How secure is this?
Date: 02/16/05
(PHP Community) Keywords: php, security
Okay, I wrote a authorization class using cookies to access certain pages based on their category.
Now, not being the security god or anything, I wanted to check it's validity as far as a valid way to grant or deny access.
Basically, it does a DB call on every page request, based off the cookie info, but Im willing to put up with the performance hit just because you can update access permissions on the fly, and not have to worry about page cache's, etc.
But the natural language explination is this:
Get the user permissions from the table field, and put them in an array.
If you cant get an array from the information in the cookie, go to the deny message page.
If the current category ($_GET[cat]) isnt in the permissions array, go to the deny message page.
If the current page isnt in the allowed pages array, go to the deny message page.
If any part of the cookie array isnt set, go to the deny page
Here is the method that I wrote. Any and all criticisms, help, etc is much appreciated...
function authorize($page_cat){
$page_base = basename($_SERVER['PHP_SELF']);
$page = $_SERVER['REQUEST_URI'];
$ip = $_SERVER['REMOTE_ADDR'];
$date = date("m/d/y - h:iA");
$exceptionpages = str_replace(" ", "", $this->ExceptionPages);
$exceptionpages = explode(",", $exceptionpages);
$allowedpages = str_replace(" ", "", $this->AllowedPages);
$allowedpages = explode(",", $allowedpages);
if(isset($_COOKIE[$this->UserIDfield]) && isset($_COOKIE[$this->Usernamefield]) && isset($_COOKIE[$this->Passwordfield]) && isset($_COOKIE[$this->Emailfield])){
$auth = $this->getUserArray();
if (!$auth){
header("Location: $this->LogoutPageRedirect");
}
$permissions = $auth[$this->PermissionsField];
if (($page_base == $this->EntryPage) && ($_GET['action'] !== "logout")){
header("Location: $this->LoginPageRedirect");
}
if ($this->PermissionsType == "category") {
$permissions = explode(", ", $permissions);
if (in_array($this->DisabledMarker, $permissions) && $page_base !== "misc.php"){
if ($this->RecordHacks == 1){
$this->insertHack();
}
header("Location: $this->DisabledPageRedirect");
}
if (isset($page_cat)){
if (!in_array($page_cat, $permissions)) {
if ($this->RecordHacks == 1){
$this->insertHack();
}
header("Location: $this->DeniedPageRedirect");
}
}
}
}
if(!$_COOKIE[$this->UserIDfield] || !$_COOKIE[$this->Usernamefield] || !$_COOKIE[$this->Passwordfield] || !$_COOKIE[$this->Emailfield]) {
if ($page_base !== "$this->EntryPage"){
if ($this->RecordHacks == 1){
$this->insertHack();
}
header("Location: $this->LogoutPageRedirect");
}
}
}
Source: http://www.livejournal.com/community/php/260701.html