Author Topic: Webcoding Question  (Read 8579 times)

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« on: December 10, 2009, 12:32:06 PM »
Okay, so I'm working on the coding and layout for my site (again...this time it will be better...I think...) and I can't figure out how to do something.

basically, I have an If...else statement that checks for something in PHP sessions.  If it is there, I want it to automatically open a different webpage (a primitive security setup, but I really don't need more than that).  At first I thought a page redirect would suffice, but when I read the tutorials on redirects, it's always about redirecting visitors from a non-existent page to a different one.

The PHP method I found uses the header, so unless there is another method it looks like I can't use PHP (:'( )

In javascript, it's just within the <script> tags, so I think I could put it in a function, but I'd rather confirm that before doing it (I'm writing the page codes down on paper before actually working on my site.  If I don't, I know I'll never finish (just like how it is now!))


So yea, help please (and any spam here will be deleted by me personally)
CK9 in outpost
Iamck in runescape (yes, I still play...sometimes...)
srentiln in minecraft (I like legos, and I like computer games...it was only a matter of time...) and youtube...
xdarkinsidex on deviantart

yup, I have too many screen names

Offline AmIMeYet

  • Full Member
  • ***
  • Posts: 128
Webcoding Question
« Reply #1 on: December 10, 2009, 01:16:27 PM »
The new page doesn't have to be in a new window/tab, right?

Then
Code:
header("Location: http://www.example.com/page.ext");
should suffice.

The PHP manual says
Code:
$host  = $_SERVER['HTTP_HOST'];
$uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
can be useful to get your base url (url or uri? Is there a difference?)

And, following that manual, you might want to use
Code:
exit;
to stop PHP from parsing.

Quote
The PHP method I found uses the header, so unless there is another method looks like I can't use PHP (:'( )
Why can't you use this header method?

And I think you really shouldn't use javascript for *instant* redirects..

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #2 on: December 10, 2009, 02:07:58 PM »
If it's in the header, does it not instantly re-direct the page upon loading?  I don't want that.  I want the page to first carry out its check.  If the item is missing from the session variable, then it will give the person an error message.  If the session variable is there, it will open the other page (in the same window).

From what I'm seeing, I could set the javascript redirect as a function and use the if...else to trigger it.

Offline AmIMeYet

  • Full Member
  • ***
  • Posts: 128
Webcoding Question
« Reply #3 on: December 10, 2009, 02:29:15 PM »
If that session variable is there, do you want it to show anything before the redirect?
Because you can just put header() anywhere in your file, as long as you don't output anything before that header() call.

If you use that header(), take this scenario:

-Someone connects to http://www.example.com/login.php
-If you have the session variable, go to http://www.example.com/success.php
-If you don't have it, output "<html><body>FAIL</body></html>"

So you can still do all your php functions, you just don't output anything and go to a different page afterwards.

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #4 on: December 10, 2009, 05:44:36 PM »
and here I thought the header HAD to go on the top of the page...go figure :P

Offline Hooman

  • Administrator
  • Hero Member
  • *****
  • Posts: 4955
Webcoding Question
« Reply #5 on: December 11, 2009, 12:18:41 AM »
First, JavaScript can be disabled. Particularly if people turn up their security settings. It's not particularly wise to rely on it for core functionality.

The best way to do redirects is probably using the HTTP headers, such as setting "Location: URL". Most environments will cause the server to reply with a 30x response code, instead of the usual 200 OK. There are a few different 300 level redirect responses, with slightly different meaning. Remember that the URI must be a full URI to be standards conformant. It will likely work with a number of browsers if it isn't a full URL, but you should avoid relying on this behavior.

The HTTP headers must be sent before any content. However, a number of environments may do output buffering, which may allow you to set the header after code that outputs some HTML. It works, in some cases, because the HTML hasn't been sent to the client yet, and so it can insert the proper modified HTTP header before the content.

Most browsers, if they see a 301 with a Location header, will automatically redirect right away, and you won't see any content that was sent after that header.


If you want a page to display for a few seconds first, and then redirect to a new page, you're going to need to look at JavaScript. But remember, JavaScript can be disabled, so make sure to provide a link on the page for them to manually click in case the JavaScript code to redirect doesn't work.


Remember, JavaScript is pretty much the only way to get a client to do something on its own. HTML and CSS don't really have many ways to specify behavior (links, form submits, and rollover highlighting), and PHP is all server side, so it only tells the server what to do. To get a client to wait a few seconds and redirect means client side programming, which generally means JavaScript. (Sure, you can use VBScript for IE, but not everyone uses IE as their browser).


Of course, if JavaScript seems like it's somehow needed, maybe reconsider what the original problem you're trying to solve is, and see if there might be a better way to solve it. Maybe the message can be displayed directly on the final destination page?


Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #6 on: December 11, 2009, 12:29:51 AM »
So, in short, I might be better off making it display a button that says "proceed" instead of auto-redirecting?

Offline Hooman

  • Administrator
  • Hero Member
  • *****
  • Posts: 4955
Webcoding Question
« Reply #7 on: December 11, 2009, 11:08:49 PM »
It doesn't have to be a button, it could be a link.

And you can certainly add some JavaScript to auto redirect too, just make sure that link is there. The link is always potentially useful, but the JavaScript auto-redirect is simply nice and slightly more convenient when it works. Plus, if someone is sick of your messages and doesn't want to wait to redirect, they can always just click the link.

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #8 on: December 12, 2009, 01:31:56 AM »
lol, I personally think a button looks more...neat (as in tidy, not cool) than a long as hell url.  That's just me, though

Offline AmIMeYet

  • Full Member
  • ***
  • Posts: 128
Webcoding Question
« Reply #9 on: December 12, 2009, 02:57:57 AM »
Just came back from a 24 hour in-school lanparty, so I haven't been able to reply earlier but:
I'm kind of confused here.. do you want the page to redirect instantly (making the page pretty much transparent, but still act as a real page for the server), or do you want it to display something for a few seconds?
I also don't quite understand why you have now chosen a button/link, instead of a redirect.. but maybe that's just because I've been awake for 28 hours now..

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #10 on: December 12, 2009, 11:11:37 AM »
I don't see how you can be confused, I explained what it does in the most simple words I can think of...

maybe an outline form:

login page --> this page

if name & pass correct, then continue to next page

if name or pass incorrect, then display error message and don't redirect.

Which is why I finally did a button with a success message.

Offline AmIMeYet

  • Full Member
  • ***
  • Posts: 128
Webcoding Question
« Reply #11 on: December 12, 2009, 02:03:19 PM »
Yes, I got that, but do you want that redirect to be instant, or do you want something to be displayed for a few seconds (like a lot of forums do, saying things like 'login successful, redirecting..')

Is this the behavior you wanted? http://amimeyet.hostcell.net/temp/opu_redir/index.php

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #12 on: December 12, 2009, 05:07:24 PM »
I'm afraid of the auto-redirect because I don't know that it won't ignore the case of incorrect user/pass

Offline Hooman

  • Administrator
  • Hero Member
  • *****
  • Posts: 4955
Webcoding Question
« Reply #13 on: December 12, 2009, 07:26:55 PM »
Umm, CK9, a link's URL does not need to be the link's text. You can have a short descriptive text, and a long messy URL underneath to do the redirect.


But, now that I know more about what you're doing....

A lot of web apps have a number of pages all being displayed from 1 source file. Essentially, that page gets variables passed to it that identify which page to display. If none are passed, you can probably assume the login page should be displayed. Internally, you use something like a big switch statement to display each page. Perhaps the code to output each page is its own function, or maybe its own class.

Partial Ruby Example (I'm more familiar with Ruby than PHP):
Code:
  # Rather than a switch, I'll use a hash (called a map or associative array in other languages)
  def DisplayLoginPage(params)
    # Output Login Page HTML here
    puts '<html>'
    # ...
  end

  def DisplayMainPage(params)
    # Output main page (after login) here
    puts '<html>'
    # ...
  end

  # Map page names to the methods that render them; method(:name) gives a callable object
  pageList = { 'login' => method(:DisplayLoginPage), 'main' => method(:DisplayMainPage) }
  # params stands for the request variables the web framework hands you (placeholder here)
  params = { 'page' => 'main' }
  # Default to the login page when no page variable was passed, or the name is unknown
  page = pageList.key?(params['page']) ? params['page'] : 'login'
  pageList[page].call(params)


You'll notice the forum software does something similar. It always uses index.php, but you'll see different variables passed to it after the "?" telling it what page of the forums to display. Instead of the "page" variable used in the example, the forum seems to use an "act" (action?) variable.


Handling Form Submissions
There are two ways for the browser to fetch a page. There are "get" requests, and there are "post" requests. Following a link is always a get request, as is fetching referenced images, and other files (CSS, JavaScript). Form submissions are usually handled by post requests, although, they can also use get requests. Generally, if the submit button causes a permanent action on the server, such as submitting a post, which is then written to a database, you'd use post. If it's more of a read only request, such as a search button, you might use a get request. The method chosen affects how variables are passed to the server, and the maximum size of the data passed. It also has some security implications. The security implications are probably the best reason to separate out the get and post requests according to that guideline I've just stated.

Clearing Post
There is one annoying thing about post requests however. After you've fetched a page with post, if you hit F5, or select "Refresh", it will pop up a dialog box asking if you want to resubmit the form variables. This is rather annoying, and in the case of a login page, if you clicked yes, it would actually go through the login process again. To avoid this, any post requests can be changed to a get request by using a redirect. What you do, is set some form processing code to handle the post request, and after the action has been completed, redirect the client to a proper landing page. After the browser sees the redirect response, it will make a get request to the landing page, thereby clearing the post, and not prompting them if they try to refresh the page. Note that if the action may succeed or fail, the form processing code may choose to redirect the client to either a success or failure page (or an existing page with an extra variable set to display an error message).

Usability and Security
If someone copies and pastes a URL to someone else, containing all the messy get variables at the end, then someone else can see that page. This could be nice for dynamic pages, such as search results, where something interesting comes up that you want to share. Hence, a get request, by exposing the variables in the URL, allows you to send someone else that URL so they can also see the same page. This is not possible with post requests however, as the variables are sent in the body of the HTTP request, which only get sent by filling out a form and clicking its submit button. Hence, any secure "actions", should be done with post requests, to prevent the old "hey, look at this!" trick, where someone pastes a link to do a bad action, on the unsuspecting user's account.

Example: Suppose there is a banking application, that has a form to transfer money, and it is handled by a get request. Some unsuspecting user A has logged in to this banking application, and is checking on their finances. Some evil user B somehow knows or suspects user A is currently logged in to that banking application, so they send them a link about "the generic interesting news event that just happened", which is really a link to the form's action URL (that leads to the form processing function), and has variables set to transfer all the money from user A's account to user B. Unsuspecting user A thinks "generic news event" is interesting and decides to click the link (either not noticing the underlying URL, as it may be hidden, or perhaps because they don't understand all that computer mumbo jumbo even if they did see it). The browser makes a request to the bank to "get" that URL, with all the variables attached, and also sends any cookies currently set by that site with it, such as User A's login credentials. The bank then validates that User A's login credentials are valid (which they are, because user A just happens to be logged in currently), and proceeds with the requested action. Now user A is in the poorhouse.


Login Pages
The login page is generally a form. It will probably take some optional variables to display messages such as "Invalid Username or Password". These variables will default in such a way that nothing is displayed. When the user submits the login form, the server handles a post request. If the login is good, it sets up session variables in some local database or similar (as HTTP is stateless, so they have to be remembered somehow), and sends back a redirect request, which also sets the login session cookie. The landing page will be the main one after login, which might be a URL such as "www.yoursite.com/someFolder/index.php?page=main". If the login is bad, it redirects back to the login page using a URL such as "www.yoursite.com/someFolder/index.php?username=CK9&Message=1". I included a userName in the URL so the login page can auto fill it in as a default, so they don't need to retype it if their password is wrong. The message variable can then be used to select some predefined message, such as "Bad Username or Password".


I should mention there are also quite a few important security considerations when writing login session code, but perhaps I'll save that for another post.

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #14 on: December 12, 2009, 10:50:25 PM »
Well, I've started building the new index page (basically the same with a few tweaks) and based on how that's set up, it's doing this instead now:

main index --menu link--> file login --login button-->new window

when: login information is correct (going to try the delayed redirect with the link)

when: login failed --> smaller window with login fail message

how do I get it to only do the resize in the second case?  I looked into javascript, but only found how to get it to resize the window when you open it from the original window.  I looked at a PHP forum to see if there was a topic that covered it, and saw something that the person said they wouldn't recommend doing for a few reasons.



Also, I'm planning on using dynamic images to prevent people from stealing my images (you never know when it will happen).  I can't seem to find the site I used for function and variable reference when I last built a dynamic image file.  Know of any good sites that list the functions and what they do instead of using examples that I have to try to decipher and modify pieces of?
« Last Edit: December 12, 2009, 11:12:23 PM by CK9 »

Offline AmIMeYet

  • Full Member
  • ***
  • Posts: 128
Webcoding Question
« Reply #15 on: December 13, 2009, 04:25:52 AM »
Nope, can't help you there..

Anyway, this is the code I used for the instant redirect:
Code:
<?php
  // The if statement here can be exchanged with anything really
  // isset() avoids a notice when no auth variable was passed; === compares strictly
  if (isset($_GET["auth"]) && $_GET["auth"] === "admin") {
    //~login successful
    $host  = $_SERVER['HTTP_HOST'];
    $uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
    $extra = 'success.php';
    // Nothing may have been output before this header() call
    header("Location: http://$host$uri/$extra");
    exit;
  }
  else {
    //~login failed
    // Same as using ?> to escape PHP here, to simplify a large HTML output
    echo "<html><head><title>Success!</title></head><body>Login failed.. use ?auth=admin</body></html>";
  }
?>

Also, yay ruby!
« Last Edit: December 13, 2009, 04:32:05 AM by AmIMeYet »

Offline Hooman

  • Administrator
  • Hero Member
  • *****
  • Posts: 4955
Webcoding Question
« Reply #16 on: December 13, 2009, 06:27:46 AM »
How exactly are dynamic images going to prevent people from stealing them? Or do you mean adding a check against the referrer or something to prevent people from hotlinking them? What about screenshot? :P

I don't think I know the JavaScript to do what you want to do. Although, I do somewhat question the design.

How exactly is the security going to work?
 

Offline Moley

  • Jr. Member
  • **
  • Posts: 95
Webcoding Question
« Reply #17 on: December 13, 2009, 06:51:34 AM »
On a related note, I have a question that seems to go here: how do I pass the said "?blahblahblah" into my webpage? I'm trying to get a page that searches and displays data out of an XML, and I know about how to do that, but I want it to be in as few pages as possible.
I HATE SPELLING!!!!!!
if i spell something or screw up grammer,
ignore it or tell me if you dont understand what i typed.

Offline AmIMeYet

  • Full Member
  • ***
  • Posts: 128
Webcoding Question
« Reply #18 on: December 13, 2009, 08:13:12 AM »
Quote
On a related note, I have a question that seems to go here: how do I pass the said "?blahblahblah" into my webpage? I'm trying to get a page that searches and displays data out of an XML, and I know about how to do that, but I want it to be in as few pages as possible.
The retrieval of that ?var1=val&var2=val can be achieved in php using:
  • $_GET["var1"]  for url (GET) values
  • $_POST["var1"] for POST (mostly with forms) values
  • $_REQUEST["var1"] for both GET and POST
What do you mean with "but i want it to be in as few pages as possible."?

Also, more on-topic: alistapart.com seems to have a nice tutorial on this, if you're willing to edit .htaccess's, and use Apache

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #19 on: December 13, 2009, 02:59:03 PM »
Well, Hooman:

for images:

I just don't want people linking to them on my site if they want to use them on their site.  I was thinking of using sessions along with a dynamic image file to prevent them from being able to use the image they want to.  If the session variable isn't there/correct, it will use a 'theft' image telling anyone who views the site that the owner is less than reputable.

I tested out a sample of what I am trying to accomplish, but ran into an error.  On PHP code freaks, someone said I should use readfile() instead of a dynamic image, but I haven't seen an example of how that would work.


for files security:

if they don't login properly, they can't just bypass into the file folder.

Offline Hooman

  • Administrator
  • Hero Member
  • *****
  • Posts: 4955
Webcoding Question
« Reply #20 on: December 13, 2009, 03:28:19 PM »
The image itself doesn't need to be dynamically generated, you just need to add extra checks to control the serving of the image. The obvious way seems to be to check the Referrer header. I noticed the article link from AmIMeYet mentions this header, and seems to go a bit further. I haven't read it yet though.


I had to build a web site with confidential/sensitive corporate information in images, and so fetching of the images had to be secure. What I did was place the images outside of any web folders, and I had a script that checks and validates their login session for the image request. If their credentials weren't valid, then it'd reply with a 403 Forbidden message. If it was valid, then it'd "puts File.read(imageFileName)" (that is, return the contents of the premade static image from outside the web folder). It'd know what image to display based on variables passed to the script. Note that you should NOT allow them to pass any part of the filename in such variables, not unless you're really paranoid about checking what they pass. They could pass a file name such as "/etc/passwd", or "../../etc/passwd". You have to make sure they can't somehow specify something unexpected. Usually it's safe to convert input to numbers (as it's all passed as strings), and then perhaps convert and format it back into a string of an expected form.


Keep in mind that by default there is nothing stopping someone from typing the URL of a page/image/resource just because you haven't linked to it from outside of the "login" section. You actually have to code checks and block access to things people shouldn't see. This is perhaps one of the benefits of keeping an entire webapp controlled by one file (such as index.php). You can put the authentication checks into this one file, and then depending on whether or not they've authenticated, you can choose from two different sets of resources that can be served. If you write your app as separate files, then each file with secured content will need to have authentication checks put into it. If you ever forget, you'll have an information leak in your web app.

 

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #21 on: December 13, 2009, 03:47:15 PM »
soo...because I'm not using that login thing for images, I should just use my idea?

Offline Hooman

  • Administrator
  • Hero Member
  • *****
  • Posts: 4955
Webcoding Question
« Reply #22 on: December 13, 2009, 05:34:21 PM »
I guess so. But what I brought up might still be useful for your file section, which you seemed to suggest was secured. You can also use the PHP readfile way to prevent hotlinking instead of Apache rewrite rules. Instead of tying access to a login session, you'd be examining the same header values that the rewrite rules check.
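Serving a premade image from outside the web folder behind a check, as Hooman describes in Reply #20 (login session, numeric id converted back into a filename of an expected form, 403 otherwise) and the hotlinking variant in this reply (the same header the rewrite rules look at): an added Ruby example, not Hooman's script. The temp directory, OWN_HOST, the request hashes and the img_NNNN.png naming are assumptions.

```ruby
require 'tmpdir'
require 'uri'

# Constructed stand-in for a folder outside any web folder: a temp directory holding one
# premade image (example bytes only, not a real PNG).
SAMPLE_PNG = "\x89PNG\r\n\x1a\nconstructed".b
IMAGE_DIR = Dir.mktmpdir('images')
File.binwrite(File.join(IMAGE_DIR, 'img_0001.png'), SAMPLE_PNG)
OWN_HOST = 'www.example.com'   # assumed host name of the site

# Is this request allowed to have an image at all?
#  :session -> the file-section rule: a valid login session is required
#  :referer -> the hotlinking rule: the Referer header, when present, must name our own host
def allowed?(mode, session, headers)
  case mode
  when :session
    !session['user'].nil?
  when :referer
    ref = headers['Referer'].to_s
    return true if ref.empty?    # browsers and proxies often strip Referer; don't punish that
    URI(ref).host == OWN_HOST
  else
    false
  end
rescue URI::InvalidURIError
  false
end

# Turn the untrusted id into a filename of an expected form. Only a small positive
# integer is accepted, so "../../etc/passwd" or "/etc/passwd" never reaches the filesystem.
def image_path(raw_id)
  return nil unless raw_id.to_s.match?(/\A[1-9]\d{0,3}\z/)
  path = File.expand_path(format('img_%04d.png', raw_id.to_i), IMAGE_DIR)
  # Belt and braces: the resolved path must still be inside the image directory.
  path.start_with?(IMAGE_DIR + File::SEPARATOR) ? path : nil
end

# The image-serving script: returns [status, body] the way the CGI/framework would send it.
def serve_image(mode, session, headers, params)
  return [403, 'Forbidden'] unless allowed?(mode, session, headers)
  path = image_path(params['id'])
  return [404, 'Not Found'] if path.nil? || !File.file?(path)
  [200, File.binread(path)]   # the premade static image, read from outside the web folder
end
```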
 

Offline CK9

  • Administrator
  • Hero Member
  • *****
  • Posts: 6226
    • http://www.outpost2.net/~ck9
Webcoding Question
« Reply #23 on: December 13, 2009, 10:40:40 PM »
not sure what you're saying hooman...I'm an engineer not a programmer, I don't know the terminology all that well.

Offline Hidiot

  • Hero Member
  • *****
  • Posts: 1018
Webcoding Question
« Reply #24 on: December 14, 2009, 06:11:24 AM »
I'm sorry for this rather useless comment, but...

Do a CS major and your life will be much better. Confirmed by several CS major graduates, plus Hooman.
"Nothing from nowhere, I'm no one at all"