This is a discussion on RE: [PHP] Semi-OT: PHP Login with client security within the PHP General forums, part of the PHP Programming Forums category.

IMHO, you should be testing this long before taking it to the customer and having another failure to show off.
Personally, 2 failures is good reason NOT to purchase someone's services...

Wolf

-----Original Message-----
From: Tim Thorburn <immortal@nwconx.net>
Sent: Monday, May 19, 2008 3:20 PM
To: php-general@lists.php.net
Subject: Re: [php] Semi-OT: PHP Login with client security

robert wrote:
>
> On May 18, 2008, at 10:14 PM, Tim Thorburn wrote:
>
>> Hi all,
>>
>> Having a slight problem with a demo I gave at a client's last week -
>> looking for a little advice. Part of my demo involved a password
>> protected area - the simplified process is: client enters password on
>> login page > if login/password match encrypted database, PHP session
>> is created, form forwards to a secured area > secured area checks to
>> make sure PHP session is valid > if valid display content, if not,
>> return to login screen.
>>
>> This procedure is what I've used for many years, tested on a variety
>> of servers and connections. It works. During the demo with my
>> client, I was able to enter login/password info, the PHP session was
>> created - however the screen would not forward to the secured area.
>> Instead I was presented with a blank screen (client only has an
>> outdated/non-updated version of IE6). If I were to type in the URL
>> to the secured area, it would display content properly. As a test, I
>> logged out, closed my browser and started again, this time entering
>> an incorrect login/password - again it would not forward to the next
>> screen properly, however this time when I typed in the full URL, it
>> would not display as the session hadn't been created.
>>
>> I've spoken briefly with my client's IT person, however he's unwilling
>> to share any firewall information or really anything regarding their
>> security setup - which I understand as I'm not an employee and just a
>> contractor.
>>
>> So, after long-winded description - does anyone with network security
>> experience have any idea either a) what I would need to ask the IT
>> person to allow for their site only, or b) have any suggestions for
>> alternate password authentication that may work given the above
>> conditions?
>>
>> TIA
>> -Tim
>
>
>
> try to use a full url instead of relative. e.g.
>
> header('location: thankyou.php');
>
> vs.
>
> header('location: http://www.mysite.com/thankyou.php');
>
> or use $_SERVER['DOCUMENT_ROOT'] for portability.
>
> i think this is some weirdness on IE6. this worked for me.
>

I'll try $_SERVER['DOCUMENT_ROOT'] during my next demonstration which should be sometime next week. Odd that this issue has never come up before O.o
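
The login flow described in the message above, with the absolute-URL redirect suggested in the quoted reply, as an added example that is not code from the thread. `$_SERVER['DOCUMENT_ROOT']` is a filesystem path, so the URL prefix here comes from a configured constant; `APP_BASE_URL`, the page names and the single demo user are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. APP_BASE_URL, the page names and
// the constructed user record below are assumptions for illustration.
const APP_BASE_URL = 'https://www.example.com'; // configured, never read from the Host header

// Constructed stand-in for the password database: username => password hash.
function demo_users(): array {
    return ['tim' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// Build an absolute URL for a Location header from a fixed allow-list of pages.
function absolute_url(string $page): string {
    $allowed = ['login.php', 'secure.php'];
    if (!in_array($page, $allowed, true)) {
        $page = 'login.php';            // unknown targets fall back to the login page
    }
    return APP_BASE_URL . '/' . $page;
}

// Send the redirect and stop. Without exit the rest of the script keeps
// running and its output is still sent in the response body.
function redirect(string $page): void {
    header('Location: ' . absolute_url($page), true, 302);
    exit;
}

// login.php: verify the credentials, then create the session.
function handle_login(string $user, string $password): void {
    $users = demo_users();
    if (isset($users[$user]) && password_verify($password, $users[$user])) {
        session_start();
        session_regenerate_id(true);    // fresh session id at login (session fixation)
        $_SESSION['user'] = $user;
        redirect('secure.php');
    }
    redirect('login.php');
}

// secure.php: call before any output; only authenticated sessions continue.
function require_login(): void {
    session_start();
    if (empty($_SESSION['user'])) {
        redirect('login.php');
    }
}

if (PHP_SAPI === 'cli') {               // offline check of the URL builder
    echo absolute_url('secure.php'), "\n";
    echo absolute_url('//other.example/x'), "\n";
}
```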
Wolf wrote:
> IMHO, you should be testing this long before taking it to the customer and having another failure to show off.
>
> Personally, 2 failures is good reason NOT to purchase someone's services...
>
> Wolf

Yes, I'm well aware of this - the point which you've continually failed to realize is that this code works on a large variety of servers (shared hosting, VPS, and managed), browsers, and internal network setups for the other 20+ clients I deal with regularly. The problem is specific to a single client's internal setup. In the future, kindly refrain from hitting the reply button if you simply don't have an answer beyond the standard "your code is bad" response.

Tim