php cookies and redirects

Discussion in 'Web Design and Development' started by jsm4182, Dec 5, 2006.

  1. jsm4182 macrumors 6502

    Joined:
    Apr 3, 2006
    Location:
    Beacon, NY
    #1
    on my site i have a login system and a few pages you need to be logged in to see. when you login your name and user id are put in a cookie. the script to redirect people who are not logged in looks like this
    PHP:
    <?php
    if (!isset($_SESSION['first_name'])) {

        // Start defining the URL.
        $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

        // Check for a trailing slash.
        if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
            $url = substr($url, 0, -1); // Chop off the slash.
        }

        // Add the page.
        $url .= '/login.php';

        ob_end_clean(); // Delete the buffer.
        header("Location: $url");
        exit(); // Quit the script.
    }
    ?>
    now i'm trying to set up a page that only one person with a specific user id (7) can use. the script i thought would work looks like this.
    PHP:
    <?php
    if ($_SESSION['user_id']!=7) {

        // Start defining the URL.
        $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);

        // Check for a trailing slash.
        if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\')) {
            $url = substr($url, 0, -1); // Chop off the slash.
        }

        // Add the page.
        $url .= '/index.php';

        ob_end_clean(); // Delete the buffer.
        header("Location: $url");
        exit(); // Quit the script.
    }
    ?>
    the problem is anyone that is logged in can see the page and isn't redirected. any ideas on what i did wrong?
     
  2. nightelf macrumors 6502

    Joined:
    Mar 25, 2003
    #2
    I think it is a bad idea to use cookies to authenticate your users, because cookies can be edited by anyone using a text editor. You can also use relative or absolute paths in the Location. For example ('Location: login.php'); or ('Location: ../login.php'); or ('Location: /login/login.php');.

    What about something more simple like this

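    <?php
    session_start(); // needed before $_SESSION can be read

    if (empty($_SESSION['userID'])) {
        header('Location: login.php');
        exit; // stop here so the rest of the page is not sent
    }

    ?>

    <?php
    session_start();

    // empty() first, so a missing key does not raise a warning before header()
    if (empty($_SESSION['userID']) || $_SESSION['userID'] != 7) {
        header('Location: login.php');
        exit;
    }

    ?>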
     
  3. stndn macrumors member

    Joined:
    Oct 22, 2006
    Location:
    earth
    #3
    Maybe you've tried the following, but it won't hurt to try again:
    - Did you start the session?
    - Did you make sure that the contents of $_SESSION includes user_id?
    - Did your script ever execute the if() block? Try printing something there.

    Also, as pointed out, it's a bad idea to store sensitive information in a cookie. But then again, just a cookie won't hurt too much if you're comparing it against the session value later.
     
  4. NoNameBrand macrumors 6502

    Joined:
    Nov 17, 2005
    Location:
    Halifax, Canada
    #4
    re: cookie auth:
    Storing stuff in cookies is bad, but stuff in $_SESSION isn't sent to the client, it's stored in the server's /tmp directory (usually). The cookie sent with the session start is the session ID, which is a long random string.


    I would write a function to handle authentication, so you can make it more complicated as you need it, and spit out a login form as appropriate.

    PHP:
    <?php
    require_once('functions.inc.php'); // where the authenticate() function is

    session_start();

    include('header.inc.php');

    $auth = authenticate(); // returns true on verified user

    if ($auth) {
      if (7 == $_SESSION['userID']) {
        // special page!
      } else {
        // regular page!
      }
    } else {
      // no prize for you page!
    }

    include('footer.inc.php');
    ?>
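
A guard that combines the points raised in this thread (start the session, read the id from `$_SESSION` rather than from a cookie, stop the script after the redirect), added here as an example and not code posted by anyone in the thread. The function names, the `ADMIN_USER_ID` constant and the `login.php`/`index.php` targets are assumptions; the session key `user_id` follows the first post. The redirect uses a relative target instead of building a URL from `$_SERVER['HTTP_HOST']`, which is supplied by the client.

```php
<?php
// Added example; all function names here are hypothetical, not from the thread.
declare(strict_types=1);

const ADMIN_USER_ID = 7;          // the one user id allowed on the special page

/** Start the session if needed and return the logged-in user id, or null. */
function current_user_id(): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();          // without this, $_SESSION is never populated
    }
    $id = $_SESSION['user_id'] ?? null;
    // Accept only a positive integer; anything else counts as "not logged in".
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Pure decision: where should this visitor be sent? null means "allow". */
function redirect_target(?int $userId, ?int $requiredId = null): ?string
{
    if ($userId === null) {
        return 'login.php';       // not logged in at all
    }
    if ($requiredId !== null && $userId !== $requiredId) {
        return 'index.php';       // logged in, but not the permitted user
    }
    return null;
}

/** Guard to call at the very top of a protected page, before any output. */
function require_user(?int $requiredId = null): void
{
    $target = redirect_target(current_user_id(), $requiredId);
    if ($target !== null) {
        // Relative target: the Location value is not built from the Host header.
        header('Location: ' . $target);
        exit;                     // nothing below the guard is executed or sent
    }
}

// Usage at the top of the restricted page:
// require_user(ADMIN_USER_ID);
// Usage on a page that only needs a login:
// require_user();
```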
     
