[Tfug] PHP + Following Links
Adrian
choprboy at dakotacom.net
Thu Feb 15 23:39:51 MST 2007
On Thursday 15 February 2007 23:01, Christopher Robbins wrote:
> I've moved our old content management system from old server to a shiny,
> super-fast dual-Xeon server running openSUSE 10.2
>
> For some dumb reason, our login system fails. One is able to login and see
> the first screen you see after login, but everything else after
> that kicks out to the login screen. I'm a bit confused and wondering if
> there's a setting I missed in the php config somewhere. I'd
> offer more info, but it was a custom setup and getting in touch with the
> vendor is...unpossible.
>
Can you at least look at the PHP source code for the pages or is it compiled?
My first guess would be that it is a PHP server config difference... probably
something like the app requires/was built to use "register_globals=yes". The
register_globals option is now off by default as it presents a major security
hazard. See as example:
http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html#step3
This may be something like the app assigns a variable uid=<long alphanum> and
puts it in every form/URL generated as a hidden input to track/link the user
response back. But instead of doing a $_POST['uid'] or $_GET['uid'] as
appropriate and doing the long:
    if(isset($_POST['uid'])){          // uid sent as a hidden form field
        $response_uid = $_POST['uid'];
    }elseif(isset($_GET['uid'])){      // uid appended to the URL
        $response_uid = $_GET['uid'];
    }
the programmer instead just took a shortcut and set register_globals:
    $response_uid = $uid;   // $uid only exists when PHP creates it from the request
Continuing on my first guess... I would think that every page, other than the
login and index pages, would do an if(!valid_user($uid)){<redirect to login>}
type of check first thing to see if the user has authenticated, and if not
kick them out/to a login page without processing anything else. So locating
that function in a page, then tracking it back and debugging its logic would
be my first step.
Adrian
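An added illustration of the two approaches contrasted above, written for this archive and not taken from Adrian's post or from the vendor's CMS: the register_globals shortcut, the explicit request lookup, a session-backed valid_user() gate, and a one-line probe of the effective setting on the new server. The function names, the $_SESSION['uid'] layout and the /login.php redirect target are assumptions.

```php
<?php
// Added example, not the vendor CMS code. Assumed: the login page stores the
// authenticated user's token in $_SESSION['uid']; the login page is /login.php.

session_start();

// Migration diagnostic: record what the new server actually runs with.
// register_globals has defaulted to off since PHP 4.2, so a freshly
// installed openSUSE box will almost certainly log "off" here.
error_log('register_globals=' . (ini_get('register_globals') ? 'on' : 'off'));

// 1. The shortcut described in the post. With register_globals=on, PHP
//    silently creates $uid from ?uid=... or a posted field. With it off,
//    $uid is simply undefined, valid_user() fails on every page after the
//    first, and the user is bounced back to the login screen.
function response_uid_legacy()
{
    global $uid;                        // populated only when register_globals=on
    return isset($uid) ? $uid : null;
}

// 2. Explicit lookup that behaves the same regardless of the ini setting.
function response_uid()
{
    if (isset($_POST['uid'])) {
        return $_POST['uid'];
    } elseif (isset($_GET['uid'])) {
        return $_GET['uid'];
    }
    return null;
}

// 3. The per-page gate. The uid carried in the form/URL is only a hint; the
//    server-side session is the authority, so a guessed or altered uid does
//    not authenticate anyone.
function valid_user($uid)
{
    return is_string($uid)
        && ctype_alnum($uid)            // the post says "<long alphanum>"
        && isset($_SESSION['uid'])
        && $uid === $_SESSION['uid'];
}

if (!valid_user(response_uid())) {
    header('Location: /login.php');
    exit;                               // never process the page unauthenticated
}
```

Dropping this check in at the top of a page that currently relies on a bare $uid is one way to confirm the register_globals theory: if the page starts working, the variable was coming from the request.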