Tracking Forums, Newsgroups, Maling Lists
Home Scripts Tutorials Tracker Forums
 
  HOME    TRACKER    PHP




Access A Secure Page By Changing The Url


how can i stop people getting into a secure logged in page by just typing
www.somesite.co.uk/admin/index.php.

theres a login set up, but i can bypass it by just entering the url location, this is a major security issue that i need to solve relatively quickly before i publish the pages.

what i need/want is if someone isn't logged in it just goes to a page saying "you must be logged in to access this page" then prompts them to login.php.




View Complete Forum Thread with Replies
See Related Forum Messages: Follow the Links Below to View Complete Thread
Secure Mail Password Changing Script
Would it be possible to create a script that securely changes one's email password (POP3 inbox) over the web without using a secure server? Is there a way of encrypting stuff before it is sent to the server?
How To Access A Secure Directory When Using Dir()?
Is there a way to access a secure directory on a NT machine using the dir() function? I get an error of:

Warning: OpenDir: Invalid argument (errno 22) in C:wwwrootdevelopmentmenu.php on line 47

Fatal error: Call to a member function on a non-object in C:wwwrootdevelopmentmenu.php on line 50

These errors are on the lines where I try to open the directory and then access the files in that directory. Any ideas?
Transfer Session_id() Between A Secure Page To An Unsecure Page - SSL
I am having problems understanding how to transfer session_id() between a
secure page to an unsecure page. When I move from the secure page to the unsecure page the session_id changes.

Here is the script:

Secure page:
<?php
session_name('thename');
session_start();
echo session_id();
..
..
Is Using LDAP Or SESSION More Secure For Authentication And Access Control?
I am considering a large project and they currently use LDAP on MS platform.
It would be moved to a LAMP platform. OpenLDAP is an option though I have
not used it before. I do feel fairly confortable with my ability to use
SESSIONS for authentication and access control.

Would it better to learn and use LDAP or can you REALLY have just as secure
authentication and access control using Sessions?
Changing Db Within Page
I have a php page that flips between dbs and sometimes it works and sometimes it doesn't... e.g. the first query runs from this db, the second query runs from a different db and then the third query runs from the first db again... the first query will run, the second query will run, but then the third query will not.

Each time that I switch to a query that calls a different db, I used include_once "db_whatever"; before the query, thinking that, that would work, but it doesn't... Is there something I need to do to kill the previous db connection prior to moving onto another one?
Changing Password From Web Page
I have a need to allow a 'email only' user to change their password on the system from my home page. Normally the user does not log in.

1) need them to login to confirm user/pass
2) enable them to change pass using the _passwd_ file.
Since Apache runs as nobody I need a funtion or two to do the above.
NOT using a sql database but just the usual _passwd_ file. using Linix - RH6.0 - Apache with php3_mod I don't mind doing the reading if I know what to read!
Changing Title Of Page
does anyone know how to use PHP to change the title of a page?

Let's say my title is currently "GOGOGO" , but I want to add a string "$x" to it

so it says "GOGOGO $x", using PHP does anyone know how to do that?
Forcing Secure Page (https)
I am a novice at secure pages (just installed mod_ssl and open_ssl).

The main question I have: If a page is "secure" (https://blah) and you don't want people to get there by typing http://blah, how to you stop that?

I want users to login, but I want the login to be https://domain/login.php not http://domain/login.php. How do I stop someone from being able to access the login page insecurely?
Printing HTML When I Want To (secure Page)
I built a class called userlogin to secure my pages and things like this, you know.. basically its a login system. What I want is that it will be easy for people (or just me) to use it, so they would just have to change the html code..ok the only way I could figure out doing it was like this..access.php: PHP Code:
Page Not Found On Secure Server
I have several php pages on a secure server with hyperlinks or form buttons connecting the pages. All of the links are absolute (https://full.url...). The pages work well as long as I don't leave a page on the screen for more than ~ a minute. If the page is on the screen for any length of time, when I click the hard coded link, I see the following error:

The page cannot be displayed The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. If I refresh, everything works ok again. It only occurs with secure pages.

The timeouts on the server are set the same as all of our other servers, so it doesn't seem to be a page timeout problem. The hyperlinks are absolute and are correct because they work when I refresh any page. I checked the logs and there are no 404 errors (or other errors)showing in the server error log. Code:
The Best Way Of Writing Login Page To Be Secure
i use session to secure my login page
i register a key in every session that store IP's who login to admin
control panel and timestamp.
but i think it is not so secur
do u have the best way using of session
Sessions In PHP Crossing Over To A Secure Page
I have pages on my website, some are secure, and some are non-secure. My problem is that when I go from a non-secure page to a secure page, all of my sessions variables dissapear. I'm guessing this is because the session ID changes, but is there any way to stop this from happening? I keep all my login variables in a session array, and I need it for the secure pages.
Changing Text On Page Via Dropdown Box.
I have a webpage that draws various text decriptions from a mySql database. The description displayed on the page is controlled via a dropdown box. Currently I am using Javascript with a dropdown box (onChange handler) to change the value of a textbox.

Can anybody think of a way that I don't have to use a textbox(with its' scrollbars and background)? How can I change the value of a php variable by changing the selected index of a dropdown box?
Changing The Variable As You Pass It Through To The 2nd Page
I am using a form to push variables through to another page. In the form, (a drop down), the code is:

<select name="1"><option>L</option><option>P</option></select>

Now on the second page I could display the P or the L by saying <?php echo $1 ?> which is fine. What I want is, if someone selects P then it prints 1 on the next page and if they select L then it prints 2. Is this possible?
Changing A More Link Into Page Numbers
I have the following code which I've tried to edit to fit some examples others have posted on here, with no luck. I have a page that displays More and Prev links but not the page numbers. How can I change this code to have page numbers instead of the More Prev? PHP Code:
Changing Titles Per Page With Inc Files.
The way my script is set up now, I have an index.php which calls on inc files.  The problem is that each page (inc file) is using the title set in the php.index.

My goal is to have a title for each page.  I've looked and looked but can't find anything. 
Changing An If Statement To Html Page
How do I change the following code from my process page to a new page with the detials on it. I made a html page cut and pasted it into this spot but it did not work. What do I need to change in order for it to be a html page is shows. Code:
SSL Error Pop Up - Page Contains Both Secure And Nonsecure Items
I recently took over a site written in PHP. We utilize a third party
to perform a job match, search, and application. When this page loads
in IE, we get a pop up that says:

The Page contains both secure and nonsecure items. Do you want to display the nonsecure items? How can I get rid of this as people going to fill this application out...
Changing Pictures On Index-page When Reloading
I am a beginner but quite curious anyway.

My problem: I have seen websites that show different pictures whenever you enter the site. By doing this, the sites look always fresh and attractive and I like the idea a lot. Now I like to have the same function on my site but I do not know how that works...

Is there anybody who can give a good "explanation for dummies" on how to do that?
Script Show The Requested Secure Page Apear In The Right Frame?
How do I have my formscript show the requested secure page apear in the right frame instead of popping up this page in a new window. I tried to fix it by writing " target=top" into the script line. Doesn't work ! Code;
Page Access
I have a 3 page PHP script. I only want people to be able to access the
first page of the script by URL. The other 2 pages need to return a
message such as "This page can not be accessed directly." if someone
tries to call it up by URL.

I did this a month or so back using an If statement at the beginning of
the PHP code. Something along the lines of:

if (access_method=POST){
Perform PHP Code
}

Else{

echo "This page can not be accessed directly.";
}

I just can remember the correct method to call to check against, and I
can't find the old script I worked on previously.
Can't Access Page
i have install apache in winxp ,this pc have public ip address  and i want to access the php page from the internet but it give me cannot display the webpage, from localhost the page run
Restrict Page Access
how can I restrict access to certain pages to people who are logged in?
Prevent Page Access Outside Website
I have a php webside with a guestbook and I want access to the guestbook
only via the homepage. How can I modify the index.php of the guestbook to prevent access from outside the website?
Blocking Access From All But One Referring Page...
I have a subsection of my site that gets tons of hits, but my main page doesn't get that many. I know this is a simple problem to fix, but hell, I dunno.

Anyway, I want this particular page to only load up if the referring page is my homepage.... something along the lines of http-referrer=x or die?
How To Limit The User Access To The Page
how to make a user management in php, i mean that i want to limit the user
access to my page. the script will not allow 2 user have an access to my
page at the same time. the script only allow 1 user to access the page.
the second user will have the queue massage.
[Q] Automatic (i.e., Scheduled) Access To Another Web Page
I need to be able update my web site with info from a remote web site. At
this other web site, the info I require is updated every 30 minutes, 24
hours per day. Life would be cool if a way existed by which I could
"schedule" my code to run periodically so that my info could remain
[reasonably] synchronized with the info on this other site.

In the PHP docs / books I have I've been unable to find functions / services
/ examples that might permit me to implement this functionality. Do [php]
services/classes exist that would meet this need? Do I need to invoke the
services of my WEB server (apache on both ends)?
PHP Code To Access Password Protected Page
I have written the following HTML/PHP code to validate and provide
access to a password protected page to users who are given the user ID
and password through a separate e-mail. The required page,
Articles.html, however does not load when the valid user ID and
password is provided. Instead, the response is a blank page.

validate.php
<html>
<head>
<title>Login Authentication</title>
</head>
<body>
<?php

if (($_POST["username"]=='cutedog')AND($_POST["password"]=='puppy'))
{
header("Location: http://www.domain.com/Articles.html");
exit();

}
else
{

echo "Login denied to the page - Articles.html";

}
?>
</body>
</html>

Does any other file need to be included for HEADER function to work? I
currently do not have CGI or SSI active on my hosting account. I am
using the following HTML form for the user to submit the user ID and
password to access the password protected page.

<html>
<head>
<title>code</title>
<script LANGUAGE="javaScript">
<!--
function validateForm()
{
with (document.saveform)
{
var saveit = true;
if (username.value.length < 4)
{
alert ("Username too short. The username must be at least 4
characters in length.");
username.focus();
username.select();
saveit = false;
}
if ((password.value.length < 4) && saveit)
{
alert ("Password too short. The password must be at least 4
characters in length.");
password.focus();
password.select();
saveit = false;
}
else if (saveit) submit();
}
}
//-->
</script>
</head>
<body>

<form
ACTION="http://www.domain.com/validate.php"
name="saveform" METHOD="POST" align="center">

<div align="center"><center>
<table border="0" width="93%" cellspacing="0" cellpadding="0">
<tr>
<td width="52%"><div align="center"><center><table
border="0" height="59"
width="310" bgcolor="#808080" cellspacing="1"
cellpadding="0">
<tr>
<td width="248" height="19" bgcolor="#C0C0C0"><div
align="right"><p><font color="#000000"><small>Add
Your test username:</small></font></td>

<td width="123" height="19" bgcolor="#C0C0C0"><div
align="left"><p><input NAME="username"
VALUE SIZE="8" MAXLENGTH="16" tabindex="1"></td>
<td width="47" height="19" align="center" bgcolor="#C0C0C0"><div
align="center"><center><p><a
href="javascript:alert('The username must be between 4 and 16
characters long.')"><small><small>Help</small></small></a></td>
</tr>
<tr align="center">
<td width="248" height="17" bgcolor="#C0C0C0"><div
align="right"><p><font color="#000000"><small>Add
Your test password:</small></font></td>
<td height="17" width="123" bgcolor="#C0C0C0"><div
align="left"><p><input type="password"
name="password" size="8" tabindex="2" maxlength="8"></td>
<td width="47" height="17" align="center" bgcolor="#C0C0C0"><a
href="javascript:alert('The password must be between 4 and 8
characters long.')"><small><small>Help</small></small></a></td>
</tr>
<tr align="center">
<td width="248" height="1" bgcolor="#C0C0C0"></td>
<td width="123" height="1" bgcolor="#C0C0C0"><div
align="left"><p><input TYPE="button"
NAME="FormsButton2" VALUE="submit" ONCLICK="validateForm()"
tabindex="3"></td>
<td width="47" height="1" align="center" bgcolor="#C0C0C0"><a
href="javascript:alert('Click to save the
details')"><small><small>Help</small></small></a></td>
</tr>
</table>
</center></div></td>

</tr>
</table>
</center></div>
</form>

</body>
</html>
No Access : Fedora Linux Page Displaid
Ever had a big problem with webpage displaid? We are runing Apache version is Apache/2.0.50 (Fedora) for pc-linux- gnu on i686 mysqladmin Ver 8.23 Distrib 3.23.58, And webpages do not display correctly (very long time).
Variable Across Domains From Non Secure To Secure
have a variable ($basket) that is a unique identifier for my users. ties user browser to the contents of their shopping cart. I have to pass this variable from domain 1(unsecure) to domain 2(secure) using the url (http://www.domain.com/order.php?basket=9874e5dfkg9).

Approx 1 in 10 people lose this variable and their shopping cart is then "empty"

I tried passing the var with a cookie (set the cookie on domain 2 by faking the browser [img_src="domain2.com/setcookie.php"] but the problem persisted...)

i try to replicate the problem but have only gotten it to happen to me once by accident, and i didn't notice any abnormal procedures that would have caused it... it's has occured on opera, MSIE and Netscape browsers on Mac, and Win (all flavors).
Is PHP Secure For Secure Transaction?
I have a site for one customer but now he wants their clients can pay wuth credit card. They site is done in PHP/Apache/MySql but he told me that somebody said that it is not secure environment for credit card payment. I need some help to demostrate that is not true. I dont know use this.

I need information that how can I do a secure site using SSL, I have installed , Apache with SSL but I need info that is a certificate and how it is works. All information that u can tell me will be apreciated. If you know a site that paying with credit card using PHP, Apache and MySql please send me this address to check this. Really this combination is secure?
How Secure Is Php??
hi i just started using (learning i guess?) php for a week or two, and i think it's really great in terms of functionality and everything... i just have a little doubt about it's security tho.. say, is that possible for web users to grab .php source off any website? i wanna find this out beceuase when using php to access any database, the password is stored inside the source, and it'll be horriblie if someone else have access to the source. i tried a naive act of creating a link to a php file and "right-click-save" it, luckily all i got was a processed html but not the source. but i'm just wondering... and what should i do to pretend (reduce) any potential security attacks to php and mysql? thanks millions!
Secure Session
I would like to know any tips to make session somewhat more secure.

Also, is there problem with SID generate by PHP? Should we create our own SID to make session somewhat more secure?
Secure Area?
I would like to do the following, and need some advice.

There is a login page, where users can log on(and e.g. the admin.)
from there you can go to several other pages, where you need to be logged on.

Since I don't want to use cookies, how do I pass the login information to the other pages, so they can evaluate if the user is allowed to view them.

I can't pass any of this data thru the url I guess because everyone could read it in the browsers history if a person logged on earlier, then use this link with the info supplied.
The same goes for session ids I think, or don't I have to pass the session id to subsequent pages?

Can anyone give me advice how to implement pages that should only be viewed by currently logged on persons.
Secure Pages
I have a login system that checks the database for auth and sends them to the destination according to auth.

Now what I need is some way to secure the pages so you cant go straight to the pages by typing it to the browser. I would like for you to get directed to the login page if you try to go straight to the page(s). Is there some code I can put to keep from viewing the page(s) without logging in first.
Are Sessions Secure?
I'm fairly new to PHP as you prolly know by the other dumb questions on here by me! I've recently written my site using sessions to log a user in and out. I've basically got my session variable holding login details and other user related material.

My question : is this a secure way to do this? i mean, is it possible for a site visitor to read the session variables? Is there a better method of having a user log in and out?
PHPNuke & Secure ?
I was wondering if it is true that portals as PHP Nuke or PostNuke or
insecure ? People told me it can be easily hacked. Can they just hack the
portal or the full server where it is running on ?
Secure A CMS W/sessions
I'm extremely confused now. I'm almost finished creating my Content system and the one of the things I need to finish is the login/validating part (important huh?). It also seems that everyone has a different example and a different opinion and I'm trying to make my CMS as secure as possible but with all these opinions, different examples, and some that don't work, is there one example we can all agree on, or is any good examples you can recommend?
Secure Form
I am looking for a php script that can process a form with credit card information. I have an SSL already. All i need is the script to encrypt the credit card information and store it encrypted on the server and then I can access it with a password. Then once I download it I can decrypt the credit card.
Secure Portal
Anybody knows how should we implement a portal-like website that allow its members to communicate through the private message but does not allow them to exchange email address or any other contact details? It is much like the FriendFinder implementation.

I imagine the if we rely on the word filtering on every private message (like filter the @ character) it will not guarantee that we could avoid such email address being passed to one another.
How Secure Is My Code?
After my last post, I had my eyes opened to many issues in my code. I have now redesigned my code so feel free to comment on any security vulnerbilites or suggest better ways of doing things.

The following code is a simple login script...
Secure File
I have sessions working where individual users have their own person
information and can't view others personal info... The problem is, the
sessions block them in php but I can't block them from files that I can't
have the session security.

I tried imbedding the file into a secured php file but it did not work, my
code is below that I used. For reference, 00231 is the username to login so
it checks if the username is the same etc.

<?
// Agent Access - secure page

// session check
session_start();
if ($SESSION_UNAME != "00231" )
{
// if session check fails, invoke error handler
header("Location: error.php?e=2");
exit();
}
Stable Secure ID
i'm pretty sure that i can create a stable non-replicating ID using this code (but i'm not comletely sure): PHP Code:
PHP & SSL For Secure Cookies
I'm trying to implement the protocol used at
http://www.cse.msu.edu/~alexliu/pub...okie/cookie.pdf to
create cookies that can't be forged. I got everything working, except
I have run into one problem:

I don't know how to get the session key used for the encryption. I'm
completely new to SSL and I just installed it on my server, and got it
all set up that it works using http://mydomain.com. So that said, to
my understanding, using public/private key encryption, the server and
client negotiate a key to encrypt data with from that point on, and
that this doesn't change for a client, but it unique for every client.

It seems like that cookie protocol requires that you get that session
key and store it in the cookie to verify that the cookie hasn't been
stolen.

I guess my question is really that I just want to make sure I am
understanding what they mean by session key properly, and how you
would get it. I figured I should have access to it since I am the
server.
Secure Downloads
I am currently working on a project with a very secure feel to things (SSL, password only, etc, etc), it's an extranet site. I need to generate PDF files for the clients to download. I have made my own session management system which tracks, by IP address, and changes the Session ID every page, but I need to allow the users to download the PDF files securely. I have a few ideas so far:

1) Generate the PDF files in a directory not accessable by apache, and then enter a row into the MySQL database saying this session/user has a PDF to download. Then a link can be shown to the user, such as /downloads/Report.pdf?SID=<Session ID> (where SID = Session ID). I could make all .pdf files be processed by PHP (therefore act like a PDF in the /downloads/ directory), in the apache config. When the Report.pdf is run it checks the SessionID, then looks in the database for a valid PDF file, and then reads the file straight out to the client. Will this work? Any ideas/suggestions?

2) Justr make the PDF file on the fly, but this will have problems with users who want to be able to save the PDF file.

I'd like to go with option1, but I'm not too sure whether this will work. This is not just related to PDF files, it can mean any file type (and I will also need to do a similar things for .zip, and .csv later on) Any suggestions please. I dont want the PDF files saved into a /downloads/ directory on the server, as some1 in theory could take the file, and to make this not the case/harder to do, the filename would have to be very very long... and random gemerated, which is not nice for the client.
Secure Login
Does anyone have the source, class, or link for a secure login using
sessions? Preferably with MySQL.
Secure Registering...
I am developing a PHP project, where users must register and get
entered into a database - this is nothing new. It must be provided that
a malicious script cannot fill the database with garbage entries. I
have seen on some advanced pages how after sending register data a user
gets presented with a picture containing some text or number that
cannot be recognized by machine while easily by human. The user must
enter that number and send it back; only then gets he entered in the
DB.

This method seems to be rather secure, and I would like implement it in
my project.

Here is my question :

Where do these pictures come from? Are there any PHP-functions that
allow to generate them programmatically? Or any other way?
Secure Hosting
How can I make a secure hosting with PHP? So, whats the problem? mod_php executes with apache's permissions (usualy apache.apache or nobody.nobody) and everybody can see scripts and datas of other users. Suexec doesn't solve the problem, because suexec works only with CGI scripts.
A Secure Log-in System
I want to make a login system as secure as possible on a website I develop.

* The user shall log on using a Username and a password (which is stored in
a mySQL database)
*The server which I use to run my application has "register_globals"
activated (set to "on"), so that has to be taken into concideration
*The system should be secure even if the user do not click "log out" when he
is finished. (Users often just close the browser window)
*It is good if the system works even if coockies are not enabled on the
client

How can I make a login-system as secure as possible based on this?
Do I have to use session-variables, or are there other ways?
Copyright © 2005-08 www.BigResource.com, All rights reserved