
Posted 12 September 2012 - 07:41 PM
Thanks guys, I'll definitely research sessions.
#5
Re: Best secure way to create a login with PHP
Posted 13 September 2012 - 06:15 AM
A hacker won't need to get to session variables if they can sniff unencrypted traffic as someone logs in, so if security is important then SSL should be used.
#6
Re: Best secure way to create a login with PHP
Posted 15 September 2012 - 11:48 AM
Quote
What's to stop a person from just bypassing the login by guessing where the redirect goes to?
The trick is to not actually put any of your php files into an http accessible folder.
Say you have a www folder where all of your files can be seen by the web. This folder is located at something like /user/www/ . Inside of /user/www/, you can place an index.php which serves only to include files for authenticated users. The rest of your files are placed in /user/yourwebsite/
Session Security:
Encrypt your sessions with AES-256 and a 256 bit key.
Lock sessions to an IP Address.
Use SSL, but don't rely on it.
Hash your passwords with either scrypt, bcrypt, or pbkdf2 (Ordered best to worst)
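The layout described in the post above, as an added example that is not part of the original thread: index.php is the only script in /user/www/ and it includes pages from /user/yourwebsite/ only when the session marks the user as logged in. The page names, login_form.php and the in-memory user list are hypothetical, and the included files are assumed to exist.

```php
<?php
// /user/www/index.php: the only script inside the web-accessible folder.
// Added example. Page names, login_form.php and $users are hypothetical.
declare(strict_types=1);

const PRIVATE_DIR = '/user/yourwebsite'; // outside the web root, as in the post

// Cookie flags: sent over HTTPS only and not readable from JavaScript.
session_start(['cookie_secure' => true, 'cookie_httponly' => true]);

// Allow-list of pages. The file path is never built from request input.
$pages = ['home' => 'home.php', 'settings' => 'settings.php'];

// Constructed sample user store (bcrypt). A real site loads stored hashes
// from a database instead of hashing on every request.
$users = ['alice' => password_hash('constructed-sample-password', PASSWORD_BCRYPT)];

// Login attempt: verify the password, then mark the session as authenticated.
$user = $_POST['user'] ?? null;
$pass = $_POST['pass'] ?? null;
if (is_string($user) && is_string($pass) && isset($users[$user])
    && password_verify($pass, $users[$user])) {
    session_regenerate_id(true); // fresh session id after login
    $_SESSION['user'] = $user;
}

// No authenticated session: show the login form and include nothing else.
if (!isset($_SESSION['user'])) {
    http_response_code(403);
    require PRIVATE_DIR . '/login_form.php';
    exit;
}

// Authenticated: include only a page named in the allow-list.
$page = $_GET['page'] ?? 'home';
if (!is_string($page) || !isset($pages[$page])) {
    http_response_code(404);
    exit('Not found');
}
require PRIVATE_DIR . '/' . $pages[$page];
```

Guessing a file name gains nothing here: nothing under /user/yourwebsite/ has a URL of its own, and every request passes the session check first.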
#7
Re: Best secure way to create a login with PHP
Posted 15 September 2012 - 01:45 PM
dallbee, on 15 September 2012 - 08:48 PM, said:
The trick is to not actually put any of your php files into an http accessible folder.
Say you have a www folder where all of your files can be seen by the web. This folder is located at something like /user/www/ . Inside of /user/www/, you can place an index.php which serves only to include files for authenticated users. The rest of your files are placed in /user/yourwebsite/
Though that only works if you have access to one such directory. That is no problem on your own machine; public webservers usually don’t let you do that (unless, of course, the provider allows you to do so (for a fee)).
#8
Re: Best secure way to create a login with PHP
Posted 16 September 2012 - 03:11 PM
I've never seen a shared hosting webserver that doesn't give you access outside of your www directory. Typically you get your own folder, with a public_html or www inside of it.
#9
Re: Best secure way to create a login with PHP
Posted 16 September 2012 - 03:43 PM
Yeah, that's been my experience too. Only one host I've used didn't let me access the web root's parent directory, and that one was extremely cheap. (If it sounds too good to be true... It didn't even have mod_rewrite.)
But even so, it wouldn't exactly be a big problem to overcome. Just create the directory inside the web root and drop a .htaccess file in there with a Deny all directive. Now it's treated basically the same as a dir outside the web root. Hell you can even make it return a 404 code instead, making it appear not to be there.
#10
Re: Best secure way to create a login with PHP
Posted 16 September 2012 - 03:52 PM
I usually use the MVC framework. Inside of the controller I would check if the user is logged in. If they are, let them view the page they were trying to view. If they were not, force them to go to the login page. Works rather well if you ask me.