hi.my.name.iz.nate (himynameiznate) wrote in php,

How secure is this?

Okay, I wrote an authorization class using cookies to access certain pages based on their category.
Now, not being the security god or anything, I wanted to check its validity as far as a valid way to grant or deny access.

Basically, it does a DB call on every page request, based off the cookie info, but I'm willing to put up with the performance hit just because you can update access permissions on the fly, and not have to worry about page caches, etc.

But the natural language explanation is this:
Get the user permissions from the table field, and put them in an array.
If you can't get an array from the information in the cookie, go to the deny message page.
If the current category ($_GET['cat']) isn't in the permissions array, go to the deny message page.
If the current page isn't in the allowed pages array, go to the deny message page.
If any part of the cookie array isn't set, go to the deny page.

Here is the method that I wrote. Any and all criticisms, help, etc. is much appreciated...

// Method of the authorization class; $page_cat is the category the calling page belongs to.
function authorize($page_cat){

    $page_base = basename($_SERVER['PHP_SELF']);
    $page = $_SERVER['REQUEST_URI'];   // not used below
    $ip = $_SERVER['REMOTE_ADDR'];      // not used below
    $date = date("m/d/y - h:iA");       // not used below

    // Comma-separated page lists from the class config, with spaces stripped.
    $exceptionpages = str_replace(" ", "", $this->ExceptionPages);
    $exceptionpages = explode(",", $exceptionpages);   // built but not checked below

    $allowedpages = str_replace(" ", "", $this->AllowedPages);
    $allowedpages = explode(",", $allowedpages);       // built but not checked below

    if(isset($_COOKIE[$this->UserIDfield]) && isset($_COOKIE[$this->Usernamefield]) && isset($_COOKIE[$this->Passwordfield]) && isset($_COOKIE[$this->Emailfield])){

        // Look the user up in the database from the cookie values.
        $auth = $this->getUserArray();

        if (!$auth){
            header("Location: $this->LogoutPageRedirect");
            exit;   // header() alone does not stop the script; without exit the page below is still served
        }

        $permissions = $auth[$this->PermissionsField];

        // A logged-in user on the entry page goes to the login redirect, unless they are logging out.
        if (($page_base == $this->EntryPage) && (!isset($_GET['action']) || $_GET['action'] !== "logout")){
            header("Location: $this->LoginPageRedirect");
            exit;
        }

        if ($this->PermissionsType == "category") {

            $permissions = explode(", ", $permissions);

            // A disabled account may only reach misc.php.
            if (in_array($this->DisabledMarker, $permissions) && $page_base !== "misc.php"){
                if ($this->RecordHacks == 1){
                    $this->insertHack();
                }
                header("Location: $this->DisabledPageRedirect");
                exit;
            }

            // The page's category must appear in the user's permission list.
            if (isset($page_cat)){
                if (!in_array($page_cat, $permissions)) {
                    if ($this->RecordHacks == 1){
                        $this->insertHack();
                    }
                    header("Location: $this->DeniedPageRedirect");
                    exit;
                }
            }
        }
    }

    // Any cookie field missing or empty: treat as logged out (except on the entry page).
    // empty() avoids the undefined-index notice that a bare $_COOKIE[...] read gives when the cookie is absent.
    if(empty($_COOKIE[$this->UserIDfield]) || empty($_COOKIE[$this->Usernamefield]) || empty($_COOKIE[$this->Passwordfield]) || empty($_COOKIE[$this->Emailfield])) {

        if ($page_base !== "$this->EntryPage"){
            if ($this->RecordHacks == 1){
                $this->insertHack();
            }
            header("Location: $this->LogoutPageRedirect");
            exit;
        }
    }
}
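The same page-and-category check, written as an added example (not the poster's class) in the shape a reviewer would suggest: the identity comes from a server-side session id rather than from username/password/email cookies, the decision is returned instead of acted on inside the method so it can be tested, every path that is not an explicit allow is a deny, the allowed-pages list the description mentions is actually enforced, and the redirect helper calls exit() after header() so a denied page is never rendered. The class name PageAuthorizer, the lookupUser callback, the $_SESSION['user_id'] key and the sample user table are all assumptions made for the example.

```php
<?php
// Added example, not the original poster's code. Names below are assumptions.
declare(strict_types=1);

final class PageAuthorizer
{
    public const ALLOW    = 'allow';
    public const DENY     = 'deny';      // logged in, but not permitted here
    public const DISABLED = 'disabled';  // account carries the disabled marker
    public const LOGOUT   = 'logout';    // no session, or the DB no longer knows the user

    /** @var callable(int): ?array  user id -> ['permissions' => 'a, b', ...] or null */
    private $lookupUser;
    private array $allowedPages;
    private array $exceptionPages;
    private string $disabledMarker;

    public function __construct(callable $lookupUser, string $allowedPages,
                                string $exceptionPages, string $disabledMarker = 'disabled')
    {
        $this->lookupUser     = $lookupUser;
        $this->allowedPages   = self::csvToList($allowedPages);
        $this->exceptionPages = self::csvToList($exceptionPages);
        $this->disabledMarker = $disabledMarker;
    }

    /** "a, b ,c" -> ['a', 'b', 'c']; tolerates stray spaces and empty items. */
    private static function csvToList(string $csv): array
    {
        return array_values(array_filter(array_map('trim', explode(',', $csv)), 'strlen'));
    }

    /**
     * Decide whether $pageBase (e.g. "admin.php") in category $pageCat may be served
     * to the user identified by $userId (taken from the server-side session, not a cookie
     * the client can edit). Every failure path returns; the caller redirects and exits.
     */
    public function decide(?int $userId, string $pageBase, ?string $pageCat): string
    {
        // Exception pages (login, logout, ...) need no session at all.
        if (in_array($pageBase, $this->exceptionPages, true)) {
            return self::ALLOW;
        }
        if ($userId === null) {
            return self::LOGOUT;
        }
        $user = ($this->lookupUser)($userId);   // fresh DB read on every request, as in the post
        if ($user === null || !isset($user['permissions'])) {
            return self::LOGOUT;
        }
        $permissions = self::csvToList((string) $user['permissions']);

        if (in_array($this->disabledMarker, $permissions, true)) {
            return self::DISABLED;
        }
        // The page itself must be on the allowed list ...
        if (!in_array($pageBase, $this->allowedPages, true)) {
            return self::DENY;
        }
        // ... and its category must be granted. A page with no category is denied
        // rather than skipped, which is what an isset()-guarded check would do.
        if ($pageCat === null || !in_array($pageCat, $permissions, true)) {
            return self::DENY;
        }
        return self::ALLOW;
    }
}

// header() alone does not stop the script, so without the exit the protected
// page would still be sent to the client after the Location header.
function redirectAndExit(string $url): void
{
    header('Location: ' . $url, true, 302);
    exit;
}

// Constructed sample "table" standing in for the database call.
$users = [
    7 => ['username' => 'alice', 'permissions' => 'news, forum'],
    9 => ['username' => 'bob',   'permissions' => 'news, disabled'],
];
$auth = new PageAuthorizer(
    fn(int $id): ?array => $users[$id] ?? null,
    'index.php, news.php, forum.php, admin.php',
    'login.php, logout.php'
);

$cases = [
    [7,    'news.php',   'news'],  // allow
    [7,    'admin.php',  'admin'], // deny: category not granted
    [9,    'news.php',   'news'],  // disabled
    [null, 'news.php',   'news'],  // logout: no session
    [null, 'login.php',  null],    // allow: exception page
    [7,    'secret.php', 'news'],  // deny: page not on the allowed list
];
foreach ($cases as [$uid, $page, $cat]) {
    printf("%-5s %-11s %-6s => %s\n", var_export($uid, true), $page,
           var_export($cat, true), $auth->decide($uid, $page, $cat));
}
// In a real page: $d = $auth->decide($_SESSION['user_id'] ?? null, basename($_SERVER['PHP_SELF']), $pageCat);
// then redirectAndExit() to the matching redirect page unless $d === PageAuthorizer::ALLOW.
```

Run it with php on the command line to see one decision per constructed case. Keeping decide() free of header() and exit() is what makes the deny-by-default logic checkable in isolation; the only thing the page script does with the result is pick a redirect target, and it never falls through to its own HTML on anything but ALLOW.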